Edit tour

Windows Analysis Report
Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe

Overview

General Information

Sample name:	Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe
Analysis ID:	1579020
MD5:	346f96d373a4724cef30348c4cd4c3a3
SHA1:	cd00708468a02533b41f6d4d54fabfd5ce6b22cc
SHA256:	7652d55f845a4914f76058c418df4da0c65f7df5f0febb2aded459ae0b75be61
Tags:	exeuser-lowmal3
Infos:

Detection

MassLogger RAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected MassLogger RAT

Yara detected Telegram RAT

Yara detected UAC Bypass using CMSTP

.NET source code contains very large strings

.NET source code references suspicious native API functions

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Contains functionality to capture screen (.Net source)

Contains functionality to log keystrokes (.Net Source)

Disables UAC (registry)

Drops large PE files

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file does not import any functions

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Startup Folder File Write

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe (PID: 1004 cmdline: "C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe" MD5: 346F96D373A4724CEF30348C4CD4C3A3)

powershell.exe (PID: 5932 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe" -Force MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 3620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

InstallUtil.exe (PID: 1344 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

Trading_AIBot.exe (PID: 2800 cmdline: "C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe" MD5: E91A1DB64F5262A633465A0AAFF7A0B0)

powershell.exe (PID: 7300 cmdline: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7540 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 7336 cmdline: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 11:51 /du 23:59 /sc daily /ri 1 /f MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

apihost.exe (PID: 7884 cmdline: "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" MD5: 7E1AF0EA4EF8E299AA3EE3FB4837AEBF)

Microsofts.exe (PID: 3796 cmdline: "C:\Users\user\AppData\Local\Temp\Microsofts.exe" MD5: F6B8018A27BCDBAA35778849B586D31B)

InstallUtil.exe (PID: 7048 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

WerFault.exe (PID: 6128 cmdline: C:\Windows\system32\WerFault.exe -u -p 1004 -s 1052 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cleanup

Malware Configuration

Threatname: MassLogger

{"EXfil Mode": "SMTP", "From": "server1@massmaesure.com", "Password": "london@1759", "Server": "lax029.hawkhost.com", "To": "server2@massmaesure.com", "Port": 587}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\Microsofts.exe	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
C:\Users\user\AppData\Local\Temp\Microsofts.exe	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\Microsofts.exe	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
C:\Users\user\AppData\Local\Temp\Microsofts.exe	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x101cd:$a1: get_encryptedPassword 0x10509:$a2: get_encryptedUsername 0xff5a:$a3: get_timePasswordChanged 0x1007b:$a4: get_passwordField 0x101e3:$a5: set_encryptedPassword 0x11bb3:$a7: get_logins 0x11864:$a8: GetOutlookPasswords 0x11642:$a9: StartKeylogger 0x11b03:$a10: KeyLoggerEventArgs 0x1169f:$a11: KeyLoggerEventArgsEventHandler
C:\Users\user\AppData\Local\Temp\Microsofts.exe	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth

Memory Dumps

Source	Rule	Description	Author	Strings
0000000A.00000002.3193754650.0000000002ADF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2210904029.00000251BB4FE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000A.00000000.1965703472.00000000007A2000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0000000A.00000000.1965703472.00000000007A2000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000000.1965703472.00000000007A2000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000A.00000000.1965703472.00000000007A2000.00000002.00000001.01000000.0000000A.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xffcd:$a1: get_encryptedPassword 0x10309:$a2: get_encryptedUsername 0xfd5a:$a3: get_timePasswordChanged 0xfe7b:$a4: get_passwordField 0xffe3:$a5: set_encryptedPassword 0x119b3:$a7: get_logins 0x11664:$a8: GetOutlookPasswords 0x11442:$a9: StartKeylogger 0x11903:$a10: KeyLoggerEventArgs 0x1149f:$a11: KeyLoggerEventArgsEventHandler
00000004.00000002.1983203709.00000000040B4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000004.00000002.1983203709.00000000040B4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.1983203709.00000000040B4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000004.00000002.1983203709.00000000040B4000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2996d:$a1: get_encryptedPassword 0x41b9d:$a1: get_encryptedPassword 0x59dbd:$a1: get_encryptedPassword 0x29ca9:$a2: get_encryptedUsername 0x41ed9:$a2: get_encryptedUsername 0x5a0f9:$a2: get_encryptedUsername 0x296fa:$a3: get_timePasswordChanged 0x4192a:$a3: get_timePasswordChanged 0x59b4a:$a3: get_timePasswordChanged 0x2981b:$a4: get_passwordField 0x41a4b:$a4: get_passwordField 0x59c6b:$a4: get_passwordField 0x29983:$a5: set_encryptedPassword 0x41bb3:$a5: set_encryptedPassword 0x59dd3:$a5: set_encryptedPassword 0x2b353:$a7: get_logins 0x43583:$a7: get_logins 0x5b7a3:$a7: get_logins 0x2b004:$a8: GetOutlookPasswords 0x43234:$a8: GetOutlookPasswords 0x5b454:$a8: GetOutlookPasswords
0000000A.00000002.3193754650.0000000002BA3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe PID: 1004	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe PID: 1004	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: InstallUtil.exe PID: 1344	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: InstallUtil.exe PID: 1344	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: InstallUtil.exe PID: 1344	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: InstallUtil.exe PID: 1344	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x10f55:$a1: get_encryptedPassword 0x11282:$a2: get_encryptedUsername 0x10cf6:$a3: get_timePasswordChanged 0x10e17:$a4: get_passwordField 0x10f6b:$a5: set_encryptedPassword 0x128dd:$a7: get_logins 0x1258e:$a8: GetOutlookPasswords 0x1236c:$a9: StartKeylogger 0x1282d:$a10: KeyLoggerEventArgs 0x123c9:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: Microsofts.exe PID: 3796	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: Microsofts.exe PID: 3796	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Microsofts.exe PID: 3796	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: Microsofts.exe PID: 3796	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x28d89:$a1: get_encryptedPassword 0x290b6:$a2: get_encryptedUsername 0x28b2a:$a3: get_timePasswordChanged 0x28c4b:$a4: get_passwordField 0x28d9f:$a5: set_encryptedPassword 0x2a711:$a7: get_logins 0x2a3c2:$a8: GetOutlookPasswords 0x2a1a0:$a9: StartKeylogger 0x2a661:$a10: KeyLoggerEventArgs 0x2a1fd:$a11: KeyLoggerEventArgsEventHandler
Click to see the 16 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.InstallUtil.exe.40cd7a0.5.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
4.2.InstallUtil.exe.40cd7a0.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.InstallUtil.exe.40cd7a0.5.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
4.2.InstallUtil.exe.40cd7a0.5.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xe3cd:$a1: get_encryptedPassword 0xe709:$a2: get_encryptedUsername 0xe15a:$a3: get_timePasswordChanged 0xe27b:$a4: get_passwordField 0xe3e3:$a5: set_encryptedPassword 0xfdb3:$a7: get_logins 0xfa64:$a8: GetOutlookPasswords 0xf842:$a9: StartKeylogger 0xfd03:$a10: KeyLoggerEventArgs 0xf89f:$a11: KeyLoggerEventArgsEventHandler
4.2.InstallUtil.exe.40cd7a0.5.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x13623:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x12b21:$a3: \Google\Chrome\User Data\Default\Login Data 0x12e2f:$a4: \Orbitum\User Data\Default\Login Data 0x13c27:$a5: \Kometa\User Data\Default\Login Data
10.0.Microsofts.exe.7a0000.0.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
10.0.Microsofts.exe.7a0000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.0.Microsofts.exe.7a0000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
10.0.Microsofts.exe.7a0000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x101cd:$a1: get_encryptedPassword 0x10509:$a2: get_encryptedUsername 0xff5a:$a3: get_timePasswordChanged 0x1007b:$a4: get_passwordField 0x101e3:$a5: set_encryptedPassword 0x11bb3:$a7: get_logins 0x11864:$a8: GetOutlookPasswords 0x11642:$a9: StartKeylogger 0x11b03:$a10: KeyLoggerEventArgs 0x1169f:$a11: KeyLoggerEventArgsEventHandler
10.0.Microsofts.exe.7a0000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x15423:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x14921:$a3: \Google\Chrome\User Data\Default\Login Data 0x14c2f:$a4: \Orbitum\User Data\Default\Login Data 0x15a27:$a5: \Kometa\User Data\Default\Login Data
4.2.InstallUtil.exe.40e59d0.4.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
4.2.InstallUtil.exe.40e59d0.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.InstallUtil.exe.40e59d0.4.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
4.2.InstallUtil.exe.40e59d0.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xe3cd:$a1: get_encryptedPassword 0xe709:$a2: get_encryptedUsername 0xe15a:$a3: get_timePasswordChanged 0xe27b:$a4: get_passwordField 0xe3e3:$a5: set_encryptedPassword 0xfdb3:$a7: get_logins 0xfa64:$a8: GetOutlookPasswords 0xf842:$a9: StartKeylogger 0xfd03:$a10: KeyLoggerEventArgs 0xf89f:$a11: KeyLoggerEventArgsEventHandler
4.2.InstallUtil.exe.40e59d0.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x13623:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x12b21:$a3: \Google\Chrome\User Data\Default\Login Data 0x12e2f:$a4: \Orbitum\User Data\Default\Login Data 0x13c27:$a5: \Kometa\User Data\Default\Login Data
4.2.InstallUtil.exe.40fdbf0.6.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
4.2.InstallUtil.exe.40fdbf0.6.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.InstallUtil.exe.40fdbf0.6.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
4.2.InstallUtil.exe.40fdbf0.6.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xe3cd:$a1: get_encryptedPassword 0xe709:$a2: get_encryptedUsername 0xe15a:$a3: get_timePasswordChanged 0xe27b:$a4: get_passwordField 0xe3e3:$a5: set_encryptedPassword 0xfdb3:$a7: get_logins 0xfa64:$a8: GetOutlookPasswords 0xf842:$a9: StartKeylogger 0xfd03:$a10: KeyLoggerEventArgs 0xf89f:$a11: KeyLoggerEventArgsEventHandler
4.2.InstallUtil.exe.40fdbf0.6.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x13623:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x12b21:$a3: \Google\Chrome\User Data\Default\Login Data 0x12e2f:$a4: \Orbitum\User Data\Default\Login Data 0x13c27:$a5: \Kometa\User Data\Default\Login Data
4.2.InstallUtil.exe.40fdbf0.6.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
4.2.InstallUtil.exe.40fdbf0.6.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.InstallUtil.exe.40fdbf0.6.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
4.2.InstallUtil.exe.40fdbf0.6.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x101cd:$a1: get_encryptedPassword 0x10509:$a2: get_encryptedUsername 0xff5a:$a3: get_timePasswordChanged 0x1007b:$a4: get_passwordField 0x101e3:$a5: set_encryptedPassword 0x11bb3:$a7: get_logins 0x11864:$a8: GetOutlookPasswords 0x11642:$a9: StartKeylogger 0x11b03:$a10: KeyLoggerEventArgs 0x1169f:$a11: KeyLoggerEventArgsEventHandler
4.2.InstallUtil.exe.40fdbf0.6.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x15423:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x14921:$a3: \Google\Chrome\User Data\Default\Login Data 0x14c2f:$a4: \Orbitum\User Data\Default\Login Data 0x15a27:$a5: \Kometa\User Data\Default\Login Data
4.2.InstallUtil.exe.40e59d0.4.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
4.2.InstallUtil.exe.40e59d0.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.InstallUtil.exe.40e59d0.4.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
4.2.InstallUtil.exe.40e59d0.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x101cd:$a1: get_encryptedPassword 0x283ed:$a1: get_encryptedPassword 0x10509:$a2: get_encryptedUsername 0x28729:$a2: get_encryptedUsername 0xff5a:$a3: get_timePasswordChanged 0x2817a:$a3: get_timePasswordChanged 0x1007b:$a4: get_passwordField 0x2829b:$a4: get_passwordField 0x101e3:$a5: set_encryptedPassword 0x28403:$a5: set_encryptedPassword 0x11bb3:$a7: get_logins 0x29dd3:$a7: get_logins 0x11864:$a8: GetOutlookPasswords 0x29a84:$a8: GetOutlookPasswords 0x11642:$a9: StartKeylogger 0x29862:$a9: StartKeylogger 0x11b03:$a10: KeyLoggerEventArgs 0x29d23:$a10: KeyLoggerEventArgs 0x1169f:$a11: KeyLoggerEventArgsEventHandler 0x298bf:$a11: KeyLoggerEventArgsEventHandler
4.2.InstallUtil.exe.40e59d0.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x15423:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x2d643:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x14921:$a3: \Google\Chrome\User Data\Default\Login Data 0x2cb41:$a3: \Google\Chrome\User Data\Default\Login Data 0x14c2f:$a4: \Orbitum\User Data\Default\Login Data 0x2ce4f:$a4: \Orbitum\User Data\Default\Login Data 0x15a27:$a5: \Kometa\User Data\Default\Login Data 0x2dc47:$a5: \Kometa\User Data\Default\Login Data
4.2.InstallUtil.exe.40cd7a0.5.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
4.2.InstallUtil.exe.40cd7a0.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.InstallUtil.exe.40cd7a0.5.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
4.2.InstallUtil.exe.40cd7a0.5.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x101cd:$a1: get_encryptedPassword 0x283fd:$a1: get_encryptedPassword 0x4061d:$a1: get_encryptedPassword 0x10509:$a2: get_encryptedUsername 0x28739:$a2: get_encryptedUsername 0x40959:$a2: get_encryptedUsername 0xff5a:$a3: get_timePasswordChanged 0x2818a:$a3: get_timePasswordChanged 0x403aa:$a3: get_timePasswordChanged 0x1007b:$a4: get_passwordField 0x282ab:$a4: get_passwordField 0x404cb:$a4: get_passwordField 0x101e3:$a5: set_encryptedPassword 0x28413:$a5: set_encryptedPassword 0x40633:$a5: set_encryptedPassword 0x11bb3:$a7: get_logins 0x29de3:$a7: get_logins 0x42003:$a7: get_logins 0x11864:$a8: GetOutlookPasswords 0x29a94:$a8: GetOutlookPasswords 0x41cb4:$a8: GetOutlookPasswords
4.2.InstallUtil.exe.40cd7a0.5.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x15423:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x2d653:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x45873:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x14921:$a3: \Google\Chrome\User Data\Default\Login Data 0x2cb51:$a3: \Google\Chrome\User Data\Default\Login Data 0x44d71:$a3: \Google\Chrome\User Data\Default\Login Data 0x14c2f:$a4: \Orbitum\User Data\Default\Login Data 0x2ce5f:$a4: \Orbitum\User Data\Default\Login Data 0x4507f:$a4: \Orbitum\User Data\Default\Login Data 0x15a27:$a5: \Kometa\User Data\Default\Login Data 0x2dc57:$a5: \Kometa\User Data\Default\Login Data 0x45e77:$a5: \Kometa\User Data\Default\Login Data
Click to see the 30 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe" -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe" -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe", ParentImage: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe, ParentProcessId: 1004, ParentProcessName: Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe" -Force, ProcessId: 5932, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe, ProcessId: 2800, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\apihost.exe.lnk

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 11:51 /du 23:59 /sc daily /ri 1 /f, CommandLine: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 11:51 /du 23:59 /sc daily /ri 1 /f, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe, ParentProcessId: 2800, ParentProcessName: Trading_AIBot.exe, ProcessCommandLine: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 11:51 /du 23:59 /sc daily /ri 1 /f, ProcessId: 7336, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe" -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe" -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe", ParentImage: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe, ParentProcessId: 1004, ParentProcessName: Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe" -Force, ProcessId: 5932, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-20T17:46:04.987142+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49736	158.101.44.242	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Avira: detection malicious, Label: TR/Dropper.Gen

Found malware configuration

Source: 10.0.Microsofts.exe.7a0000.0.unpack

Malware Configuration Extractor: MassLogger {"EXfil Mode": "SMTP", "From": "server1@massmaesure.com", "Password": "london@1759", "Server": "lax029.hawkhost.com", "To": "server2@massmaesure.com", "Port": 587}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	ReversingLabs: Detection: 60%
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	ReversingLabs: Detection: 79%

Multi AV Scanner detection for submitted file

Source: Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe

ReversingLabs: Detection: 13%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 00000000.00000002.2210904029.00000251BB4FE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe PID: 1004, type: MEMORYSTR

Source: unknown

HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.4:49738 version: TLS 1.0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\installutil.exe.log

Jump to behavior

Source: Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WER2C3F.tmp.dmp.8.dr
Source:	Binary string: System.Windows.Forms.pdb source: WER2C3F.tmp.dmp.8.dr
Source:	Binary string: System.pdb@ source: WER2C3F.tmp.dmp.8.dr
Source:	Binary string: mscorlib.pdb source: WER2C3F.tmp.dmp.8.dr
Source:	Binary string: System.ni.pdbRSDS source: WER2C3F.tmp.dmp.8.dr
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS source: WER2C3F.tmp.dmp.8.dr
Source:	Binary string: System.Windows.Forms.pdbP source: WER2C3F.tmp.dmp.8.dr
Source:	Binary string: System.Windows.Forms.ni.pdb source: WER2C3F.tmp.dmp.8.dr
Source:	Binary string: System.Drawing.pdb source: WER2C3F.tmp.dmp.8.dr
Source:	Binary string: mscorlib.ni.pdb source: WER2C3F.tmp.dmp.8.dr
Source:	Binary string: System.Drawing.ni.pdb source: WER2C3F.tmp.dmp.8.dr
Source:	Binary string: System.Core.pdb source: WER2C3F.tmp.dmp.8.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER2C3F.tmp.dmp.8.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER2C3F.tmp.dmp.8.dr
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WER2C3F.tmp.dmp.8.dr
Source:	Binary string: System.ni.pdb source: WER2C3F.tmp.dmp.8.dr
Source:	Binary string: System.pdb source: WER2C3F.tmp.dmp.8.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER2C3F.tmp.dmp.8.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER2C3F.tmp.dmp.8.dr
Source:	Binary string: System.Core.ni.pdb source: WER2C3F.tmp.dmp.8.dr

Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Code function: 4x nop then jmp 01077394h	9_2_01077188
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Code function: 4x nop then jmp 010778DCh	9_2_01077688
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	9_2_01077E60
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Code function: 4x nop then jmp 010778DCh	9_2_0107767A
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	9_2_01077E58
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 4x nop then jmp 02A45782h	10_2_02A45367
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 4x nop then jmp 02A451B9h	10_2_02A44F08
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 4x nop then jmp 02A45782h	10_2_02A456AF
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Code function: 4x nop then jmp 059FBCBDh	16_2_059FBA40

Source: global traffic

HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 158.101.44.242 158.101.44.242
Source: Joe Sandbox View	IP Address: 172.67.177.134 172.67.177.134

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic

Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49736 -> 158.101.44.242:80

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown

HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.4:49738 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: Microsofts.exe, 0000000A.00000002.3193754650.0000000002AFE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: Microsofts.exe, 0000000A.00000002.3193754650.0000000002AFE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.comd
Source: Microsofts.exe, 0000000A.00000002.3193754650.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, Microsofts.exe, 0000000A.00000002.3193754650.0000000002AFE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: Microsofts.exe, 0000000A.00000002.3193754650.0000000002A81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: Microsofts.exe, 0000000A.00000002.3193754650.0000000002AFE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/d
Source: InstallUtil.exe, 00000004.00000002.1983203709.00000000040B4000.00000004.00000800.00020000.00000000.sdmp, Microsofts.exe, 0000000A.00000000.1965703472.00000000007A2000.00000002.00000001.01000000.0000000A.sdmp, Microsofts.exe.4.dr	String found in binary or memory: http://checkip.dyndns.org/q
Source: Microsofts.exe, 0000000A.00000002.3193754650.0000000002AFE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.orgd
Source: powershell.exe, 0000000B.00000002.2080271571.0000000007D12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: powershell.exe, 0000000B.00000002.2073622854.00000000057BD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000B.00000002.2055263861.00000000048A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: Microsofts.exe, 0000000A.00000002.3193754650.0000000002B1B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: Microsofts.exe, 0000000A.00000002.3193754650.0000000002B1B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.orgd
Source: powershell.exe, 0000000B.00000002.2055263861.00000000048A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: Microsofts.exe, 0000000A.00000002.3193754650.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2055263861.0000000004751000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000B.00000002.2055263861.00000000048A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000B.00000002.2055263861.00000000048A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000B.00000002.2055263861.0000000004751000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: InstallUtil.exe, 00000004.00000002.1983203709.00000000040B4000.00000004.00000800.00020000.00000000.sdmp, Microsofts.exe, 0000000A.00000000.1965703472.00000000007A2000.00000002.00000001.01000000.0000000A.sdmp, Microsofts.exe.4.dr	String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: powershell.exe, 0000000B.00000002.2073622854.00000000057BD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000B.00000002.2073622854.00000000057BD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000B.00000002.2073622854.00000000057BD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000B.00000002.2055263861.00000000048A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000B.00000002.2073622854.00000000057BD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: Microsofts.exe, 0000000A.00000002.3193754650.0000000002AFE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: InstallUtil.exe, 00000004.00000002.1983203709.00000000040B4000.00000004.00000800.00020000.00000000.sdmp, Microsofts.exe, 0000000A.00000002.3193754650.0000000002AFE000.00000004.00000800.00020000.00000000.sdmp, Microsofts.exe, 0000000A.00000000.1965703472.00000000007A2000.00000002.00000001.01000000.0000000A.sdmp, Microsofts.exe, 0000000A.00000002.3193754650.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp, Microsofts.exe.4.dr	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: Microsofts.exe, 0000000A.00000002.3193754650.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: Microsofts.exe, 0000000A.00000002.3193754650.0000000002AFE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l
Source: Microsofts.exe, 0000000A.00000002.3193754650.0000000002AFE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.1dZ
Source: Microsofts.exe, 0000000A.00000002.3193754650.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org34

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to capture screen (.Net source)

Source: Microsofts.exe.4.dr, UltraSpeed.cs

.Net Code: TakeScreenshot

Contains functionality to log keystrokes (.Net Source)

Source: Microsofts.exe.4.dr, UltraSpeed.cs

.Net Code: VKCodeToUnicode

System Summary

Malicious sample detected (through community Yara rule)

Source: 4.2.InstallUtil.exe.40cd7a0.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.InstallUtil.exe.40cd7a0.5.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.0.Microsofts.exe.7a0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.0.Microsofts.exe.7a0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.InstallUtil.exe.40e59d0.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.InstallUtil.exe.40e59d0.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.InstallUtil.exe.40fdbf0.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.InstallUtil.exe.40fdbf0.6.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.InstallUtil.exe.40fdbf0.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.InstallUtil.exe.40fdbf0.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.InstallUtil.exe.40e59d0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.InstallUtil.exe.40e59d0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.InstallUtil.exe.40cd7a0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.InstallUtil.exe.40cd7a0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0000000A.00000000.1965703472.00000000007A2000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000004.00000002.1983203709.00000000040B4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: InstallUtil.exe PID: 1344, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Microsofts.exe PID: 3796, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, type: DROPPED	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, type: DROPPED	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth

.NET source code contains very large strings

Source: Trading_AIBot.exe.4.dr, cfRDgxIJtEfCD.cs

Long String: Length: 17605

Drops large PE files

Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe

File dump: apihost.exe.9.dr 665670656

Jump to dropped file

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Code function: 0_2_00007FFD9A51C310	0_2_00007FFD9A51C310
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Code function: 0_2_00007FFD9A516110	0_2_00007FFD9A516110
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Code function: 0_2_00007FFD9A513EC3	0_2_00007FFD9A513EC3
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Code function: 0_2_00007FFD9A517680	0_2_00007FFD9A517680
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Code function: 0_2_00007FFD9A517688	0_2_00007FFD9A517688
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Code function: 0_2_00007FFD9A51EFD0	0_2_00007FFD9A51EFD0
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Code function: 0_2_00007FFD9A51E764	0_2_00007FFD9A51E764
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Code function: 0_2_00007FFD9A5234BE	0_2_00007FFD9A5234BE
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Code function: 0_2_00007FFD9A527C75	0_2_00007FFD9A527C75
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Code function: 0_2_00007FFD9A510B40	0_2_00007FFD9A510B40
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Code function: 0_2_00007FFD9A513AFF	0_2_00007FFD9A513AFF
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Code function: 0_2_00007FFD9A52A0AD	0_2_00007FFD9A52A0AD
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Code function: 0_2_00007FFD9A5157A4	0_2_00007FFD9A5157A4
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Code function: 0_2_00007FFD9A521855	0_2_00007FFD9A521855
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Code function: 0_2_00007FFD9A527CD8	0_2_00007FFD9A527CD8
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Code function: 0_2_00007FFD9A527549	0_2_00007FFD9A527549
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Code function: 0_2_00007FFD9A650000	0_2_00007FFD9A650000
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 10_2_02A4C168	10_2_02A4C168
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 10_2_02A4CAB0	10_2_02A4CAB0
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 10_2_02A47E68	10_2_02A47E68
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 10_2_02A44F08	10_2_02A44F08
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 10_2_02A4C387	10_2_02A4C387
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 10_2_02A4CAAF	10_2_02A4CAAF
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 10_2_02A4B9E0	10_2_02A4B9E0
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 10_2_02A4B9DC	10_2_02A4B9DC
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 10_2_02A44EF8	10_2_02A44EF8
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 10_2_02A47E67	10_2_02A47E67
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 10_2_02A42DD1	10_2_02A42DD1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_0293B4A0	11_2_0293B4A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_0293B490	11_2_0293B490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_081D3A98	11_2_081D3A98
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Code function: 16_2_059F1B94	16_2_059F1B94
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Code function: 16_2_059FDAAC	16_2_059FDAAC
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Code function: 16_2_059F25B8	16_2_059F25B8
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Code function: 16_2_059F25A8	16_2_059F25A8
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Code function: 16_2_059FE608	16_2_059FE608
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Code function: 16_2_059F4174	16_2_059F4174
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Code function: 16_2_059F1D20	16_2_059F1D20
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Code function: 16_2_059F1B88	16_2_059F1B88

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe F19763B48B2D2CC92E61127DD0B29760A1C630F03AD7F5055FD1ED9C7D439428

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1004 -s 1052

Source: Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe

Static PE information: No import functions for PE file found

Source: Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe, 00000000.00000002.2219149662.00000251D390B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePowerShell.EXEj% vs Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe
Source: Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe, 00000000.00000002.2210316682.00000251BB010000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameIyujotepoJ vs Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe
Source: Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Binary or memory string: OriginalFilenameIrowiqagaxavenilewoxo: vs Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe

Source: 4.2.InstallUtil.exe.40cd7a0.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.InstallUtil.exe.40cd7a0.5.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.0.Microsofts.exe.7a0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.0.Microsofts.exe.7a0000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.InstallUtil.exe.40e59d0.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.InstallUtil.exe.40e59d0.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.InstallUtil.exe.40fdbf0.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.InstallUtil.exe.40fdbf0.6.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.InstallUtil.exe.40fdbf0.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.InstallUtil.exe.40fdbf0.6.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.InstallUtil.exe.40e59d0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.InstallUtil.exe.40e59d0.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.InstallUtil.exe.40cd7a0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.InstallUtil.exe.40cd7a0.5.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000000.1965703472.00000000007A2000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000004.00000002.1983203709.00000000040B4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: InstallUtil.exe PID: 1344, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Microsofts.exe PID: 3796, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, type: DROPPED	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, type: DROPPED	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/

Source: Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe

Static PE information: Section: .rsrc ZLIB complexity 0.9967188259970817

Source: 0.2.Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe.251cb227e40.2.raw.unpack, jftrreicfijphfebchxz.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe.251cb1fcbf8.3.raw.unpack, jftrreicfijphfebchxz.cs	Cryptographic APIs: 'CreateDecryptor'
Source: Microsofts.exe.4.dr, UltraSpeed.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: Microsofts.exe.4.dr, COVIDPickers.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@22/19@2/2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\installutil.exe.log

Jump to behavior

Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7344:120:WilError_03
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Phoenix_Clipper_666
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3620:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7352:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1004

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_q1sxixlh.xf4.ps1

Jump to behavior

Source: Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Microsofts.exe, 0000000A.00000002.3193754650.0000000002B5E000.00000004.00000800.00020000.00000000.sdmp, Microsofts.exe, 0000000A.00000002.3193754650.0000000002B7C000.00000004.00000800.00020000.00000000.sdmp, Microsofts.exe, 0000000A.00000002.3193754650.0000000002B6E000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe

ReversingLabs: Detection: 13%

Source: unknown	Process created: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe "C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe"
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe" -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1004 -s 1052
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe "C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: C:\Users\user\AppData\Local\Temp\Microsofts.exe "C:\Users\user\AppData\Local\Temp\Microsofts.exe"
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 11:51 /du 23:59 /sc daily /ri 1 /f
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process created: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe"
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe" -Force	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe "C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: C:\Users\user\AppData\Local\Temp\Microsofts.exe "C:\Users\user\AppData\Local\Temp\Microsofts.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 11:51 /du 23:59 /sc daily /ri 1 /f	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process created: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: cryptbase.dll

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe

Static file information: File size 5214208 > 1048576

Source: Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x478600

Source: Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WER2C3F.tmp.dmp.8.dr
Source:	Binary string: System.Windows.Forms.pdb source: WER2C3F.tmp.dmp.8.dr
Source:	Binary string: System.pdb@ source: WER2C3F.tmp.dmp.8.dr
Source:	Binary string: mscorlib.pdb source: WER2C3F.tmp.dmp.8.dr
Source:	Binary string: System.ni.pdbRSDS source: WER2C3F.tmp.dmp.8.dr
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS source: WER2C3F.tmp.dmp.8.dr
Source:	Binary string: System.Windows.Forms.pdbP source: WER2C3F.tmp.dmp.8.dr
Source:	Binary string: System.Windows.Forms.ni.pdb source: WER2C3F.tmp.dmp.8.dr
Source:	Binary string: System.Drawing.pdb source: WER2C3F.tmp.dmp.8.dr
Source:	Binary string: mscorlib.ni.pdb source: WER2C3F.tmp.dmp.8.dr
Source:	Binary string: System.Drawing.ni.pdb source: WER2C3F.tmp.dmp.8.dr
Source:	Binary string: System.Core.pdb source: WER2C3F.tmp.dmp.8.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER2C3F.tmp.dmp.8.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER2C3F.tmp.dmp.8.dr
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WER2C3F.tmp.dmp.8.dr
Source:	Binary string: System.ni.pdb source: WER2C3F.tmp.dmp.8.dr
Source:	Binary string: System.pdb source: WER2C3F.tmp.dmp.8.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER2C3F.tmp.dmp.8.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER2C3F.tmp.dmp.8.dr
Source:	Binary string: System.Core.ni.pdb source: WER2C3F.tmp.dmp.8.dr

Source: Trading_AIBot.exe.4.dr

Static PE information: 0xAA16B5AE [Fri Jun 4 22:50:22 2060 UTC]

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Code function: 0_2_00007FFD9A5283FD pushad ; iretd	0_2_00007FFD9A5283FF
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Code function: 0_2_00007FFD9A650000 push esp; retf 4810h	0_2_00007FFD9A650312
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_0293636D push eax; ret	11_2_02936361
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_081D7010 push esp; ret	11_2_081D7011
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_081D7D72 pushfd ; iretd	11_2_081D7D79
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Code function: 16_2_04B2F2F0 push eax; ret	16_2_04B2F2F1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	File created: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\installutil.exe.log

Jump to behavior

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 11:51 /du 23:59 /sc daily /ri 1 /f

Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\apihost.exe.lnk

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\apihost.exe.lnk

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe PID: 1004, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe, 00000000.00000002.2210904029.00000251BB4FE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe, 00000000.00000002.2210904029.00000251BB4FE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Memory allocated: 251B9720000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Memory allocated: 251D31B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 2E60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 30B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 2FB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Memory allocated: 1050000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Memory allocated: 2D00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Memory allocated: 4D00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Memory allocated: 6310000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Memory allocated: 2E310000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Memory allocated: 28F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Memory allocated: 2A80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Memory allocated: 4A80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Memory allocated: 2600000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Memory allocated: 2600000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Memory allocated: 4600000 memory reserve \| memory write watch

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5805	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1535	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5583
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 538
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Window / User API: threadDelayed 1749

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7264	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7200	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5572	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe TID: 7188	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7440	Thread sleep count: 5583 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7476	Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7444	Thread sleep count: 538 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7464	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe TID: 7936	Thread sleep time: -104940000s >= -30000s
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe TID: 7936	Thread sleep time: -60000s >= -30000s

Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe

Last function: Thread delayed

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Thread delayed: delay time: 60000
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Thread delayed: delay time: 60000

Source: Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe, 00000000.00000002.2210904029.00000251BB4FE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: Amcache.hve.8.dr	Binary or memory string: VMware, Inc.
Source: Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe, 00000000.00000002.2210904029.00000251BB4FE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Amcache.hve.8.dr	Binary or memory string: VMware20,1hbin@
Source: Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe, 00000000.00000002.2210904029.00000251BB4FE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE
Source: Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe, 00000000.00000002.2210904029.00000251BB4FE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe, 00000000.00000002.2210904029.00000251BB4FE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe, 00000000.00000002.2210904029.00000251BB4FE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: Microsofts.exe, 0000000A.00000002.3183533201.0000000000D53000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.8.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe, 00000000.00000002.2210904029.00000251BB4FE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
Source: Amcache.hve.8.dr	Binary or memory string: vmci.syshbin`
Source: Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe, 00000000.00000002.2210904029.00000251BB4FE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: Amcache.hve.8.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe, 00000000.00000002.2219149662.00000251D38F4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe, 00000000.00000002.2210904029.00000251BB4FE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe, 00000000.00000002.2210904029.00000251BB4FE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: Amcache.hve.8.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.8.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe, 00000000.00000002.2210904029.00000251BB4FE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe, 00000000.00000002.2210904029.00000251BB4FE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: Amcache.hve.8.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.8.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe

Code function: 10_2_02A4C168 LdrInitializeThunk,LdrInitializeThunk,

10_2_02A4C168

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: Microsofts.exe.4.dr, UltraSpeed.cs	Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
Source: Microsofts.exe.4.dr, FFDecryptor.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
Source: Microsofts.exe.4.dr, FFDecryptor.cs	Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text9 + "\\mozglue.dll"))

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe" -Force
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe" -Force	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 42E000	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 430000	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: D6F008	Jump to behavior

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe" -Force	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe "C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: C:\Users\user\AppData\Local\Temp\Microsofts.exe "C:\Users\user\AppData\Local\Temp\Microsofts.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 11:51 /du 23:59 /sc daily /ri 1 /f	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process created: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Queries volume information: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Microsofts.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Queries volume information: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Disables UAC (registry)

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA

Jump to behavior

Stealing of Sensitive Information

Yara detected MassLogger RAT

Source: Yara match	File source: 4.2.InstallUtil.exe.40cd7a0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.Microsofts.exe.7a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.InstallUtil.exe.40e59d0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.InstallUtil.exe.40fdbf0.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.InstallUtil.exe.40fdbf0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.InstallUtil.exe.40e59d0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.InstallUtil.exe.40cd7a0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000000.1965703472.00000000007A2000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1983203709.00000000040B4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 1344, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Microsofts.exe PID: 3796, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, type: DROPPED

Yara detected Telegram RAT

Source: Yara match	File source: 4.2.InstallUtil.exe.40cd7a0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.Microsofts.exe.7a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.InstallUtil.exe.40e59d0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.InstallUtil.exe.40fdbf0.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.InstallUtil.exe.40fdbf0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.InstallUtil.exe.40e59d0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.InstallUtil.exe.40cd7a0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000000.1965703472.00000000007A2000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1983203709.00000000040B4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 1344, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Microsofts.exe PID: 3796, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, type: DROPPED

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Yara match	File source: 4.2.InstallUtil.exe.40cd7a0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.Microsofts.exe.7a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.InstallUtil.exe.40e59d0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.InstallUtil.exe.40fdbf0.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.InstallUtil.exe.40fdbf0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.InstallUtil.exe.40e59d0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.InstallUtil.exe.40cd7a0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.3193754650.0000000002ADF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.1965703472.00000000007A2000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1983203709.00000000040B4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3193754650.0000000002BA3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 1344, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Microsofts.exe PID: 3796, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, type: DROPPED

Remote Access Functionality

Yara detected MassLogger RAT

Source: Yara match	File source: 4.2.InstallUtil.exe.40cd7a0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.Microsofts.exe.7a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.InstallUtil.exe.40e59d0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.InstallUtil.exe.40fdbf0.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.InstallUtil.exe.40fdbf0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.InstallUtil.exe.40e59d0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.InstallUtil.exe.40cd7a0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000000.1965703472.00000000007A2000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1983203709.00000000040B4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 1344, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Microsofts.exe PID: 3796, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, type: DROPPED

Yara detected Telegram RAT

Source: Yara match	File source: 4.2.InstallUtil.exe.40cd7a0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.Microsofts.exe.7a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.InstallUtil.exe.40e59d0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.InstallUtil.exe.40fdbf0.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.InstallUtil.exe.40fdbf0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.InstallUtil.exe.40e59d0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.InstallUtil.exe.40cd7a0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000000.1965703472.00000000007A2000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1983203709.00000000040B4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 1344, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Microsofts.exe PID: 3796, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	21 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	211 Process Injection	1 Deobfuscate/Decode Files or Information	1 Input Capture	13 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	2 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	2 Obfuscated Files or Information	Security Account Manager	211 Security Software Discovery	SMB/Windows Admin Shares	1 Screen Capture	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Registry Run Keys / Startup Folder	1 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	1 Email Collection	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	41 Virtualization/Sandbox Evasion	SSH	1 Input Capture	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Masquerading	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	41 Virtualization/Sandbox Evasion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	211 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	13%	ReversingLabs	Win64.Trojan.SnakeStealer
Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	100%	Avira	TR/Dropper.Gen
C:\Users\user\AppData\Local\Temp\Microsofts.exe	100%	Avira	TR/ATRAPS.Gen
C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	100%	Avira	TR/Dropper.Gen
C:\Users\user\AppData\Local\Temp\Microsofts.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\Microsofts.exe	61%	ReversingLabs	ByteCode-MSIL.Infostealer.Mintluks
C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	79%	ReversingLabs	ByteCode-MSIL.Infostealer.ClipBanker

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	172.67.177.134	true	false	high
checkip.dyndns.com	158.101.44.242	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://reallyfreegeoip.org/xml/8.46.123.189	false		high
http://checkip.dyndns.org/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 0000000B.00000002.2073622854.00000000057BD000.00000004.00000800.00020000.00000000.sdmp	false	high
http://pesterbdd.com/images/Pester.png	powershell.exe, 0000000B.00000002.2055263861.00000000048A6000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 0000000B.00000002.2055263861.00000000048A6000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 0000000B.00000002.2055263861.00000000048A6000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org34	Microsofts.exe, 0000000A.00000002.3193754650.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp	false	unknown
http://reallyfreegeoip.orgd	Microsofts.exe, 0000000A.00000002.3193754650.0000000002B1B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/License	powershell.exe, 0000000B.00000002.2073622854.00000000057BD000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/Icon	powershell.exe, 0000000B.00000002.2073622854.00000000057BD000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org	Microsofts.exe, 0000000A.00000002.3193754650.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, Microsofts.exe, 0000000A.00000002.3193754650.0000000002AFE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/Pester/Pester	powershell.exe, 0000000B.00000002.2055263861.00000000048A6000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.1dZ	Microsofts.exe, 0000000A.00000002.3193754650.0000000002AFE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.189l	Microsofts.exe, 0000000A.00000002.3193754650.0000000002AFE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://crl.micro	powershell.exe, 0000000B.00000002.2080271571.0000000007D12000.00000004.00000020.00020000.00000000.sdmp	false	high
http://checkip.dyndns.comd	Microsofts.exe, 0000000A.00000002.3193754650.0000000002AFE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://aka.ms/pscore6lB	powershell.exe, 0000000B.00000002.2055263861.0000000004751000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/q	InstallUtil.exe, 00000004.00000002.1983203709.00000000040B4000.00000004.00000800.00020000.00000000.sdmp, Microsofts.exe, 0000000A.00000000.1965703472.00000000007A2000.00000002.00000001.01000000.0000000A.sdmp, Microsofts.exe.4.dr	false	high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 0000000B.00000002.2055263861.00000000048A6000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/	powershell.exe, 0000000B.00000002.2073622854.00000000057BD000.00000004.00000800.00020000.00000000.sdmp	false	high
https://nuget.org/nuget.exe	powershell.exe, 0000000B.00000002.2073622854.00000000057BD000.00000004.00000800.00020000.00000000.sdmp	false	high
http://reallyfreegeoip.org	Microsofts.exe, 0000000A.00000002.3193754650.0000000002B1B000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.orgd	Microsofts.exe, 0000000A.00000002.3193754650.0000000002AFE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org	Microsofts.exe, 0000000A.00000002.3193754650.0000000002AFE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.com	Microsofts.exe, 0000000A.00000002.3193754650.0000000002AFE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/d	Microsofts.exe, 0000000A.00000002.3193754650.0000000002AFE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Microsofts.exe, 0000000A.00000002.3193754650.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2055263861.0000000004751000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot-/sendDocument?chat_id=	InstallUtil.exe, 00000004.00000002.1983203709.00000000040B4000.00000004.00000800.00020000.00000000.sdmp, Microsofts.exe, 0000000A.00000000.1965703472.00000000007A2000.00000002.00000001.01000000.0000000A.sdmp, Microsofts.exe.4.dr	false	high
https://reallyfreegeoip.org/xml/	InstallUtil.exe, 00000004.00000002.1983203709.00000000040B4000.00000004.00000800.00020000.00000000.sdmp, Microsofts.exe, 0000000A.00000002.3193754650.0000000002AFE000.00000004.00000800.00020000.00000000.sdmp, Microsofts.exe, 0000000A.00000000.1965703472.00000000007A2000.00000002.00000001.01000000.0000000A.sdmp, Microsofts.exe, 0000000A.00000002.3193754650.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp, Microsofts.exe.4.dr	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
158.101.44.242	checkip.dyndns.com	United States		31898	ORACLE-BMC-31898US	false
172.67.177.134	reallyfreegeoip.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1579020
Start date and time:	2024-12-20 17:44:39 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 27s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@22/19@2/2
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 94% Number of executed functions: 153 Number of non-executed functions: 18
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.21, 20.12.23.50, 20.190.177.23, 13.107.246.63
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, login.live.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target InstallUtil.exe, PID 1344 because it is empty
Execution Graph export aborted for target Trading_AIBot.exe, PID 2800 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe

Simulations

Behavior and APIs

Time	Type	Description
11:46:00	API Interceptor	55x Sleep call for process: powershell.exe modified
11:46:23	API Interceptor	1x Sleep call for process: WerFault.exe modified
11:46:38	API Interceptor	1757x Sleep call for process: apihost.exe modified
16:46:04	Task Scheduler	Run new task: AccSys path: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe
16:46:07	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\apihost.exe.lnk

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
158.101.44.242	Statement_3029_from_Cross_Traders_and_Logistics_ltd.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	Requested Documentation.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	Overheaped237.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	HUSDGHCE23ED.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	_Company.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	RFQ December-January Forcast and TCL.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	PAYMENT ADVICE TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	Justificante pago-09453256434687.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
172.67.177.134	YU SV Payment.exe	Get hash	malicious	MassLogger RAT	Browse
	PAYMENT ADVICE 750013-1012449943-81347-pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	HUSDGHCE23ED.exe	Get hash	malicious	MassLogger RAT	Browse
	66776676676.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse
	RFQ December-January Forcast and TCL.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	Invoice.exe	Get hash	malicious	Snake Keylogger	Browse
	PK241200518-EMAIL RELEASE-pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	ugpJX5h56S.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse
	MV GOLDEN SCHULTE DETAILS.exe	Get hash	malicious	Snake Keylogger	Browse
	pre-stowage.PDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	Statement_3029_from_Cross_Traders_and_Logistics_ltd.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	Invoice DHL - AWB 2024 E4001 - 0000731.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	Requested Documentation.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	YU SV Payment.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	PURCHASE ORDER TRC-090971819130-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.247.73
	PAYMENT ADVICE 750013-1012449943-81347-pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.6.168
	Overheaped237.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	158.101.44.242
	HUSDGHCE23ED.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	66776676676.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	_Company.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
reallyfreegeoip.org	Statement_3029_from_Cross_Traders_and_Logistics_ltd.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
	Invoice DHL - AWB 2024 E4001 - 0000731.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	YU SV Payment.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	PURCHASE ORDER TRC-090971819130-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.67.152
	PAYMENT ADVICE 750013-1012449943-81347-pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	172.67.177.134
	Overheaped237.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.67.152
	HUSDGHCE23ED.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	66776676676.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	_Company.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	0001.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ORACLE-BMC-31898US	Statement_3029_from_Cross_Traders_and_Logistics_ltd.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	nshkarm.elf	Get hash	malicious	Mirai	Browse	140.238.15.102
	nshsh4.elf	Get hash	malicious	Mirai	Browse	140.238.98.44
	Requested Documentation.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	YU SV Payment.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	la.bot.sparc.elf	Get hash	malicious	Mirai	Browse	168.138.95.8
	PAYMENT ADVICE 750013-1012449943-81347-pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.6.168
	x86_32.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	144.25.16.134
	Overheaped237.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	158.101.44.242
	HUSDGHCE23ED.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
CLOUDFLARENETUS	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, SystemBC, zgRAT	Browse	172.67.197.170
	Statement_3029_from_Cross_Traders_and_Logistics_ltd.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
	Fortexternal.exe	Get hash	malicious	Unknown	Browse	172.67.75.163
	Loader.exe	Get hash	malicious	LummaC	Browse	104.21.90.135
	Sentinelled.vbs	Get hash	malicious	Unknown	Browse	104.21.86.72
	nshkarm.elf	Get hash	malicious	Mirai	Browse	104.25.87.101
	hBBxlxfQ3F.exe	Get hash	malicious	LummaC, Stealc	Browse	172.67.197.170
	gf3yK6i4OX.exe	Get hash	malicious	LummaC	Browse	104.21.21.99
	0WO49yZcDA.exe	Get hash	malicious	LummaC	Browse	104.21.21.99
	uDTW3VjJJT.exe	Get hash	malicious	LummaC, Stealc	Browse	104.21.21.99

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	Statement_3029_from_Cross_Traders_and_Logistics_ltd.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	Browser.Daemon.exe	Get hash	malicious	Unknown	Browse	172.67.177.134
	Browser.Daemon.exe	Get hash	malicious	Unknown	Browse	172.67.177.134
	Invoice DHL - AWB 2024 E4001 - 0000731.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	YU SV Payment.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	PURCHASE ORDER TRC-090971819130-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	172.67.177.134
	PAYMENT ADVICE 750013-1012449943-81347-pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	172.67.177.134
	Overheaped237.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	172.67.177.134
	HUSDGHCE23ED.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	66776676676.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	172.67.177.134

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	C6dAUcOA6M.exe	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse
	F7Xu8bRnXT.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse
	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse
	PO #09465610_GQ 003745_SO-242000846.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse
	IBKB.vbs	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse
	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.cmd	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse
	Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Ziraat_Bankasi_S_d0689f373fee26512ceb5c5541da33c5d5750_5a9513ef_e6184385-f165-4f2e-80ac-ac0e77459ee6\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.1859547384639197
Encrypted:	false
SSDEEP:	192:mpRoTk6Zt50UnUVaWB2xQE6TdzuiFxZ24lO8YRq:GRoTkcgUnUVam2ChzuiFxY4lO8YRq
MD5:	518498AD5DFE91C339D0DD5986AF3A7A
SHA1:	30D6E77DB37F2220B2E96AF2B91781C8FE18DB96
SHA-256:	1EE8CAAA48925FC6E75C0040B3B0A49638DA8CC9BDA7CAB4F0B56D68C6C5E451
SHA-512:	DCB64390A073B5F06310821F70DA9563F734B166038827285C227E1A16E03442740657CE0F392465D42E66699489085D046AEDDE578403154FF11F67854392E1
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.9.1.8.6.7.5.9.6.0.7.4.9.1.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.9.1.8.6.7.6.1.2.9.4.9.9.6.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.6.1.8.4.3.8.5.-.f.1.6.5.-.4.f.2.e.-.8.0.a.c.-.a.c.0.e.7.7.4.5.9.e.e.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.e.8.0.3.7.0.1.-.c.f.3.c.-.4.f.5.0.-.b.a.3.e.-.6.b.c.4.7.a.4.e.8.6.0.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.Z.i.r.a.a.t._.B.a.n.k.a.s.i._.S.w.i.f.t._.M.e.s.a.j.i._.T.X.B.0.4.9.5.8.T...s.c.r...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.I.r.o.w.i.q.a.g.a.x.a.v.e.n.i.l.e.w.o.x.o.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.3.e.c.-.0.0.0.1.-.0.0.1.4.-.7.7.3.9.-.9.2.a.3.f.e.5.2.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.d.5.0.e.d.8.1.4.d.b.6.5.8.b.2.9.8.d.5.7.c.d.4.e.8.9.6.d.f.5.9.d.0.0.0.0.0.0.0.0.!.0.0.0.0.c.d.0.0.7.0.8.4.6.8.a.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2C3F.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 16 streams, Fri Dec 20 16:46:00 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	482914
Entropy (8bit):	3.1836056289931594
Encrypted:	false
SSDEEP:	3072:t659eNMSiMo94wmOswZI4alWUu/OcScFYZvwus1CCqCT3+vt:t6/N8csLK2NwVqCT3Q
MD5:	2775DF4B250FA92F3E0ECCF495F8737D
SHA1:	13B400935E218E3C0311742EA2D96A72705B85ED
SHA-256:	E61D61B8B9E4689AC754C7C2BB0D561D79358B42BDBC568AEF4DB1D35392905E
SHA-512:	EE77B78B2B588B651F9581171C7441D3221B63E7F5E32B381AA280340BB9DEE292AF1B29823123A5BD43524A4D9F3E7EFFDA69F0A24C0BB92C713462995002D0
Malicious:	false
Preview:	MDMP..a..... .......H.eg............t...........p...........$....%...... ...(%.......L.............l.......8...........T............8..b&..........HC..........4E..............................................................................eJ.......E......Lw......................T...........C.eg.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3009.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8928
Entropy (8bit):	3.7178527649964055
Encrypted:	false
SSDEEP:	192:R6l7wVeJMaAMLPD9o6Y9umPYNzgmfI6J0prg89bCjhfR2m:R6lXJMmLbi6YlYzgmfIiMClfp
MD5:	692D93CDF6D9096D859B53321E317241
SHA1:	215AD126990D3943ABABE8C1FF856BBADAA1AE4D
SHA-256:	EFE558CB3F469E4A2C3407635C61217FC6616B668B398B7588588EEBF900635A
SHA-512:	1F8CC30FCB4F19B713DC371F9C2A1C37286AB28A43593EC707702559A2C4A23E00526CD9C8850DF82CDA6312632CC3571D2F534E2BDA5D195B178DA753BD75B9
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.0.0.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3113.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4928
Entropy (8bit):	4.597390027558798
Encrypted:	false
SSDEEP:	48:cvIwWl8zs+Jg771I9gDWpW8VYEYm8M4JeAF5Pyq85DghnWTK1zz1Qd:uIjf0I73y7VoJjVWTczhQd
MD5:	1E661A6BEB692B366EDA790B4ED4E1F8
SHA1:	B96CAE40CBC8FD30C8D624B4535104796EA9D4F0
SHA-256:	3EAA44E1D1C545A5E6CC07030C0EB6013A721B39DB944740FD2B2AA26F29EC4B
SHA-512:	C3C52CE132688703807B823B73FD29066E7EE52F30B1D191375EFFDBF93132F67FD163C9E48C0B3FDA167EDA710BC3A37159D651C084A939F8AC8ACE9EE3708C
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="639828" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\installutil.exe.log

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	425
Entropy (8bit):	5.353683843266035
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:ML9E4KlKDE4KhKiKhk
MD5:	859802284B12C59DDBB85B0AC64C08F0
SHA1:	4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE
SHA-256:	FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
SHA-512:	8A371F671B962AE8AE0F58421A13E80F645FF0A9888462C1529B77289098A0EA4D6A9E2E07ABD4F96460FCC32AA87B0581CA4D747E77E69C3620BF1368BA9A67
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.379460230152629
Encrypted:	false
SSDEEP:	48:fWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMugeoPUyus:fLHyIFKL3IZ2KRH9OugYs
MD5:	046745B14D061B6E178B71722C97B95D
SHA1:	2FBB516625B3C7390120BDFE48D7D7528425BBDF
SHA-256:	168CA4AE0871B8F96DB2F547CAD7BF740DD4DB6691CECB466A04B6FC27971810
SHA-512:	5FF76CFBDDA5E711D0B2A58AD247A77B589170FDC55D95E5B74D448EC4AD2A634538721F3C2E4CB8F116376624AEDDBF744169648E0A0C354BBC11444AA809ED
Malicious:	false
Preview:	@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\Microsofts.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	98816
Entropy (8bit):	5.666546286050177
Encrypted:	false
SSDEEP:	1536:qwa4JaIFveZKGAmwJVeDhp0dqnjErVf4UMR7pspNYZd:24Jj4ZKGHwJVeDDKqnj6bMDspNC
MD5:	F6B8018A27BCDBAA35778849B586D31B
SHA1:	81BDE9535B07E103F89F6AEABDB873D7E35816C2
SHA-256:	DDC6B2BD4382D1AE45BEE8F3C4BB19BD20933A55BDF5C2E76C8D6C46BC1516CE
SHA-512:	AA958D22952D27BAD1C0D3C9D08DDBF364274363D5359791B7B06A5D5D91A21F57E9C9E1079F3F95D7CE5828DCD3E79914FF2BD836F347B5734151D668D935DE
Malicious:	true
Yara Hits:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, Author: Florian Roth
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 61%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....nH...............P..x............... ........@.. ....................................`.....................................S.................................................................................... ............... ..H............text....v... ...x.................. ..`.rsrc................z..............@..@.reloc..............................@..B........................H...................Z....................................................}.....is.......................~...F...@...7...%...m...$...~...~...d...r...a...G...o...n...~.....(....&..( .....s!........s"........s#........s$........s%........Z........o8...........&..(9....&........".......Vs....(B...t...........(C..."~....+."~....+."~....+."~....+."~....+.b.r...p.oa...(....(@....:.~.....o....&.:.(P....(Q......~3...,.~3...+.~1.....x...s....%.3...(.....*..(Y....(L...

C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	70656
Entropy (8bit):	4.910353963160109
Encrypted:	false
SSDEEP:	1536:ZPqWETbZazuYx3cOBB03Cmp3gGLWUTbUwjKX4C2b+d:ZizbZazunOKrp3gGhTbUwjI4C2Sd
MD5:	E91A1DB64F5262A633465A0AAFF7A0B0
SHA1:	396E954077D21E94B7C20F7AFA22A76C0ED522D0
SHA-256:	F19763B48B2D2CC92E61127DD0B29760A1C630F03AD7F5055FD1ED9C7D439428
SHA-512:	227D7DAD569D77EF84326E905B7726C722CEFF331246DE4F5CF84428B9721F8B2732A31401DF6A8CEF7513BCD693417D74CDD65D54E43C710D44D1726F14B0C5
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 79%
Joe Sandbox View:	Filename: C6dAUcOA6M.exe, Detection: malicious, Browse Filename: F7Xu8bRnXT.exe, Detection: malicious, Browse Filename: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe, Detection: malicious, Browse Filename: PO #09465610_GQ 003745_SO-242000846.exe, Detection: malicious, Browse Filename: IBKB.vbs, Detection: malicious, Browse Filename: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.cmd, Detection: malicious, Browse Filename: Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0.............n)... ...@....@.. ....................................`..................................)..W....@.......................`....................................................... ............... ..H............text...t.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................P)......H........>...............=..p...........................................".(!......s3...z...s..........(.....Z~ ...oK...~....(!.....(5....&.(!.....".......".(u....Vs....(v...t.........&..(.....Br...p(.....(....sL....).......0...........r...p....s........ ................. ........8[...........o.........................% ....X....o....a.o.............o....]......... ....X............o....?....(........o....o ...............8........*....0..........r)..p(....("....

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3mbxkor0.xjt.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5ewehvka.qzs.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_b54phctl.54v.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dixrrxdz.ii0.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gb1olff4.v34.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_q1sxixlh.xf4.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_unq23gix.c4c.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xdvyfzo2.v3o.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\ACCApi\apihost.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	665670656
Entropy (8bit):	7.999999303728775
Encrypted:	true
SSDEEP:
MD5:	7E1AF0EA4EF8E299AA3EE3FB4837AEBF
SHA1:	47D111174851003A2E614DFF974E7B80D8CFE462
SHA-256:	63AFA2D73898B0862C25BFE947FFCECE3C876CFB251AA5C1EF7738C0D4F060F7
SHA-512:	BE39A087608AFF94F113CCE4DDF1745582660481B27D80B5674CBAEFC954BB301A19E10DEA99C89E08FEC7557A7406E00E037D807D97A452EFF08AF0537CA0D7
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0.............n)... ...@....@.. ....................................`..................................)..W....@.......................`....................................................... ............... ..H............text...t.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................P)......H........>...............=..p...........................................".(!......s3...z...s..........(.....Z~ ...oK...~....(!.....(5....&.(!.....".......".(u....Vs....(v...t.........&..(.....Br...p(.....(....sL....).......0...........r...p....s........ ................. ........8[...........o.........................% ....X....o....a.o.............o....]......... ....X............o....?....(........o....o ...............8........*....0..........r)..p(....("....

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\apihost.exe.lnk

Download File

Process:	C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe
File Type:	MS Windows shortcut, Item id list present, Has Description string, Has Relative path, Icon number=0, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=
Category:	dropped
Size (bytes):	1814
Entropy (8bit):	2.4077982732154424
Encrypted:	false
SSDEEP:	12:8rsXowAOcQ/tz0/CSL4WWeMNDyWlT9gRKQ17+AUvO4Zv7L1Q17+ANTCNfBT/v4tK:8ILDWLqeMNmG9g9R+O4ZvPqRgpdqy
MD5:	0AA0FF9E058C3DE507C59168AE9CFD3D
SHA1:	CB8097303EAB96960C2B79ACDD235D24B48149F4
SHA-256:	5AA15DE045A571F79B2F70D1A91AAA79BD09E62508814B664DAAAE58201C8BEC
SHA-512:	CB7A0659691835C412D17E49630CC2077BC8660DB2C93E393A1660C35ABF18E1B34FC24B7434EAB303B13634E6675DCC169F1112A5A4030B2AF6066DE5726762
Malicious:	false
Preview:	L..................F.@......................................................1....P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....P.1...........user.<............................................j.o.n.e.s.....V.1...........AppData.@............................................A.p.p.D.a.t.a.....V.1...........Roaming.@............................................R.o.a.m.i.n.g.....T.1...........ACCApi..>............................................A.C.C.A.p.i.....b.2...........apihost.exe.H............................................a.p.i.h.o.s.t...e.x.e.........A.c.c.S.y.s.!.....\.....\.....\.....\.....\.A.C.C.A.p.i.\.a.p.i.h.o.s.t...e.x.e.3.C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.T.r.a.d.i.n.g._.A.I.B.o.t...e.x.e.........%USERPROFILE%\AppData\Local\Temp\Trading_AIBot.exe.....................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.466283969854828
Encrypted:	false
SSDEEP:	6144:PIXfpi67eLPU9skLmb0b47WSPKaJG8nAgejZMMhA2gX4WABl0uNTdwBCswSb+:gXD947WlLZMM6YFH1++
MD5:	9188BB9F0DA68B1B455B9290B4E2503C
SHA1:	A840A2C6D41B0E73C7D2856B9E19B0832BD479F1
SHA-256:	DD2C6617A8E6361DC15BC4E9D52C45911169FCE5549049A33FD14DCD8423DA8E
SHA-512:	F8525D36D7D9BDE8DB7C8DDE2433198268B84F0CD80C001FE649D3657F214A52987B28100DADF36CEEBF3E07B3054B70E23C4F32AF29AC25D77B50B1872C63B8
Malicious:	false
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmn...R..............................................................................................................................................................................................................................................................................................................................................6..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.537403542408265
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe
File size:	5'214'208 bytes
MD5:	346f96d373a4724cef30348c4cd4c3a3
SHA1:	cd00708468a02533b41f6d4d54fabfd5ce6b22cc
SHA256:	7652d55f845a4914f76058c418df4da0c65f7df5f0febb2aded459ae0b75be61
SHA512:	be1dc8f8655e478c9640090ee5d267492a6ec5b9649a7221b2dcd8d270b7559a455e43cb2c0e72b24e972dcd11f32be8e95c62384468a520eb9ee7618d5fcaf7
SSDEEP:	49152:L4LkSwje93SlF2b/Rp54kwt8i/z/FDyV/zT0jBMYlfINMyIDQm5YCJf1iUIF8I29:L4YSwjUhIGs5q++Xf7yCxQwza5Dp
TLSH:	8B365BD493F8530DE07E867159F068D949DEB01A26A7D39EF6C204BB0662FC12685EF3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d..../dg.........."...0...G.............. ....@...... ........................O...........`................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x400000
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x67642F1D [Thu Dec 19 14:35:09 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x47c000	0x80754	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x47a558	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x4785cf	0x478600	02392ba70efc6c860908e9370a3ef212	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x47c000	0x80754	0x80800	7f60ae22b7f218f34d0f9d1fedbd6bbb	False	0.9967188259970817	data	7.9985180059109195	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
PROTECTEDBYOMNIP0TENT	0x47c2f0	0x180	data			1.0286458333333333
PROTECTEDBYOMNIP0TENT	0x47c470	0x10	data			1.5625
PROTECTEDBYOMNIP0TENT	0x47c480	0x10	data			1.5
PROTECTEDBYOMNIP0TENT	0x47c490	0x10	data			1.5625
PROTECTEDBYOMNIP0TENT	0x47c4a0	0x7fa10	data			1.0003175404768463
PROTECTEDBYOMNIP0TENT	0x4fbeb0	0x20	data			1.34375
RT_VERSION	0x4fbed0	0x34c	data			0.5035545023696683
RT_VERSION	0x4fc21c	0x34c	data	English	United States	0.5059241706161137
RT_MANIFEST	0x4fc568	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-20T17:46:04.987142+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49736	158.101.44.242	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 20, 2024 17:46:00.913161039 CET	49736	80	192.168.2.4	158.101.44.242
Dec 20, 2024 17:46:01.033016920 CET	80	49736	158.101.44.242	192.168.2.4
Dec 20, 2024 17:46:01.033119917 CET	49736	80	192.168.2.4	158.101.44.242
Dec 20, 2024 17:46:01.033514977 CET	49736	80	192.168.2.4	158.101.44.242
Dec 20, 2024 17:46:01.153363943 CET	80	49736	158.101.44.242	192.168.2.4
Dec 20, 2024 17:46:02.287523031 CET	80	49736	158.101.44.242	192.168.2.4
Dec 20, 2024 17:46:02.293216944 CET	49736	80	192.168.2.4	158.101.44.242
Dec 20, 2024 17:46:02.413292885 CET	80	49736	158.101.44.242	192.168.2.4
Dec 20, 2024 17:46:04.884562969 CET	80	49736	158.101.44.242	192.168.2.4
Dec 20, 2024 17:46:04.987142086 CET	49736	80	192.168.2.4	158.101.44.242
Dec 20, 2024 17:46:05.034838915 CET	49738	443	192.168.2.4	172.67.177.134
Dec 20, 2024 17:46:05.034883976 CET	443	49738	172.67.177.134	192.168.2.4
Dec 20, 2024 17:46:05.034941912 CET	49738	443	192.168.2.4	172.67.177.134
Dec 20, 2024 17:46:05.044864893 CET	49738	443	192.168.2.4	172.67.177.134
Dec 20, 2024 17:46:05.044884920 CET	443	49738	172.67.177.134	192.168.2.4
Dec 20, 2024 17:46:06.273823023 CET	443	49738	172.67.177.134	192.168.2.4
Dec 20, 2024 17:46:06.273946047 CET	49738	443	192.168.2.4	172.67.177.134
Dec 20, 2024 17:46:06.299333096 CET	49738	443	192.168.2.4	172.67.177.134
Dec 20, 2024 17:46:06.299379110 CET	443	49738	172.67.177.134	192.168.2.4
Dec 20, 2024 17:46:06.299885988 CET	443	49738	172.67.177.134	192.168.2.4
Dec 20, 2024 17:46:06.393383980 CET	49738	443	192.168.2.4	172.67.177.134
Dec 20, 2024 17:46:06.503010035 CET	49738	443	192.168.2.4	172.67.177.134
Dec 20, 2024 17:46:06.547343016 CET	443	49738	172.67.177.134	192.168.2.4
Dec 20, 2024 17:46:06.873002052 CET	443	49738	172.67.177.134	192.168.2.4
Dec 20, 2024 17:46:06.873086929 CET	443	49738	172.67.177.134	192.168.2.4
Dec 20, 2024 17:46:06.873143911 CET	49738	443	192.168.2.4	172.67.177.134
Dec 20, 2024 17:46:06.880297899 CET	49738	443	192.168.2.4	172.67.177.134
Dec 20, 2024 17:47:09.884227037 CET	80	49736	158.101.44.242	192.168.2.4
Dec 20, 2024 17:47:09.886389017 CET	49736	80	192.168.2.4	158.101.44.242
Dec 20, 2024 17:47:44.893676996 CET	49736	80	192.168.2.4	158.101.44.242
Dec 20, 2024 17:47:45.013322115 CET	80	49736	158.101.44.242	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 20, 2024 17:46:00.722162008 CET	53614	53	192.168.2.4	1.1.1.1
Dec 20, 2024 17:46:00.860245943 CET	53	53614	1.1.1.1	192.168.2.4
Dec 20, 2024 17:46:04.894599915 CET	63530	53	192.168.2.4	1.1.1.1
Dec 20, 2024 17:46:05.033879042 CET	53	63530	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 20, 2024 17:46:00.722162008 CET	192.168.2.4	1.1.1.1	0xb1c8	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Dec 20, 2024 17:46:04.894599915 CET	192.168.2.4	1.1.1.1	0x243c	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 20, 2024 17:46:00.860245943 CET	1.1.1.1	192.168.2.4	0xb1c8	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 20, 2024 17:46:00.860245943 CET	1.1.1.1	192.168.2.4	0xb1c8	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Dec 20, 2024 17:46:00.860245943 CET	1.1.1.1	192.168.2.4	0xb1c8	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Dec 20, 2024 17:46:00.860245943 CET	1.1.1.1	192.168.2.4	0xb1c8	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Dec 20, 2024 17:46:00.860245943 CET	1.1.1.1	192.168.2.4	0xb1c8	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Dec 20, 2024 17:46:00.860245943 CET	1.1.1.1	192.168.2.4	0xb1c8	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Dec 20, 2024 17:46:05.033879042 CET	1.1.1.1	192.168.2.4	0x243c	No error (0)	reallyfreegeoip.org		172.67.177.134	A (IP address)	IN (0x0001)	false
Dec 20, 2024 17:46:05.033879042 CET	1.1.1.1	192.168.2.4	0x243c	No error (0)	reallyfreegeoip.org		104.21.67.152	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49736	158.101.44.242	80	3796	C:\Users\user\AppData\Local\Temp\Microsofts.exe

Timestamp	Bytes transferred	Direction	Data
Dec 20, 2024 17:46:01.033514977 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 20, 2024 17:46:02.287523031 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 20 Dec 2024 16:46:02 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 97367ac5a0383be899111e73ef3ca257 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Dec 20, 2024 17:46:02.293216944 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 20, 2024 17:46:04.884562969 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 20 Dec 2024 16:46:04 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: c78a58f91c09a727e3661875a3941649 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49738	172.67.177.134	443	3796	C:\Users\user\AppData\Local\Temp\Microsofts.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-20 16:46:06 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-20 16:46:06 UTC	853	IN	HTTP/1.1 200 OK Date: Fri, 20 Dec 2024 16:46:06 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 27955 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CFAU0J9M6Tgry%2FunU6H3XKU4CJZ6e10QApc3U5BcDqmEbeeAR5WzDcU%2F8r6pPcUOVJT3XKZiXtHXGKuzOJhVVYeFOWN3Utza7KLBUviOe8dwwhccIGcmHwXIBEdKLGFW3C0ZoRJ%2B"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f511b4bbfc442a5-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1933&min_rtt=1760&rtt_var=783&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1659090&cwnd=229&unsent_bytes=0&cid=fb84aee380ee6ae7&ts=593&x=0"
2024-12-20 16:46:06 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Target ID:	0
Start time:	11:45:55
Start date:	20/12/2024
Path:	C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe"
Imagebase:	0x251b8f00000
File size:	5'214'208 bytes
MD5 hash:	346F96D373A4724CEF30348C4CD4C3A3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.2210904029.00000251BB4FE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	11:45:58
Start date:	20/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe" -Force
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	11:45:58
Start date:	20/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	11:45:58
Start date:	20/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
Imagebase:	0xbe0000
File size:	42'064 bytes
MD5 hash:	5D4073B2EB6D217C19F2B22F21BF8D57
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000004.00000002.1983203709.00000000040B4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.1983203709.00000000040B4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000004.00000002.1983203709.00000000040B4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000004.00000002.1983203709.00000000040B4000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	11:45:58
Start date:	20/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Wow64 process (32bit):
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
Imagebase:
File size:	42'064 bytes
MD5 hash:	5D4073B2EB6D217C19F2B22F21BF8D57
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	11:45:59
Start date:	20/12/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 1004 -s 1052
Imagebase:	0x7ff6a5290000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	11:45:59
Start date:	20/12/2024
Path:	C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe"
Imagebase:	0x9f0000
File size:	70'656 bytes
MD5 hash:	E91A1DB64F5262A633465A0AAFF7A0B0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 79%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	11:45:59
Start date:	20/12/2024
Path:	C:\Users\user\AppData\Local\Temp\Microsofts.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\Microsofts.exe"
Imagebase:	0x7a0000
File size:	98'816 bytes
MD5 hash:	F6B8018A27BCDBAA35778849B586D31B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.3193754650.0000000002ADF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 0000000A.00000000.1965703472.00000000007A2000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000000.1965703472.00000000007A2000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000A.00000000.1965703472.00000000007A2000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000A.00000000.1965703472.00000000007A2000.00000002.00000001.01000000.0000000A.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.3193754650.0000000002BA3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, Author: Florian Roth
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 61%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	11:46:01
Start date:	20/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
Imagebase:	0x770000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	11:46:01
Start date:	20/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 11:51 /du 23:59 /sc daily /ri 1 /f
Imagebase:	0x9b0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	11:46:01
Start date:	20/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	11:46:01
Start date:	20/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	11:46:05
Start date:	20/12/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff693ab0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	11:46:36
Start date:	20/12/2024
Path:	C:\Users\user\AppData\Roaming\ACCApi\apihost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\ACCApi\apihost.exe"
Imagebase:	0x390000
File size:	665'670'656 bytes
MD5 hash:	7E1AF0EA4EF8E299AA3EE3FB4837AEBF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	11%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFD9A521855 Relevance: 2.4, Instructions: 2366
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2221695478.00007FFD9A510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9a510000_Ziraat_Bankasi_Swift_Mesaji_TXB04958T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 782cba640d36a2f9d771c6d4fc80440163609c2fc75b3f272104120118c2ac81
Instruction ID: 729f85f84b11b569e85503d0a70fc0c9ec42fce41a04b41aea37e164e50a6982
Opcode Fuzzy Hash: 782cba640d36a2f9d771c6d4fc80440163609c2fc75b3f272104120118c2ac81
Instruction Fuzzy Hash: 66F2273170CB854FD7AEDB2884914B977E1FF96301B1445BED88AC72A6DE24E846C781

Function 00007FFD9A517680 Relevance: 2.4, Strings: 1, Instructions: 1108COMMON

Download Yara Rule

Strings

?V_H, xrefs: 00007FFD9A52E4D3

Memory Dump Source

Source File: 00000000.00000002.2221695478.00007FFD9A510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9a510000_Ziraat_Bankasi_Swift_Mesaji_TXB04958T.jbxd

Similarity

API ID:
String ID: ?V_H
API String ID: 0-2753162704
Opcode ID: 41b989298637d1271f28ea55250df3d115955fcd856a8674492d55a057e40b93
Instruction ID: 9760231fa404c4320ca7928299757174d3034e583e81be9d4e0bd9b7320c19a1
Opcode Fuzzy Hash: 41b989298637d1271f28ea55250df3d115955fcd856a8674492d55a057e40b93
Instruction Fuzzy Hash: DF821733B0C6464FE7BE8B5484616B87BD1EF96314F1481FDD88A8B5D3DA28B846C781

Function 00007FFD9A650000 Relevance: 2.2, Instructions: 2174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2223138647.00007FFD9A650000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9a650000_Ziraat_Bankasi_Swift_Mesaji_TXB04958T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45fe8e87b45bc212ba108b3b647dc8f13286e1b59eb2314453f71aafcfda4013
Instruction ID: d7eb150ac77aedd35e7c875152a5191abf06a35670aeda18aa0fa0c269767f83
Opcode Fuzzy Hash: 45fe8e87b45bc212ba108b3b647dc8f13286e1b59eb2314453f71aafcfda4013
Instruction Fuzzy Hash: ACE24C73A0DBC64FE76ADBA888755A47BE0EF56700F0901FED499CB1D3DA28A805C741

Function 00007FFD9A516110 Relevance: 2.0, Strings: 1, Instructions: 717
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

d, xrefs: 00007FFD9A517E4F

Memory Dump Source

Source File: 00000000.00000002.2221695478.00007FFD9A510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9a510000_Ziraat_Bankasi_Swift_Mesaji_TXB04958T.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: a3e555d89584235bdf96fe9c9febd50b9f540b6c31cbb1ca04346d5e34af16a0
Instruction ID: 060b55e65afbfc5d28f594e49f3e3512192882bdebba32a435bb79d1d89869c2
Opcode Fuzzy Hash: a3e555d89584235bdf96fe9c9febd50b9f540b6c31cbb1ca04346d5e34af16a0
Instruction Fuzzy Hash: CB225732B1CA494FE7AEDF6C88A197177D0EF46314B1445F9D49EC31ABDE28E8428781

Function 00007FFD9A517688 Relevance: 1.8, Strings: 1, Instructions: 521
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fish, xrefs: 00007FFD9A517750

Memory Dump Source

Source File: 00000000.00000002.2221695478.00007FFD9A510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9a510000_Ziraat_Bankasi_Swift_Mesaji_TXB04958T.jbxd

Similarity

API ID:
String ID: fish
API String ID: 0-1064584243
Opcode ID: d9e0aaf8a271e363d28ed88f2a60b56656b31643de2c0ae8063beb73587ac471
Instruction ID: f3a8b64d19d3f92ac7dbee17d451bd34ec0258803ac21e0a454b42b4607304a0
Opcode Fuzzy Hash: d9e0aaf8a271e363d28ed88f2a60b56656b31643de2c0ae8063beb73587ac471
Instruction Fuzzy Hash: 83E14B32B1CA8A0FE75DAB7C98755B977D1EF96310B0441BEE48AC31E7DD19E8028781

Function 00007FFD9A5234BE Relevance: 1.0, Instructions: 984COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2221695478.00007FFD9A510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9a510000_Ziraat_Bankasi_Swift_Mesaji_TXB04958T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e68cff58e1134bee4bcd6b1b70c45d74f1c16cd1af53b3662237dddbcd04e29
Instruction ID: 86a198e31befceb504c499f4b7188eca9287efa01f42fb02f46dd69b23c56d7e
Opcode Fuzzy Hash: 9e68cff58e1134bee4bcd6b1b70c45d74f1c16cd1af53b3662237dddbcd04e29
Instruction Fuzzy Hash: B362173171CA494FE3AEDB28C4A45B977E1FF95320B1445BED48AC7296DE38E842C781

Function 00007FFD9A51C310 Relevance: .9, Instructions: 926
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2221695478.00007FFD9A510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9a510000_Ziraat_Bankasi_Swift_Mesaji_TXB04958T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f963968303a0643c0b6162c7e41e15c210b230e29270908fdf4223733446fb92
Instruction ID: 1792770138e9ccf4f7f6c816cc164a60dedbf26ef380353d17fc7dedf5a35559
Opcode Fuzzy Hash: f963968303a0643c0b6162c7e41e15c210b230e29270908fdf4223733446fb92
Instruction Fuzzy Hash: 6352B631B09A094FDBADEB68D465A7977E1FF59301F1401BDE48EC7292DE24EC428B81

Function 00007FFD9A51E764 Relevance: .8, Instructions: 832COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2221695478.00007FFD9A510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9a510000_Ziraat_Bankasi_Swift_Mesaji_TXB04958T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 091ec726aefaa8eb27c14e6883967faa668c39b7ac8cc60b0b07bad020acafed
Instruction ID: cc6901704b6c9a90e639e4d64a371f2cda5e2c547d6f61f3026757349440c92b
Opcode Fuzzy Hash: 091ec726aefaa8eb27c14e6883967faa668c39b7ac8cc60b0b07bad020acafed
Instruction Fuzzy Hash: F7329E32B0CB464FE3AEDB68846107577D1EF96305B1485FED89AC32A6DD29E843C381

Function 00007FFD9A51EFD0 Relevance: .4, Instructions: 433COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2221695478.00007FFD9A510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9a510000_Ziraat_Bankasi_Swift_Mesaji_TXB04958T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d06c11032c53c32fad30bbd12e050fb3eb964908db7dac44822740ae440dc0b3
Instruction ID: 3bf61d0ddc74beff5c8b9eb6e452108d987f97111c8df41875c465a579724e73
Opcode Fuzzy Hash: d06c11032c53c32fad30bbd12e050fb3eb964908db7dac44822740ae440dc0b3
Instruction Fuzzy Hash: FBD1373270CB864FE36ECB6884A517577E2FFD5301B1446BED4D6C32A5DA28E446C781

Function 00007FFD9A513EC3 Relevance: .4, Instructions: 370COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2221695478.00007FFD9A510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9a510000_Ziraat_Bankasi_Swift_Mesaji_TXB04958T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9167f140f85bc6971abc084dc94459b3dfb34a14fd1af7f07732c2b21ca6819
Instruction ID: 27a959a8faa0e083f1fb9bb8cbfb4213382ba9f151e5d7481c3b0b5382763b66
Opcode Fuzzy Hash: c9167f140f85bc6971abc084dc94459b3dfb34a14fd1af7f07732c2b21ca6819
Instruction Fuzzy Hash: FCC1A171B186058FE3AEDE64C065179B7E1EF86304F6454BEE09E87192DA39EC83CB41

Function 00007FFD9A527C75 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2221695478.00007FFD9A510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9a510000_Ziraat_Bankasi_Swift_Mesaji_TXB04958T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a915c37c72f09dce753ece87262ae7c6e5039291a448502f54fe2ad2988d7d63
Instruction ID: 3858004959acf85c30698437ed82d5e55a020d9fdb82c03a65cd63be877ffb14
Opcode Fuzzy Hash: a915c37c72f09dce753ece87262ae7c6e5039291a448502f54fe2ad2988d7d63
Instruction Fuzzy Hash: 3B414972B0C7890FD71E9A788C261B53BA5DB83320B1582BFD487C71E7DD18684683D2

Function 00007FFD9A527CD8 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2221695478.00007FFD9A510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9a510000_Ziraat_Bankasi_Swift_Mesaji_TXB04958T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a4820509d939412c7ad22dbd60cad898475e6f04166c5260891d7fc265615c0
Instruction ID: d6bdef497337e28ee9f583d79b531f35fcc279c591b97966a4e339761a36b5f3
Opcode Fuzzy Hash: 5a4820509d939412c7ad22dbd60cad898475e6f04166c5260891d7fc265615c0
Instruction Fuzzy Hash: 63413731B0C7890FD71F9E7888255B53BA5EB83310B1682BFD48BC71E7DD5858468392

Function 00007FFD9A51C779 Relevance: 1.7, APIs: 1, Instructions: 168
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 00007FFD9A52B6E1

Memory Dump Source

Source File: 00000000.00000002.2221695478.00007FFD9A510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9a510000_Ziraat_Bankasi_Swift_Mesaji_TXB04958T.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: b448becc542bf797582c244d22b81893aa846353c0576af01c4afc684b651c4c
Instruction ID: 742cd490e6e60968a7af59d8a4bef25186525444a7ac5f293ca97e19280515b0
Opcode Fuzzy Hash: b448becc542bf797582c244d22b81893aa846353c0576af01c4afc684b651c4c
Instruction Fuzzy Hash: 69414832B0C6494FE719EBAC98696F97BF0EF96321F0401BFD059C3193DA286446C791

Function 00007FFD9A6510C9 Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2223138647.00007FFD9A650000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9a650000_Ziraat_Bankasi_Swift_Mesaji_TXB04958T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f869695e9cc706a0acb5a30f1596d4c818dc32ca0aba761c30770cd649b416f5
Instruction ID: 6b8da8e621c4c5f26c1531c7528f7b0646fa7467084a5d007f87a46e940bbc07
Opcode Fuzzy Hash: f869695e9cc706a0acb5a30f1596d4c818dc32ca0aba761c30770cd649b416f5
Instruction Fuzzy Hash: 05710632A0CE894FDB6AEBA8C8755A57BE1EF56700F0500FAD45AC71D3DA28A841C381

Function 00007FFD9A651210 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2223138647.00007FFD9A650000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9a650000_Ziraat_Bankasi_Swift_Mesaji_TXB04958T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 975653f37b63c58ea9460c578ce5adcec573a43cf7ac574db2421434e0917d41
Instruction ID: c32483140c79ebc6f6dedec9757e5a040cb24822176247eefa914a62492023a8
Opcode Fuzzy Hash: 975653f37b63c58ea9460c578ce5adcec573a43cf7ac574db2421434e0917d41
Instruction Fuzzy Hash: 3C319132A08E4D8BDFA8EF98C8A54B877E1FF64700B1405BAD46AD7595DF25B881C780

Function 00007FFD9A650A04 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2223138647.00007FFD9A650000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9a650000_Ziraat_Bankasi_Swift_Mesaji_TXB04958T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdec6ce822617d173a9976caa64fbf5d3603c739a0a9fb6c776f5792d302444
Instruction ID: d8b4558284d8e84a23cc86f4ed54dd2b5b3619328e81f3023bc2b42bdafaa729
Opcode Fuzzy Hash: 4bdec6ce822617d173a9976caa64fbf5d3603c739a0a9fb6c776f5792d302444
Instruction Fuzzy Hash: 81E0E531A046298ADB65DB48CC81BE9B3B1FB85310F0041E5D54DA3251CA306A848B82

Non-executed Functions

Function 00007FFD9A52A0AD Relevance: 1.4, Strings: 1, Instructions: 144COMMON

Download Yara Rule

Strings

K&S, xrefs: 00007FFD9A52A0CA

Memory Dump Source

Source File: 00000000.00000002.2221695478.00007FFD9A510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9a510000_Ziraat_Bankasi_Swift_Mesaji_TXB04958T.jbxd

Similarity

API ID:
String ID: K&S
API String ID: 0-2043394384
Opcode ID: da99058447e49e410cfb5c99d1e60ad45356073be40e618f35eb79001b550a73
Instruction ID: 308bf0900056923010509bf8526901e407a8cf5edb7364390d88547bc5ba2ead
Opcode Fuzzy Hash: da99058447e49e410cfb5c99d1e60ad45356073be40e618f35eb79001b550a73
Instruction Fuzzy Hash: 1F41022270C2860FD31FAA7888664B67FA5DB5332471982FFD9C7C71E7E918A8078751

Function 00007FFD9A510B40 Relevance: 1.2, Instructions: 1198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2221695478.00007FFD9A510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9a510000_Ziraat_Bankasi_Swift_Mesaji_TXB04958T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73f2f4e228d7d709d9c43dfd17fdbf01bfc7a11ae8347b0979a251e33039d411
Instruction ID: 8d1d7feff82c324207b6a6fdba6b09ed048ec6a2030d4527b51fdff8c556e012
Opcode Fuzzy Hash: 73f2f4e228d7d709d9c43dfd17fdbf01bfc7a11ae8347b0979a251e33039d411
Instruction Fuzzy Hash: D472D271A5C7094BD32D9E488482635B3E1FB86700F645ABDDEEB53642DA34FC2386C6

Function 00007FFD9A513AFF Relevance: .5, Instructions: 467COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2221695478.00007FFD9A510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9a510000_Ziraat_Bankasi_Swift_Mesaji_TXB04958T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9814f683d6d68a6b5a3808c9847b4b482433a4c2f8d8ad0e88906d5c0526f41b
Instruction ID: 4476e623aca744851b9d3957b4d4c1311081e06356e6724c495b06209d59d827
Opcode Fuzzy Hash: 9814f683d6d68a6b5a3808c9847b4b482433a4c2f8d8ad0e88906d5c0526f41b
Instruction Fuzzy Hash: CEF1BF71B182158FE3AEDE98C455179B7E1EF87305F2484BDD09E87192DA39E883CB81

Function 00007FFD9A5157A4 Relevance: .4, Instructions: 389COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2221695478.00007FFD9A510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9a510000_Ziraat_Bankasi_Swift_Mesaji_TXB04958T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a5abf0bdbb5f6c5175489d9304a2398a8e1b4655538dda62a98137fa4746534
Instruction ID: 5e4440c5d0d2adec491d137311b66caed5863a895ecfc0addb95fc34558afdd5
Opcode Fuzzy Hash: 8a5abf0bdbb5f6c5175489d9304a2398a8e1b4655538dda62a98137fa4746534
Instruction Fuzzy Hash: ADC16731A1DAD50FE32E5B7848A19B5BBF1DF4631072846FDC4DBA749BC828E8538784

Function 00007FFD9A527549 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2221695478.00007FFD9A510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9A510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9a510000_Ziraat_Bankasi_Swift_Mesaji_TXB04958T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c21b2322506f25d131fcec71bb4f98423e86aec1e8dd10b8a13efa67a51f53a
Instruction ID: 7e2058b052f801b4ad1d1fb63837662f8a0e983e5784096cd3aec123fb08a3ef
Opcode Fuzzy Hash: 0c21b2322506f25d131fcec71bb4f98423e86aec1e8dd10b8a13efa67a51f53a
Instruction Fuzzy Hash: 8D511432A0D7954FD31F8A784C664A27FE5DB83320B0A82FFC486CB1A7E4585847C3A1

Analysis Process: InstallUtil.exePID: 1344, Parent PID: 1004COMMON

Executed Functions

Function 03050540 Relevance: 3.0, Strings: 2, Instructions: 530COMMON

Download Yara Rule

Strings

8bq, xrefs: 03050925
JCvq, xrefs: 03050851

Memory Dump Source

Source File: 00000004.00000002.1982809388.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3050000_InstallUtil.jbxd

Similarity

API ID:
String ID: 8bq$JCvq
API String ID: 0-3589119749
Opcode ID: 0d0f64993d6109cae35bd49986df4600b6d95ec5a4f0b443d65ba4e0fbda7d10
Instruction ID: 71867f8a6feb2d63afe4eb8b06f79a136374edd0982bd95e52e6bb049f5a09ef
Opcode Fuzzy Hash: 0d0f64993d6109cae35bd49986df4600b6d95ec5a4f0b443d65ba4e0fbda7d10
Instruction Fuzzy Hash: D8518F34B00305DFCB04AB78D958A6E7BE7FB85700F1984A8E409973A5DB75DC4ACB91

Function 03050848 Relevance: 2.7, Strings: 2, Instructions: 176COMMON

Download Yara Rule

Strings

8bq, xrefs: 03050925
JCvq, xrefs: 03050851

Memory Dump Source

Source File: 00000004.00000002.1982809388.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3050000_InstallUtil.jbxd

Similarity

API ID:
String ID: 8bq$JCvq
API String ID: 0-3589119749
Opcode ID: c862261af800086148de4cf5a116dba257724397d73742d275d9d2fe449dbd0d
Instruction ID: a75bf1c3bfeee1b93e4fa5eebae1a0e080ab62a2c48b3a1f9399aecf3b4fa400
Opcode Fuzzy Hash: c862261af800086148de4cf5a116dba257724397d73742d275d9d2fe449dbd0d
Instruction Fuzzy Hash: A951AF34701305DFCB04AB78D858A6EBBE7FB88710F1488A9E409973A5DF76DC468791

Function 03050AA9 Relevance: 2.6, Strings: 2, Instructions: 118COMMON

Download Yara Rule

Strings

Te^q, xrefs: 03050ADD
dLdq, xrefs: 03050AF3

Memory Dump Source

Source File: 00000004.00000002.1982809388.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3050000_InstallUtil.jbxd

Similarity

API ID:
String ID: Te^q$dLdq
API String ID: 0-1027511480
Opcode ID: def9e971dd70a61d0e435079a4816aa18d5b38f91ba40fc441ba2bccf2e2e2b4
Instruction ID: 7627cde78d4798ea4a28613c81b4e8f38f47859beca326eddea17c7bf7603714
Opcode Fuzzy Hash: def9e971dd70a61d0e435079a4816aa18d5b38f91ba40fc441ba2bccf2e2e2b4
Instruction Fuzzy Hash: E0414934B012049FCB14DF69C598A9EBBF6FF89700F1585A9E806EB3A1CA75DC04CB91

Function 03050C39 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1982809388.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3050000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e678b3ee92fc7f276d1baa69e2c97ddabbec18c6b10c412eb11acf6418d7413
Instruction ID: 16b9a700cd62cfe0ea58fe5c20b24a950ecd57fbf38d8c7c63db73303c368be6
Opcode Fuzzy Hash: 7e678b3ee92fc7f276d1baa69e2c97ddabbec18c6b10c412eb11acf6418d7413
Instruction Fuzzy Hash: 55211574A41108DFDB50DB58C599AAEBFF5EF48719F288499F906DB3A1CBB19840CB40

Analysis Process: Trading_AIBot.exePID: 2800, Parent PID: 1344COMMON

Executed Functions

Function 0107767A Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2335066672.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1070000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c6775d050620691b94262a3391c37b087d3d33a319be130262424ee9829e8ce
Instruction ID: 96f95e79e0624fbe8cb2df658dea1bd4f3d5ff5b342fbd68b00c439c7605e88a
Opcode Fuzzy Hash: 0c6775d050620691b94262a3391c37b087d3d33a319be130262424ee9829e8ce
Instruction Fuzzy Hash: FD61E270D01219CFCB15EFA4D994AADBBB2FF49304F608568D4457B3A4DB35A98ACF40

Function 01077688 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2335066672.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1070000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60e7161a7e3e5bed9d723f7a3dbae013c308d53fa7c2cb7c2e212f862bde95d4
Instruction ID: a6a5b7271ae96df680e756e4e2dec086dc8eef7a9c1dcc537545ba806e589dc4
Opcode Fuzzy Hash: 60e7161a7e3e5bed9d723f7a3dbae013c308d53fa7c2cb7c2e212f862bde95d4
Instruction Fuzzy Hash: 3761D170D01219CFCB14EFA4D994AADBBB2FF89304F608569D445BB3A4DB35A989CF40

Function 01077188 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2335066672.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1070000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60a5699668a70797771968e4ad7fc8f9aae5021396641de779c20029aae059fb
Instruction ID: 6dde2d1422a9f9f123576e80265300e9ed8ed35c18a79da9e25f7dc7ec419439
Opcode Fuzzy Hash: 60a5699668a70797771968e4ad7fc8f9aae5021396641de779c20029aae059fb
Instruction Fuzzy Hash: A561C378A40248CFCB44DFA9D998AADBBF2FF49314F109069E905AB365DB30AC45CF14

Function 01077E58 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2335066672.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1070000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8de26c40ebc0494bc1392b03b32a5852e922d71689009de941a97b121795ed2
Instruction ID: b1421a220410be3f75834a77984ef3a387161a96692ae13c5dc4879c287212eb
Opcode Fuzzy Hash: f8de26c40ebc0494bc1392b03b32a5852e922d71689009de941a97b121795ed2
Instruction Fuzzy Hash: CE41BBB0D002489FDB14CFAAC988ADEBFF5AF48300F24842AE459AB254D7349946CF48

Function 01077E60 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2335066672.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1070000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42f31585c90b2e2c6258c9f5ef1e8993e3c704e30b74603fdd5c6c4d709f6193
Instruction ID: 21cc0522a8ffeedcc0c9b391f8eed94eb66019c501e4ba895c626b52243fdd0b
Opcode Fuzzy Hash: 42f31585c90b2e2c6258c9f5ef1e8993e3c704e30b74603fdd5c6c4d709f6193
Instruction Fuzzy Hash: 0A41BCB0D00258DFDB14DFAAC988ADEFBF5AF48310F24802AE459AB254D7349945CF58

Function 010774F2 Relevance: 1.4, Strings: 1, Instructions: 101COMMON

Download Yara Rule

Strings

Jeq, xrefs: 01077611

Memory Dump Source

Source File: 00000009.00000002.2335066672.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1070000_Trading_AIBot.jbxd

Similarity

API ID:
String ID: Jeq
API String ID: 0-1775949608
Opcode ID: a9122ec9b0c9e9463cc4aa7d15a023211a361bb6ab27e7adc3695dcadc918172
Instruction ID: b18155c6cb3c5a4c460db1d0f0870865c5e163a090d1f964b4d5d4e97b72b02f
Opcode Fuzzy Hash: a9122ec9b0c9e9463cc4aa7d15a023211a361bb6ab27e7adc3695dcadc918172
Instruction Fuzzy Hash: AE41F275E002089FDB04DFA9D494AEEBBF2FF89301F108069E515B72A4DB359941CF94

Function 01077500 Relevance: 1.3, Strings: 1, Instructions: 98COMMON

Download Yara Rule

Strings

Jeq, xrefs: 01077611

Memory Dump Source

Source File: 00000009.00000002.2335066672.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1070000_Trading_AIBot.jbxd

Similarity

API ID:
String ID: Jeq
API String ID: 0-1775949608
Opcode ID: 7cc26c59577615c7451428af116650f41e3bd4b2a2cb124dd5acd5e175643ec7
Instruction ID: 48019aa07be75d09efc4fed8852cbc2f7c8fab2aecdb75af16811871b63ccf5d
Opcode Fuzzy Hash: 7cc26c59577615c7451428af116650f41e3bd4b2a2cb124dd5acd5e175643ec7
Instruction Fuzzy Hash: 1841C175E002089FDB04DFA9D594AEEBBF2FF89301F108069E515B72A8DB359941CFA4

Function 01075348 Relevance: .9, Instructions: 941COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2335066672.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1070000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43f1caf2b71a84ba28d4bd6bbb477fc240d3d8ab6273e37e7bb77a20e24e7797
Instruction ID: 30ef9cccb99481e65bb0e8f39df79b887055708564cce167a287343bae1c0241
Opcode Fuzzy Hash: 43f1caf2b71a84ba28d4bd6bbb477fc240d3d8ab6273e37e7bb77a20e24e7797
Instruction Fuzzy Hash: 12B2AF70D012698FCB69EF64C898B9DB7B2BB49304F1085E9D44DAB3A4DB316E85CF44

Function 01075358 Relevance: .9, Instructions: 935COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2335066672.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1070000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93b7f4dfd8a30877fb0a8ed17568e30a039e7a9c2adc3bf09dbfa37d75d52a2f
Instruction ID: 690b2b7f9b4a0a61d0569dffd5cef0ceb1d7600d86b91122ce6db76251f0c8dd
Opcode Fuzzy Hash: 93b7f4dfd8a30877fb0a8ed17568e30a039e7a9c2adc3bf09dbfa37d75d52a2f
Instruction Fuzzy Hash: D8B29F70D012698FCB69EF64C898B9DB7B2BB49304F1085E9D44DAB3A4DB316E85CF44

Function 01070839 Relevance: .6, Instructions: 608COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2335066672.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1070000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 536c0cefb5c79ff327bb5424792c541c16e901d48d3dd50d20cfc10bfe991121
Instruction ID: 90ae7e8350d0c5fc7d28ca187bfcad16aaf0023672022efd91cc68415a79eff7
Opcode Fuzzy Hash: 536c0cefb5c79ff327bb5424792c541c16e901d48d3dd50d20cfc10bfe991121
Instruction Fuzzy Hash: F662AE70901219CFDB64EF68D998BAEBBB2BF49304F1484E9D409A7365DB316E81CF41

Function 01070848 Relevance: .6, Instructions: 601COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2335066672.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1070000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cb6bdfa2e036f1405102c88c876872750663b163120dc8d01b1bb924d3bea4c
Instruction ID: 745f2cc4987dcd6aab02ec9885358331bd8c0673f57f5ce2f3128db22cd8ec4f
Opcode Fuzzy Hash: 0cb6bdfa2e036f1405102c88c876872750663b163120dc8d01b1bb924d3bea4c
Instruction Fuzzy Hash: FD62AE70901219CFCB64EF68D998BAEBBB2BF49304F1484E9D409A7365DB316E81CF41

Function 01077A79 Relevance: .4, Instructions: 416COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2335066672.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1070000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c45099f51bced0b06e4224cdb156289847c2a26e2ccca4ea73e763d411d86b7
Instruction ID: 9cb0ad7c462a204fc9a68f22fb6abc14b352a8e6750049225be7540c5a5132d1
Opcode Fuzzy Hash: 5c45099f51bced0b06e4224cdb156289847c2a26e2ccca4ea73e763d411d86b7
Instruction Fuzzy Hash: 3541EFB0D042889FDB15DFEAD488ADEBFF5AF49300F24846AE444AB261CB349885CF54

Function 01077011 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2335066672.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1070000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 615574c260466d0d65745a5828e185044200b00cbe38f2f5d5132ce7c81dbb56
Instruction ID: 3b9a5a21427b0bf925b635fa962b349b80785d66944cccfea4bf1ef0229cc35f
Opcode Fuzzy Hash: 615574c260466d0d65745a5828e185044200b00cbe38f2f5d5132ce7c81dbb56
Instruction Fuzzy Hash: 7D61E675E00248CFCB44DFA9D998A9DBBB1FF4A314F1181A9E505AB3A5DB30AC05CF54

Function 010767F0 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2335066672.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1070000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bed3c0edf47102396fd835d668f03296901dd97fd1a2fe9cbd42d596bcd0e938
Instruction ID: e105e756b38c91eaa8328ace228934afd48960e21a3ab1699fa958d4ca6975d1
Opcode Fuzzy Hash: bed3c0edf47102396fd835d668f03296901dd97fd1a2fe9cbd42d596bcd0e938
Instruction Fuzzy Hash: 1AB1CD74E012288FEB64DF69C984B9DBBB2BB49304F1085E9D40DA7351DB71AE85CF11

Function 010765C0 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2335066672.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1070000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9aa83d3be69037c7bc49ffc2f31157ca18eb7243ff9090d147c65f981a792b9
Instruction ID: fd6a850ca812f99bdc86f895c187d8fedb988ebca509cfc2830308c1d6bed1ac
Opcode Fuzzy Hash: c9aa83d3be69037c7bc49ffc2f31157ca18eb7243ff9090d147c65f981a792b9
Instruction Fuzzy Hash: 1F41EF78D04248DFDB54DFE8E4986ECBBF5BB09304F10802AE46AAB394EB345946CF54

Function 01077D10 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2335066672.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1070000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b650c6b0e4455fb91668abda2287d7f2f7d16c7648241ed224276b05ddfd1757
Instruction ID: 34a8e6a2b1c1784613e13116fdb7cb0872604d11e3025c30ac37865ba8b2705f
Opcode Fuzzy Hash: b650c6b0e4455fb91668abda2287d7f2f7d16c7648241ed224276b05ddfd1757
Instruction Fuzzy Hash: 3941DEB0D002489FDB14DFEAC588ADEFFF5AF48300F24842AE458AB264DB749985CF54

Function 010773A0 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2335066672.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1070000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2be1e77ddb3e43751f302e0d608cf00b42bbd2339eec2c14117f7b6f4df137c
Instruction ID: 2140374ad6648a1803bf6f3caafb73066ac56c8bf53cb72b38b1a9eab84fc169
Opcode Fuzzy Hash: d2be1e77ddb3e43751f302e0d608cf00b42bbd2339eec2c14117f7b6f4df137c
Instruction Fuzzy Hash: E9310371E012098FCB09DBB4D851AEEBBF2EF89304F1094A9D40577390CB36AD42CB65

Function 010773B0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2335066672.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1070000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f0ce26980008b530378646730330676d2398da52646241062bbff8545c08296
Instruction ID: aeb9cf12f75c3ee43a7b5cc976bbecccf58832345318cb8fc01a5bfbf1c42c58
Opcode Fuzzy Hash: 1f0ce26980008b530378646730330676d2398da52646241062bbff8545c08296
Instruction Fuzzy Hash: 0321F271E0120A8FCB08DBB4D441AEEB7B2AF89300F109469D415B7390DB36AD41CB65

Function 010751F7 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2335066672.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1070000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c51d51902a16b68d92bcb8b3230c7aa4fd41625e20f87bb68f2ae88276959205
Instruction ID: f9401a39bc82a71d42db937dd314167aec2aaaf1c4c9458882c313e9055ab82f
Opcode Fuzzy Hash: c51d51902a16b68d92bcb8b3230c7aa4fd41625e20f87bb68f2ae88276959205
Instruction Fuzzy Hash: 4821BEB1C182598FDB04EFB8D8593EEBFB0EF06301F0448A9D495A3191DB785645CF85

Function 01075238 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2335066672.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1070000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 246b749a1fbadcdccc393bff639786ae59ccce0a48ef80696d2e55a06f87586b
Instruction ID: b17c6d33e153096be7e950c805b03597b37e7e1035055b82ed3fc173617cd808
Opcode Fuzzy Hash: 246b749a1fbadcdccc393bff639786ae59ccce0a48ef80696d2e55a06f87586b
Instruction Fuzzy Hash: 2A014470C142099EDB44EFB8984C7AEBFF4EF06312F1098A9A415A3290DB781684DF95

Function 01076C3E Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2335066672.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1070000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6f7b22b9ad440c9077dad69f75e42626282b3e16fcf0c31d5deb39dbad50ea1
Instruction ID: 3975a01ebb42176bb5e98c7bb524d25f18c5f6227ccd3b26928cb378dd6f6fdf
Opcode Fuzzy Hash: f6f7b22b9ad440c9077dad69f75e42626282b3e16fcf0c31d5deb39dbad50ea1
Instruction Fuzzy Hash: C6F01274D04155DFDB54DFA4E4487BCBFB4EF4A312F1454A6E44AA3260CB31A985CF14

Function 01077499 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2335066672.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1070000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8029e1206e8960c10e836a8bba2b42e5828eacb33f43ca86e19b51ca6b56f17a
Instruction ID: 92839d07611502b5b7853fa1a80ac90d06ef8538b15a0d86dd4e675102da04bc
Opcode Fuzzy Hash: 8029e1206e8960c10e836a8bba2b42e5828eacb33f43ca86e19b51ca6b56f17a
Instruction Fuzzy Hash: DFF065B9915148DFC345EFB8E649B697FB4FB09711F1041E8E94493372DB309942DB50

Function 01076757 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2335066672.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1070000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddedde2ee7b4d090fc6d04d0ca7f684025f85b225a9adf2599fb991fdb7964d3
Instruction ID: ddb2c8ad5ccb112271e096abee4fd487232933db0bdec46fb751c92510fef1dd
Opcode Fuzzy Hash: ddedde2ee7b4d090fc6d04d0ca7f684025f85b225a9adf2599fb991fdb7964d3
Instruction Fuzzy Hash: 24E02B71505188EFC701EFF4EA1A69DBF78DF06200F0040E9E44593252DA312F04D741

Function 010774A8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2335066672.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1070000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0795e39fdf01ccc96365f40f08178875dc3d967509cfae5f8c1482eb23cde044
Instruction ID: c04e8dcfa301c5301902c529f84b1948167879dd261cf545695543401e1d512c
Opcode Fuzzy Hash: 0795e39fdf01ccc96365f40f08178875dc3d967509cfae5f8c1482eb23cde044
Instruction Fuzzy Hash: 6EE01AB8A11208DFC744EFA8E948A59BFB5FB09715F5041A9E808973A1EB30AD45CB90

Function 01076768 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2335066672.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1070000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ef4953f6d93cb70625d8025c89ca1b39cc11d7d239ccef149656232ad20c1ff
Instruction ID: ee2c563ac32ed8b1fa907648a106b842f4eaba3636f0371b1a896cbafd59819f
Opcode Fuzzy Hash: 2ef4953f6d93cb70625d8025c89ca1b39cc11d7d239ccef149656232ad20c1ff
Instruction Fuzzy Hash: 38E08670A01108EFC740EFB8EA0A65DBBB9EF05304F1085A9E50593250DB712F04D781

Function 01077642 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2335066672.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1070000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c95ed240ce97bd408b0f6be350a2909e104d210da2c498abe6d9b9c217a93dd
Instruction ID: 62bcc6f009651c490f55594ffeec2d48a1c6326a74a62130617886b4cef1c0fd
Opcode Fuzzy Hash: 9c95ed240ce97bd408b0f6be350a2909e104d210da2c498abe6d9b9c217a93dd
Instruction Fuzzy Hash: 80D0A7B1D05108ABD7018BF9B80FB757F7CDB06221F845098F54492242DB715010D659

Function 01076D40 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2335066672.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1070000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c14e5fe4a3bfd6421dfea5c2e8770821d4c2d099fed2faf8c9af0a113350562
Instruction ID: 1148a0891d25056d658ef97f62e80ed176af75e83f0528759573306ac760564b
Opcode Fuzzy Hash: 8c14e5fe4a3bfd6421dfea5c2e8770821d4c2d099fed2faf8c9af0a113350562
Instruction Fuzzy Hash: D8D05EA1D182896FD3549BA8B80AB65BF7CEB02216F4402E8E54856142EB655540C6A9

Function 01077650 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2335066672.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1070000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 959e47952551f9ec3921a1d355b79e45cf9df6d788fd63c0dbb824a7c63296ad
Instruction ID: 3aebe8c8747335d2a00cd579008e5e8ddf7b02c7051db30396533ca2a040aaa5
Opcode Fuzzy Hash: 959e47952551f9ec3921a1d355b79e45cf9df6d788fd63c0dbb824a7c63296ad
Instruction Fuzzy Hash: FCC0127090520C9BD3409FB8B809A657E6CDB06225F401198B508522409B715540D699

Function 01076D50 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2335066672.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1070000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6f0a756d5a74e74d426dd6dc9b13ad9a50fe11c21582f891afd2e0bd9acc6e1
Instruction ID: 07e6f9cee1537ed93ca9c3ef5b484d0d7e594d3943f999cddecf96172691e576
Opcode Fuzzy Hash: a6f0a756d5a74e74d426dd6dc9b13ad9a50fe11c21582f891afd2e0bd9acc6e1
Instruction Fuzzy Hash: 14C01270D152099BD3549B98B409A65BE6CDB02311F4011A8F50852140DB715540D6A5

Function 01076DDE Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2335066672.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1070000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c738988e96d8ae6d92d852b1acae436435747f76544c5c04abada83457133aa8
Instruction ID: d244c48bfa71a98f60463d46c506700b5e116100fb1e461625735d03ebc1a081
Opcode Fuzzy Hash: c738988e96d8ae6d92d852b1acae436435747f76544c5c04abada83457133aa8
Instruction Fuzzy Hash: 64A01120E2A82A820220C83028A0830A28880322A2B202AA88888B3200EA03C82080CC

Analysis Process: Microsofts.exePID: 3796, Parent PID: 1344COMMON

Execution Graph

Execution Coverage:	16.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	10%
Total number of Nodes:	40
Total number of Limit Nodes:	5

Executed Functions

Function 02A4C168 Relevance: 2.0, APIs: 1, Instructions: 503
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000A.00000002.3192151435.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2a40000_Microsofts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42731d544aa84343129b5d8e7bbef8d31bdf370b5f415d35a1035362a9e76681
Instruction ID: 2319a93d2306d1ac2f5e1afaa47eb1165007af266ac4243cd5fe73b9dc1cf0fd
Opcode Fuzzy Hash: 42731d544aa84343129b5d8e7bbef8d31bdf370b5f415d35a1035362a9e76681
Instruction Fuzzy Hash: 00221574E012188FCB14DFA8C984B9DBBB2BF88314F1085AAD809AB355DF75D986CF50

Function 02A4C76C Relevance: 1.6, APIs: 1, Instructions: 62
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(00000000), ref: 02A4C8AE

Memory Dump Source

Source File: 0000000A.00000002.3192151435.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2a40000_Microsofts.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2b16801d84d05e5760df626f39f37b4ef41c96e1454a168d4c82f42a75ab1915
Instruction ID: 4c655a54c9e378932f4cdea890c297729de83d3166d36fdf01b84b058986179c
Opcode Fuzzy Hash: 2b16801d84d05e5760df626f39f37b4ef41c96e1454a168d4c82f42a75ab1915
Instruction Fuzzy Hash: 41116D74E021089FDB04DFA8D484AADBBB6FBC8314F549166E908E7242EF30D941CB60

Function 0286D030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3191215774.000000000286D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0286D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_286d000_Microsofts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eeecfd7264803afc6e918c781b7194e9c7ea428046aed3c6fae150d9cd4bf380
Instruction ID: 2a2d109fe056deec35ed07e9a563781bbe0ab9bc5c394ca02ac2d544437d9dbb
Opcode Fuzzy Hash: eeecfd7264803afc6e918c781b7194e9c7ea428046aed3c6fae150d9cd4bf380
Instruction Fuzzy Hash: FF21F279604204DFDB14DF14D988B26BBA5FB88318F24C569D80A8B256C77AD446CA62

Function 0286D007 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3191215774.000000000286D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0286D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_286d000_Microsofts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f96cc6ee52d074bc49d8d7f350a7ad178f31efb36dcd90e1e8fb86eaaddd4ed
Instruction ID: 7ac0e8ceab3e0d4652b62b281adf7cf33c63bd08bb78c0cc0805f181a10917bc
Opcode Fuzzy Hash: 0f96cc6ee52d074bc49d8d7f350a7ad178f31efb36dcd90e1e8fb86eaaddd4ed
Instruction Fuzzy Hash: 49212B7550D3C09FCB038B24D994711BF71AB46214F29C5DBD8898F2A7C37A985ACB62

Analysis Process: powershell.exePID: 7300, Parent PID: 2800COMMON

Execution Graph

Execution Coverage:	5.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 0293B490 Relevance: .3, Instructions: 255
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000B.00000002.2050789975.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2930000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f60d30e3d66ca6a143c2a7a4961aa8b2be3d08f5a9337c843df1b02257a1257f
Instruction ID: a23146e0240358fa4389ca16fc5185b5eb6e3e9f559cdaa42b8e28c0ba142984
Opcode Fuzzy Hash: f60d30e3d66ca6a143c2a7a4961aa8b2be3d08f5a9337c843df1b02257a1257f
Instruction Fuzzy Hash: 479183B1B007149BDB2AEFB4C4156AEB7E3EF84704B00891DD14AAB344DF746E068BC6

Function 0293B4A0 Relevance: .3, Instructions: 252
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000B.00000002.2050789975.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2930000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 054c5066ecd89112780d6e91b03501262602000b620c43bee26b16529715d978
Instruction ID: a701f9aa1d28371b7338772ca6beef675065b77a3593a097b7916a937d93f482
Opcode Fuzzy Hash: 054c5066ecd89112780d6e91b03501262602000b620c43bee26b16529715d978
Instruction Fuzzy Hash: 4D9174B1B006149BDB2AEFB4C4155AFB7E3EF84704B00891DD14AAB340DF746E068BD6

Function 046D2308 Relevance: 44.0, Strings: 34, Instructions: 1532COMMON

Download Yara Rule

Strings

J8l, xrefs: 046D237F
R7l, xrefs: 046D342B
4'^q, xrefs: 046D2EEE
tP^q, xrefs: 046D2D25
4'^q, xrefs: 046D2BE7
4'^q, xrefs: 046D260D
J8l, xrefs: 046D23C5
r7l, xrefs: 046D2559
4'^q, xrefs: 046D31C0
tP^q, xrefs: 046D305C
J8l, xrefs: 046D23D1
r7l, xrefs: 046D254F
$^q, xrefs: 046D2CEC
,S7l, xrefs: 046D3469
,S7l, xrefs: 046D345D
J8l, xrefs: 046D25F6
tP^q, xrefs: 046D2D31
J8l, xrefs: 046D25EA
#'k, xrefs: 046D2BA7
-l, xrefs: 046D2D9D
tP^q, xrefs: 046D3324
J8l, xrefs: 046D259E
tP^q, xrefs: 046D3068
4'^q, xrefs: 046D31B6
-l, xrefs: 046D2D8F
p5'k, xrefs: 046D344F
$^q, xrefs: 046D2CE0
R7l, xrefs: 046D3294
4'^q, xrefs: 046D2619
$'k, xrefs: 046D2EBF
tP^q, xrefs: 046D3330
$^q, xrefs: 046D2CBA
4'^q, xrefs: 046D2EF8
4'^q, xrefs: 046D2BDB

Memory Dump Source

Source File: 0000000B.00000002.2054364991.00000000046D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_46d0000_powershell.jbxd

Similarity

API ID:
String ID: ,S7l$,S7l$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$p5'k$tP^q$tP^q$tP^q$tP^q$tP^q$tP^q$#'k$$'k$$^q$$^q$$^q$J8l$J8l$J8l$J8l$J8l$J8l$R7l$R7l$r7l$r7l$-l$-l
API String ID: 0-160779972
Opcode ID: fcdad3d5bc2a0e8cce73b833499ad5b98abd5dec57fb11aa133e2e5425b1739f
Instruction ID: 054c9e3ee38d7492369715a08d1f2718784dd76ec4dbce4600835e174beed6d8
Opcode Fuzzy Hash: fcdad3d5bc2a0e8cce73b833499ad5b98abd5dec57fb11aa133e2e5425b1739f
Instruction Fuzzy Hash: A4B23935F043458FDB258F68982066ABBE1AF95310F1484EAD945CF351FB35EC86CBA2

Function 046D3CE8 Relevance: 5.6, Strings: 4, Instructions: 579
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'^q, xrefs: 046D418A
4'^q, xrefs: 046D4026
4'^q, xrefs: 046D4180
4'^q, xrefs: 046D4030

Memory Dump Source

Source File: 0000000B.00000002.2054364991.00000000046D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_46d0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q
API String ID: 0-1420252700
Opcode ID: 1f1dd87516ed0493ff9173cc860edbea99c763641a43f2422f7417fb73105cdc
Instruction ID: bdba6ca1cdadbfd5dfe39c9d875fcfda2e9c26d259547eb4410c5af6dcea58f5
Opcode Fuzzy Hash: 1f1dd87516ed0493ff9173cc860edbea99c763641a43f2422f7417fb73105cdc
Instruction Fuzzy Hash: 36124935F042548FC7259B68981166ABBE2AFD5310F1484BAD905CF352FF35EC86CBA2

Function 046D17B8 Relevance: 2.8, Strings: 2, Instructions: 331
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

-l, xrefs: 046D193A
-l, xrefs: 046D192C

Memory Dump Source

Source File: 0000000B.00000002.2054364991.00000000046D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_46d0000_powershell.jbxd

Similarity

API ID:
String ID: -l$-l
API String ID: 0-2639776332
Opcode ID: fd552b27abb0814992eed9e604c889db20f2b5941e50f981808f5b239b30b7ef
Instruction ID: e8a929cb399dfc5e168d72ca98dcb4bbdeaeac7321e81cf75b6f2dbed7d6311c
Opcode Fuzzy Hash: fd552b27abb0814992eed9e604c889db20f2b5941e50f981808f5b239b30b7ef
Instruction Fuzzy Hash: 8AB12331F042099FCB149B69D4006EABBE6AFD6310F18C0BAD545CF356FA71E946CBA1

Function 081D6428 Relevance: 1.5, APIs: 1, Instructions: 48
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadToken.KERNELBASE ref: 081D648A

Memory Dump Source

Source File: 0000000B.00000002.2081479880.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_81d0000_powershell.jbxd

Similarity

API ID: ThreadToken
String ID:
API String ID: 3254676861-0
Opcode ID: e4ac5f290f646bb32f012885f4695a519d77ec5a61a338c12aef09287b1b0529
Instruction ID: 6dac626044296a22672dc0cc293358181d63218ce71cb60f0ba3f2e7dbba5c7a
Opcode Fuzzy Hash: e4ac5f290f646bb32f012885f4695a519d77ec5a61a338c12aef09287b1b0529
Instruction Fuzzy Hash: E011F2B59003088FCB20DF9AD984B9EFBF8EF48324F24841AD458A7311D779A944CFA5

Function 081D6420 Relevance: 1.5, APIs: 1, Instructions: 47
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadToken.KERNELBASE ref: 081D648A

Memory Dump Source

Source File: 0000000B.00000002.2081479880.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_81d0000_powershell.jbxd

Similarity

API ID: ThreadToken
String ID:
API String ID: 3254676861-0
Opcode ID: ba767e1bb2c76eb21b6f9649d6ae49a890bda60ba337c9507dfcb333fd27a05d
Instruction ID: 4048dde7acc503ddbe1a01e486bd59509d097500ae9d821bf2fa8eb0c87971b4
Opcode Fuzzy Hash: ba767e1bb2c76eb21b6f9649d6ae49a890bda60ba337c9507dfcb333fd27a05d
Instruction Fuzzy Hash: C611E0B59003098FCB10DF99D684B9EFBF8AF48324F24881AD559A7311D778A944CFA4

Function 02936FE0 Relevance: 1.4, Strings: 1, Instructions: 114
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(bq, xrefs: 02937105

Memory Dump Source

Source File: 0000000B.00000002.2050789975.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2930000_powershell.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: 5de220cc568b260d4d459bc056aa5e87f984ec95eb1ee68b3a5366a36cd19c1d
Instruction ID: fa318af863e082f22be1568ef0ce44d0ba43b7b0ef94e91a82f013709be3b281
Opcode Fuzzy Hash: 5de220cc568b260d4d459bc056aa5e87f984ec95eb1ee68b3a5366a36cd19c1d
Instruction Fuzzy Hash: 8C417E74B042458FDB15CFA8C468AAEBBF6EF8D315F1544A8E406AB390CB35DD01CB64

Function 0293AFA8 Relevance: 1.3, Strings: 1, Instructions: 79
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(&^q, xrefs: 0293AFCA

Memory Dump Source

Source File: 0000000B.00000002.2050789975.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2930000_powershell.jbxd

Similarity

API ID:
String ID: (&^q
API String ID: 0-2067289071
Opcode ID: 673608370b1f9ecdc7db276e52a13d487c54d4e47537f0470f65f70b709c5444
Instruction ID: f1bd041b27f1d3257aa91559ac9e24ad22dbba8b999ba1f2fee45598e8787131
Opcode Fuzzy Hash: 673608370b1f9ecdc7db276e52a13d487c54d4e47537f0470f65f70b709c5444
Instruction Fuzzy Hash: 8B21BD75A002188FCB15DFAED5547AEBFF6EB88320F24886AD019E7350CB7498058FA5

Function 0293D280 Relevance: 1.3, Strings: 1, Instructions: 75
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

</,l, xrefs: 0293D2D2

Memory Dump Source

Source File: 0000000B.00000002.2050789975.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2930000_powershell.jbxd

Similarity

API ID:
String ID: </,l
API String ID: 0-3583893253
Opcode ID: 2eac63665721635d219ae4ca3bbe1b41393f7971b22a8445681b6ed30e170d0e
Instruction ID: 37b4436c697953fee3080a6b199e8c4ae342a8c08e91b6dfbc70e063913b3e62
Opcode Fuzzy Hash: 2eac63665721635d219ae4ca3bbe1b41393f7971b22a8445681b6ed30e170d0e
Instruction Fuzzy Hash: 2021BDB43007059FCB11DB69D880E5ABBE6EF89318700C56AE449CF325DB39ED45CBA5

Function 0293D290 Relevance: 1.3, Strings: 1, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

</,l, xrefs: 0293D2D2

Memory Dump Source

Source File: 0000000B.00000002.2050789975.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2930000_powershell.jbxd

Similarity

API ID:
String ID: </,l
API String ID: 0-3583893253
Opcode ID: abd79841fac7ca28c2c011b3312c71edcd1c2352c6f8952edc080f29cc662ecc
Instruction ID: cfc48cb7d0eee6c68f0bd3a48fa552176248324a33400d67ccbad57cf6bd7474
Opcode Fuzzy Hash: abd79841fac7ca28c2c011b3312c71edcd1c2352c6f8952edc080f29cc662ecc
Instruction Fuzzy Hash: 50218BB03007059FCB15DF69D984E5ABBE6EF89318B008569E409DF325DB39ED05CBA4

Function 029329F0 Relevance: .2, Instructions: 209
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000B.00000002.2050789975.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2930000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fde58e48758b0b12c3ad660ebab526caecaed5b84c73dd489ecce23ddcba1695
Instruction ID: 7e00f2821da976e52a63fcd00cefec9733d44f085465f17756d439e657b4b00f
Opcode Fuzzy Hash: fde58e48758b0b12c3ad660ebab526caecaed5b84c73dd489ecce23ddcba1695
Instruction Fuzzy Hash: 389159B0A006499FCB16CF59C498AAAFBB1FF48314B248599D815EB3A5C735FC51CFA0

Function 02937740 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2050789975.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2930000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0665d36939596ce83c0446e1a1327f352c73bfbd0895a88e644a97951f54eea9
Instruction ID: bba31826916a2ff49d7c6c1212c54629a5bb327ab4001a7dd4ee892bf3f63a49
Opcode Fuzzy Hash: 0665d36939596ce83c0446e1a1327f352c73bfbd0895a88e644a97951f54eea9
Instruction Fuzzy Hash: 5E51E370300205DFD705DBB9D884A7AB7EAFF88214B158579E409CB352DB35DC02CB90

Function 0293BAD0 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2050789975.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2930000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d6aad910976cbdd3ba6f2bfd3d19f1712595d9d0d8bcd5d0d1532be5a30a44f
Instruction ID: f12226a10c9f7f611f622954750f87dc145775096385cf159d15f11d26f8f123
Opcode Fuzzy Hash: 1d6aad910976cbdd3ba6f2bfd3d19f1712595d9d0d8bcd5d0d1532be5a30a44f
Instruction Fuzzy Hash: 186114B1E00248DFCB15CFA9D594B9DFBF6EF88314F14816AE809AB364EB349945CB50

Function 0293BAC0 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2050789975.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2930000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f75895e6c7e78a76d38fdc8a82fbadca49c5a83477f794582c13b2ca4d33c73
Instruction ID: 6dff57550cfddf120abff79024077d9493b2f21ec0a697d6c3416fd34ba46a80
Opcode Fuzzy Hash: 6f75895e6c7e78a76d38fdc8a82fbadca49c5a83477f794582c13b2ca4d33c73
Instruction Fuzzy Hash: 516147B1E00248DFCB15CFA9D994A9DBBF5FF88314F14806AE809AB364EB349945CB50

Function 046D3CCD Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2054364991.00000000046D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_46d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58ad6dc52802eec9b485c9f0d37228d75eac18cae6579e9935144948d45d428a
Instruction ID: 86052d84bea5087cefb014deb751787bc72fae928a8cfa9b36f591b47fdc6c4f
Opcode Fuzzy Hash: 58ad6dc52802eec9b485c9f0d37228d75eac18cae6579e9935144948d45d428a
Instruction Fuzzy Hash: 2041E130E00204CFDB259F258541A6ABBA2AFA4354B1480A6DD01DF396F735FC85CFA2

Function 02936FB0 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2050789975.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2930000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6edb671667e737556ec9c2df39da938a7cf7079ed8a32099a79a10b577405e3
Instruction ID: cd277d2a0251b1d98493f64db4395c416a72bfbfc6f98f431f28a8bb1bbc2ad1
Opcode Fuzzy Hash: e6edb671667e737556ec9c2df39da938a7cf7079ed8a32099a79a10b577405e3
Instruction Fuzzy Hash: 454191756042458FDB15CFA4C468AEAFBF5EF8D311F145099E842AB3A1CB35DC01CBA1

Function 02932B00 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2050789975.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2930000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8b888ae59eaab93f718740a012208373eeb37f2b9caaa53b7ba0569e2b2836e
Instruction ID: 507386716ffa70a1265a137da1a66eacb175f57655be7e594d284fee9fa4f446
Opcode Fuzzy Hash: c8b888ae59eaab93f718740a012208373eeb37f2b9caaa53b7ba0569e2b2836e
Instruction Fuzzy Hash: 8F4129B4A006059FCB06CF59C598AAEFBB1FF48314B258199D915AB364C736FC51CFA0

Function 0293C398 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2050789975.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2930000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af1e50a866de53c1d3b1b8eb54d2ac6e9c204944323b69bfedb6a7fc7c86e11a
Instruction ID: f785a89836dc8fdc2a51a8ca83acd22f95303d937893ad03e31a0d0f383e8398
Opcode Fuzzy Hash: af1e50a866de53c1d3b1b8eb54d2ac6e9c204944323b69bfedb6a7fc7c86e11a
Instruction Fuzzy Hash: 6D319C313006019FC705EB78E848B9AF7A6EFC4324F008639E60ACB365DF75A845CBA1

Function 0293AE70 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2050789975.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2930000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cc03054f1affbc08e72bc3981e9854211d1d0291d64d9892934768a8050d132
Instruction ID: 99facef7dfa338ab8df5d4c8d80f55981f5a1fb32302419712c8182bc401d56c
Opcode Fuzzy Hash: 3cc03054f1affbc08e72bc3981e9854211d1d0291d64d9892934768a8050d132
Instruction Fuzzy Hash: 9F315AB1A002098FDB09DFA9D5957AEBBF6AF88354F148029E445EB354EB348C41CB51

Function 0293AE80 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2050789975.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2930000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9ef3a5d72a47604fec664361e33f8f6516d631dae4929e9553122f9151a2d7a
Instruction ID: d35a44b966dedc1a95c1fab7638d96d6111e95ac38d9413330511e44447ffef0
Opcode Fuzzy Hash: b9ef3a5d72a47604fec664361e33f8f6516d631dae4929e9553122f9151a2d7a
Instruction Fuzzy Hash: BE314AB0A002099FDB09DFA9D495BAEBBF6AFC9354F148029E405EB354EF348C41CB51

Function 0293AD38 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2050789975.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2930000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a54762f2f9c2f0faee400bf5b0deea5d4e6725e49f5a96aa8355e303e8b4a3d
Instruction ID: 641ff42a9ada176b7b9d15a1948e98a330445c64eacaa92dc69f691909ff8724
Opcode Fuzzy Hash: 1a54762f2f9c2f0faee400bf5b0deea5d4e6725e49f5a96aa8355e303e8b4a3d
Instruction Fuzzy Hash: BB3193B4E002459FDB05EFA4D459ABEBBF2EF84300F1184A9D115AB395DB389E02CF51

Function 029393F8 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2050789975.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2930000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c02183b87d80fe9c13198aa7dfdc1ce416ad83d41d01b900ed02a82591e419fe
Instruction ID: 507778b549932e8e441972fdcfcef8372c89bfd84b349d300b8ee99c3953f0f3
Opcode Fuzzy Hash: c02183b87d80fe9c13198aa7dfdc1ce416ad83d41d01b900ed02a82591e419fe
Instruction Fuzzy Hash: B0319AB59013048EEB60DF6AD4893DAFBF6EB88324F28C46ED84D97205DBB46481CB51

Function 0293E051 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2050789975.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2930000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10ad09b3cba824fc760ef418f4912d2a3b8778d1324d408331e659c7ddeda0a7
Instruction ID: 12a4c56fb176d947b95fe3716f8fd7e3e9e68db0bc59f348a10ab011bb2dc18c
Opcode Fuzzy Hash: 10ad09b3cba824fc760ef418f4912d2a3b8778d1324d408331e659c7ddeda0a7
Instruction Fuzzy Hash: EA314B74A002058FDB18DF68D8986AEBBF2FF88715F148469D406EB3A0DB74AC45CB95

Function 0293E060 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2050789975.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2930000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1a0f0d2f31e8d2a9fbde1e624fcfaed409984001a74cf360c2df56e6f08035c
Instruction ID: c5c7df6125c437f801b7622e8e496553496695694fbc39016e6d828626b7bc3b
Opcode Fuzzy Hash: f1a0f0d2f31e8d2a9fbde1e624fcfaed409984001a74cf360c2df56e6f08035c
Instruction Fuzzy Hash: 16312B70A002058FCB18DF68D89869EBBF6FF88715F148529D406E73A0DB74AC45CBA5

Function 0293AD48 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2050789975.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2930000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88517774de5be97da44687fabfbb11b749ece3fe54361444429853c3d7be7fe5
Instruction ID: e8654a7a176440a10e5334603e43504c4ca47bfddb9ef572c4a32534c8779aa4
Opcode Fuzzy Hash: 88517774de5be97da44687fabfbb11b749ece3fe54361444429853c3d7be7fe5
Instruction Fuzzy Hash: 433161B4E002099FDB04EFA4D459ABEB7F7EF84300F1184A9D215AB395DA799D018F90

Function 046D2700 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2054364991.00000000046D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_46d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dcede51aaa9257b190fc500ef82ad2de4badc4b5d0bd565f95254516ede8bcc
Instruction ID: 8033ef20aae33dda19abbaf8825a1108605e467ccc8d71ff0f687f57f5a40266
Opcode Fuzzy Hash: 7dcede51aaa9257b190fc500ef82ad2de4badc4b5d0bd565f95254516ede8bcc
Instruction Fuzzy Hash: 6B217C35E00205DFDB20CE59C5A4BA5B7E5BB54721F0481E6E9089B350F334F989DBA1

Function 0072F3D8 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2049999722.000000000072D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0072D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_72d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5001bfa10fac37e552276b9b5b73b967fb1c6c22b4e4e76a652b1a1953d36991
Instruction ID: 198d32d8cad8d1dac813cd74f591664b42c9dd7961e6c4c5407b6f4f4a8b57c3
Opcode Fuzzy Hash: 5001bfa10fac37e552276b9b5b73b967fb1c6c22b4e4e76a652b1a1953d36991
Instruction Fuzzy Hash: 4621E072600240EFDB05EF54E9C0B27BBB5FB88314F24C5BDE9094A256C37AD856CBA1

Function 0072F02C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2049999722.000000000072D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0072D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_72d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41985d3fdc6948101e0522c311cde5a23865226fd369f491d3bdd3a1442837b1
Instruction ID: 1c46c991daec39e4725de2726b62d854dddd2d848e686b8c5457d819bcd84e3b
Opcode Fuzzy Hash: 41985d3fdc6948101e0522c311cde5a23865226fd369f491d3bdd3a1442837b1
Instruction Fuzzy Hash: C7213471504244DFCB20DF24E9C0B26BFB5FB84314F20C67DD90A4B256C33AD846CA61

Function 046D197D Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2054364991.00000000046D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_46d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5ff2e8936e9909c5ef34d0e0f6428ac553b8ab52d53d26d9e32d58c230c4a27
Instruction ID: 9225cdd0435584f8a23c0e4f046248fa3803d67dae3a1d2e6a86b2940cc08947
Opcode Fuzzy Hash: e5ff2e8936e9909c5ef34d0e0f6428ac553b8ab52d53d26d9e32d58c230c4a27
Instruction Fuzzy Hash: 5421A170E01206DFDB10CF55C940BEA7BF1EB56350F088266E9049B256F370E946CBA1

Function 02939408 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2050789975.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2930000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebf16df75b10d56e0a004a61515f35e9101d1dee4fcdbcb56d660fed78c35c32
Instruction ID: 47cc572a5120be36736a408c49d1d263a0f5a0b9f22dbdfdb190493cb6169c38
Opcode Fuzzy Hash: ebf16df75b10d56e0a004a61515f35e9101d1dee4fcdbcb56d660fed78c35c32
Instruction Fuzzy Hash: A2217AB49017448FEB61CF6AD08839AFBF6EB88324F28C46ED85D97205D7B46481CB61

Function 0293767C Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2050789975.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2930000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee4b55328b464fc9a3a04c099cd5da5a199ffe8790a5ca752c9dc9359634b1ad
Instruction ID: 78d677b8b52d35515d2aa3496d937863e5d29290bb57473e77c5d7d3c8317129
Opcode Fuzzy Hash: ee4b55328b464fc9a3a04c099cd5da5a199ffe8790a5ca752c9dc9359634b1ad
Instruction Fuzzy Hash: 04111979B001188FCF14DBA8E954AEDB7F6FBCC215B0440A5E509EB724DB35DD118B91

Function 046D1990 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2054364991.00000000046D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_46d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38ab8f0940afedf531ab5a92e49da2bd0930c6f9be87411fd84ba203df2e1b4f
Instruction ID: 4117cfd19dacd2af1e3716c340def39dfb5e870283cf3de69960cc9604e4911b
Opcode Fuzzy Hash: 38ab8f0940afedf531ab5a92e49da2bd0930c6f9be87411fd84ba203df2e1b4f
Instruction Fuzzy Hash: B2118F71F0020ADFDB20CF99C540BEAB7E1AB56311F088266D9089B316F7B0F941CB91

Function 0072F3D3 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2049999722.000000000072D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0072D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_72d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac59097383679d3c36945f3a55f47b1b34a77431d90e23eb4db771cfbaa4427a
Instruction ID: bacc330dff50530cf017d7a53d423b21c3cafa3a8f9034cbc1ec3fcfa72200ae
Opcode Fuzzy Hash: ac59097383679d3c36945f3a55f47b1b34a77431d90e23eb4db771cfbaa4427a
Instruction Fuzzy Hash: EE21CD76504280DFCF06DF50D9C4B16BF72FB88314F24C5A9DD094A256C33AD86ACB91

Function 029379C2 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2050789975.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2930000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a7da11b80dc0215fc43073723ae0a80564a16ebe0c46ff8838261da21a465f1
Instruction ID: 9ab6ace2ba17c965dcbd6490087a8be676fa90d6973712c5dc8803db9242ec4d
Opcode Fuzzy Hash: 7a7da11b80dc0215fc43073723ae0a80564a16ebe0c46ff8838261da21a465f1
Instruction Fuzzy Hash: AE01D4717092545FCB12CBB9E840AFFBFE6DB89321B1006AEE40AD7641DA359D0687A0

Function 0072F027 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2049999722.000000000072D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0072D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_72d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9867b41209b1ae96989907f61c5f808f60e730aab7477091df5884716147213
Instruction ID: ba2f371af64ca70d9e6baae3f05bdbd6395c130f74cccd7745305656ef2f2421
Opcode Fuzzy Hash: e9867b41209b1ae96989907f61c5f808f60e730aab7477091df5884716147213
Instruction Fuzzy Hash: 4411BB75504284CFCB11CF14E5C4B15BFB1FB84328F28C6BAD8094B656C33AD84ACB61

Function 0293BCF0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2050789975.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2930000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 687559ccfe6f87e49eee5b5058e56dff98042292dc19509305db84cbece49f0c
Instruction ID: bd1cf77a15592be1dfd76e854d9b011de8886af07dce511ca7c1928fc8872185
Opcode Fuzzy Hash: 687559ccfe6f87e49eee5b5058e56dff98042292dc19509305db84cbece49f0c
Instruction Fuzzy Hash: B901D2716083849FD729CB75D4A4A997FF5EF45210F1444AEE0AECB6A2CB30EC45C741

Function 0293DEA0 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2050789975.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2930000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a04f17bbe026b7e14072315d3ab501570ed97b16f5446f5672926aad4856259
Instruction ID: 83fc51a149a152da834752ffb2387bf0e5a820624fa6e4ec1b0edd0e99db4fcd
Opcode Fuzzy Hash: 9a04f17bbe026b7e14072315d3ab501570ed97b16f5446f5672926aad4856259
Instruction Fuzzy Hash: C6111B35214750CFC728DF79D050866BBF6EF8931532489ADD48A8B7A0DB36ED45CB50

Function 0293DF28 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2050789975.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2930000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bfc65cd3b6c7f167851c4ddd8fea8933f60635f28976833c95610d737337c9a
Instruction ID: 339d49ff36006a22750846ae19b498710eb5063df8c735c4cde744a714425b2d
Opcode Fuzzy Hash: 8bfc65cd3b6c7f167851c4ddd8fea8933f60635f28976833c95610d737337c9a
Instruction Fuzzy Hash: C9019E35B002188FCB119F75E808AAEBBF5FB88319F00407DE90AD3241DB369911CB90

Function 02937958 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2050789975.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2930000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcdc68bfdc664aec82b1e79664ef092c84be4639d1c08b3df0d21b28522cefb9
Instruction ID: da06f2401a34c4fd45fe378485a69ee0d10e2fc2c46c3cc74092e4bd0253427a
Opcode Fuzzy Hash: bcdc68bfdc664aec82b1e79664ef092c84be4639d1c08b3df0d21b28522cefb9
Instruction Fuzzy Hash: BFF0F63170A2516FC71297A9EC449AFBFEADF89231B04076FE04AD3791CE285D4687B1

Function 0293BF20 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2050789975.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2930000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22b15ed0af60d5cd07bb4f8a8a0fa66de60034fe28e30795dec68684cd38806f
Instruction ID: d282d1c2ca92789c65d43f51a51c1f4e1f0415ae0b3e8e9e3b7b50ea3bfb066b
Opcode Fuzzy Hash: 22b15ed0af60d5cd07bb4f8a8a0fa66de60034fe28e30795dec68684cd38806f
Instruction Fuzzy Hash: 5DF0FF763093642FE7118A6AAC509BBBFEDEB86261704806BF984C7361CA70CD0086A0

Function 0072D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2049999722.000000000072D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0072D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_72d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4ac57b442114648c8af8ededdab1f227fc9087094e9ca230de8e76fdac69926
Instruction ID: c55b242c4a8799931108f3f403858e246dab6a037a06f2e0ea4593fa2a5e379f
Opcode Fuzzy Hash: b4ac57b442114648c8af8ededdab1f227fc9087094e9ca230de8e76fdac69926
Instruction Fuzzy Hash: 9D0126311093149AE7308A6AEEC4B67BF98EF41324F18C42AEC484B2A6C27DDC41C6B1

Function 0072D9A7 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2049999722.000000000072D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0072D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_72d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18c0336fc60053d3f060de3d85e4c12508a980d023baac649aaf10559c2fafe0
Instruction ID: 6d4a9b90f9f03b28cf593ce4a8d3b1b22e904a7c48e42871048a259b690336fe
Opcode Fuzzy Hash: 18c0336fc60053d3f060de3d85e4c12508a980d023baac649aaf10559c2fafe0
Instruction Fuzzy Hash: 52F0F976200614AF97208F0AD985C23FBADEBD4774719C55AE84A4B612C671FC42DEA0

Function 0072D01C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2049999722.000000000072D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0072D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_72d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cda6db77aa326afb4368d5c03b6d6a113bae0287b74496b8a9e34d62092043a6
Instruction ID: 97e42142ab940de42601842c770a11bae4df5b52ccf590e505ac1a462d738b13
Opcode Fuzzy Hash: cda6db77aa326afb4368d5c03b6d6a113bae0287b74496b8a9e34d62092043a6
Instruction Fuzzy Hash: EBF0F072009344AEE7208E1ADDC4B63FFA8EF51338F18C45AED484F296C2799C44CAB0

Function 0293F7C1 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2050789975.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2930000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0236e14a8f1470ad333075861671269c840a2810be5935a13d806e84b252b554
Instruction ID: c5f834f103f3e4312ce20dc3d7d07181ab7bdde68da415927533df96997d0227
Opcode Fuzzy Hash: 0236e14a8f1470ad333075861671269c840a2810be5935a13d806e84b252b554
Instruction Fuzzy Hash: 6001DA75D0074ADBDB59CFE4C9546EDBBB0FF98300F20471AD016A6614EBB41696CB81

Function 029390E0 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2050789975.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2930000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01538916060c402e0896730bfaf83dbc56df5e92e89b140400c6c26e98183ca8
Instruction ID: 67c336e5ec3c3203d43a8e4f0b1e93fa6c8e86d1d5fc313cf9917dc27b2ec91f
Opcode Fuzzy Hash: 01538916060c402e0896730bfaf83dbc56df5e92e89b140400c6c26e98183ca8
Instruction Fuzzy Hash: 33F02BF96002059BE7556F64D0193AB7BA2DFC4318F20806AC54957386CF3E2D02DB91

Function 0293F7D0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2050789975.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2930000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6d94801fa5d41a60623ca4843f5f14905f7a8f44d9765bae5d6aecbed8f1dab
Instruction ID: 891c476b749acd53f2ed77b84e0d1b0582bc2ceb606847d41943917f84d56249
Opcode Fuzzy Hash: a6d94801fa5d41a60623ca4843f5f14905f7a8f44d9765bae5d6aecbed8f1dab
Instruction Fuzzy Hash: E401E471D0074ADBCB14CFE4C9446EDBBB4FF99300F20472AE006A6A00EBB02686CB80

Function 02937968 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2050789975.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2930000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7d082767b3fb94f0df7375db78f6ffdc31eb8b112b50efddc1e1d4fe82a1eba
Instruction ID: 3b1d3fee3bb156b677739445f4a91e8c085c62837d6c35ff6e899e6a3a54d452
Opcode Fuzzy Hash: d7d082767b3fb94f0df7375db78f6ffdc31eb8b112b50efddc1e1d4fe82a1eba
Instruction Fuzzy Hash: F4F0A071B006159FC7119AAAE844A6FB7EAEBCC371B00092DE10ED3340DF34AD4187E4

Function 0072D998 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2049999722.000000000072D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0072D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_72d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c786487d0b7c189f6126fb616b9785a6bb101f6702a2f07e730cba121631d00
Instruction ID: 50f4eedf4e7f9d82de49e70d0af37a25550b204c134bce4b9562940692d9c385
Opcode Fuzzy Hash: 5c786487d0b7c189f6126fb616b9785a6bb101f6702a2f07e730cba121631d00
Instruction Fuzzy Hash: F1F0F975104680AFD725CF06D985D23BBB9EB89724B298499F88A5B312C635FC42CF60

Function 029390F0 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2050789975.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2930000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce9fd01bf208c0296b0a9a586032ac1d0271e95cfdf850ee3a587a01f3617702
Instruction ID: 0e89e165b9d1af30f14bda1a960ffa9fa4a4d1502ba246e07ac9f587ddb32b99
Opcode Fuzzy Hash: ce9fd01bf208c0296b0a9a586032ac1d0271e95cfdf850ee3a587a01f3617702
Instruction Fuzzy Hash: D4F027F16001089BD750AB64D01A3AB77A6DBC0328F20817ED90947385CE3E2902CBE1

Function 02937697 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2050789975.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2930000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c490bf32aeba9f0ca6213338900ae2057ce8b61f18213730bab8699e6bd6a13
Instruction ID: e1223fb4d9d27ecdbdbffc8b2725aabd2d28e0eff511b8c572a9861bb994547f
Opcode Fuzzy Hash: 6c490bf32aeba9f0ca6213338900ae2057ce8b61f18213730bab8699e6bd6a13
Instruction Fuzzy Hash: 99F0A0B97002188FCB20CBAD9950AAABBE6FBCC255B054155E409CB324DB35DC018BD1

Function 0293DE40 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2050789975.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2930000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 604c860eb61bb087592646fbccde3047041d3ed774584958ee530ec9c79e0596
Instruction ID: 01330c3fc97775472ffe79bfda7d5785b513d43a76b2041c387a6d295f54c250
Opcode Fuzzy Hash: 604c860eb61bb087592646fbccde3047041d3ed774584958ee530ec9c79e0596
Instruction Fuzzy Hash: 5CF08C797042018FC3518F2CE4A4965BBFAAF8E61532914DAE485DB332DB71CC12CB50

Function 0293DE50 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2050789975.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2930000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a9330cad59d134f1a6be4a5606e2800b25ff7291c2bb424bcc0102168db18e9
Instruction ID: 3cdb5660ccde97cecb530a68609ca24d34b3421bef17c8ab77586824a5f354da
Opcode Fuzzy Hash: 3a9330cad59d134f1a6be4a5606e2800b25ff7291c2bb424bcc0102168db18e9
Instruction Fuzzy Hash: FFE065353001008F83109B1DE498C2ABBEAEFCEA2531900AAE949CB330CB61EC018B90

Function 02939160 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2050789975.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2930000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eec6f17878f5ca8d2484ff550ba370cde9e9b16f5c271cbdc3074b72a4f6c713
Instruction ID: 64820518e2c5fbb0f24feb4c5b1b0f2510b9293daab84c913ac0de85bf10e2aa
Opcode Fuzzy Hash: eec6f17878f5ca8d2484ff550ba370cde9e9b16f5c271cbdc3074b72a4f6c713
Instruction Fuzzy Hash: F4F082B49013008FE7619FB8D899396BBA4FB04304F00485AD19ED7251DB386881CB51

Function 02938969 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2050789975.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2930000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9248302aa342a09f8d21b6dc6c0fe87747c958b024552bf3807420b1218b5813
Instruction ID: 3d427cc2e4a6a32a993b4eb8f4bc762795e800bc4209eba3fee8fe72caac1ca0
Opcode Fuzzy Hash: 9248302aa342a09f8d21b6dc6c0fe87747c958b024552bf3807420b1218b5813
Instruction Fuzzy Hash: 83F0A0757083914BCB0B2B70A8193AC7B66BB89329F050097D50587282CF3C0D06C796

Function 0293DC90 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2050789975.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2930000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8a3bb95413b4d36b18d7cc92b4d8e04b6c11f82eab0ea4f43cb1cf05a45d78c
Instruction ID: df91e1918611f9576a7bb6731dd668cfeebaebfc8703c72185a0e185c66affa2
Opcode Fuzzy Hash: b8a3bb95413b4d36b18d7cc92b4d8e04b6c11f82eab0ea4f43cb1cf05a45d78c
Instruction Fuzzy Hash: 43E068B16017105BC707572CE9208AF7BDADFC13A1300842AE059C7310CF688D05C3F6

Function 02939549 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2050789975.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2930000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7c6b2d3f77fee8added339eafdc57c27b290798f6fca6bf006f090160232088
Instruction ID: 6354fa72f81e6bb7461e320f84626073ed572c49ff585a774c26d3946bc3ee83
Opcode Fuzzy Hash: a7c6b2d3f77fee8added339eafdc57c27b290798f6fca6bf006f090160232088
Instruction Fuzzy Hash: 28E026E37062120BAF8756B919003B9468FCFC4A6170A12729D15E73C0DF60CC020392

Function 02939170 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2050789975.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2930000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5508f76ed2f054e0d2acce4827d6bd258765348acc870bbc4fb9149ed8c4dd9
Instruction ID: 6a4b431fd213d19100235162c0ad74d068676da43899285fde57e2a16824ffc5
Opcode Fuzzy Hash: c5508f76ed2f054e0d2acce4827d6bd258765348acc870bbc4fb9149ed8c4dd9
Instruction Fuzzy Hash: BFF0ED709003149BD7649FB9D89D79ABBE9FB44314F004469E55ED7240DF396981CB90

Function 0293DCE1 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2050789975.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2930000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7f52f149587f633c9d38e9a7d37ab3741e8831539aa786afc4f1abbfb04dec0
Instruction ID: a55ac1cb82d9b04cd89d28ecf1f3716b2a637d5fbf38a8b971a8ec02b162123e
Opcode Fuzzy Hash: a7f52f149587f633c9d38e9a7d37ab3741e8831539aa786afc4f1abbfb04dec0
Instruction Fuzzy Hash: 72E0DF39B10100A7DF0ACA98D9500E8FFB9EF88610F54C8BED95AA7360DB311917C7A6

Function 02938978 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2050789975.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2930000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d414da8d6e872bd396d4147beb8a265d8d05351958be3acdde851b070367355
Instruction ID: 908eb1019380f73335450d336e8e459a1d44f10d1fc360dbe61f909d492a3ba1
Opcode Fuzzy Hash: 6d414da8d6e872bd396d4147beb8a265d8d05351958be3acdde851b070367355
Instruction Fuzzy Hash: 9DE04F7570465497CB093775A81D3AE7BAAFBC4729F04002AE60A83341CF7D5D12C7D9

Function 02939558 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2050789975.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2930000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dce2df201ff4dc28dddea2cff331d12e55953df1207ef40246ecc0aff1d88fcf
Instruction ID: 7106d9afc8f529794a3dfb955b2d1647f67c6f0769dc43fc401aa1be427d2166
Opcode Fuzzy Hash: dce2df201ff4dc28dddea2cff331d12e55953df1207ef40246ecc0aff1d88fcf
Instruction Fuzzy Hash: E4D05ED370212A1B5E9620AB18007BB92CFCAC5AA070A0076AE05D3241EE80CC0103E1

Function 0293F860 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2050789975.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2930000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf6cc11f077882df92bd12d52e3b55af8683583f7facb0bac95a72a538e8dd48
Instruction ID: 605dba429b600c5c73697cd4ea8a23f6a349e330cb08d7e73890cea701fc5477
Opcode Fuzzy Hash: cf6cc11f077882df92bd12d52e3b55af8683583f7facb0bac95a72a538e8dd48
Instruction Fuzzy Hash: 57F0ED70D052499FC745DFB8C45256ABFF0AF4A210B2485EEC949DB612E6319911CB92

Function 0293DCA0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2050789975.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2930000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20b7cc01646563750eb164ba238fb7e55d7f6d162c05f1084ec572bf67ccb794
Instruction ID: bcf8f1f7b93df9a86ca05fa081a635e8ca7166d6addbd00e754ad5b41d894cef
Opcode Fuzzy Hash: 20b7cc01646563750eb164ba238fb7e55d7f6d162c05f1084ec572bf67ccb794
Instruction Fuzzy Hash: 64E0C2317406144B8326662EA82495FB7DFDFC4671340843EE02AC7300DFA8DD0687E5

Function 0293DCF0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2050789975.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2930000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
Instruction ID: 33820564b7a0d22709b23a9a9f02bc8d934d8e7b68eb2fb9fb8f3a8813e94715
Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
Instruction Fuzzy Hash: D3E08631B00014978B189599D4504E9FBA5DFCC220F04847ED90AA7340DA325916C6E1

Function 0293AF98 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2050789975.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2930000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a17ca2cbe7fb0132d1dd379d4ce26a7d888a7dcbe627b2a35050ced60a38b615
Instruction ID: 7fa640020a559a76d16a3a2e6d54d8e7efd72f4f3167f9efe10734d2224a41d4
Opcode Fuzzy Hash: a17ca2cbe7fb0132d1dd379d4ce26a7d888a7dcbe627b2a35050ced60a38b615
Instruction Fuzzy Hash: 01D02BBEB043521B9F0B915EB8200252F97C7C561431CC4BBD188C7305DF218C020394

Function 02938739 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2050789975.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2930000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17e0dd10054ae10eba768141596d58876f707ec27cc7a9eea72232828bc1cfbe
Instruction ID: 5bf14399c20cc7a6235dd5988da174996375192e20436f930f3e417eabc30c87
Opcode Fuzzy Hash: 17e0dd10054ae10eba768141596d58876f707ec27cc7a9eea72232828bc1cfbe
Instruction Fuzzy Hash: 0CE0867980420ACBCF06DFA0DC4A9FC7FB0FA0431AB004099D09202260DB358946CB85

Function 02938800 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2050789975.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2930000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c62744d2575fcb8439c917c9a86b0fd5cc2dafd0f031c184290dfa0c9a3cf1f
Instruction ID: 0650cdcd38d8d9a56fd5ea3a905df3436f2f634ee19a7a0edeff0888d6d713c9
Opcode Fuzzy Hash: 1c62744d2575fcb8439c917c9a86b0fd5cc2dafd0f031c184290dfa0c9a3cf1f
Instruction Fuzzy Hash: 75E08C3960420B8BDB25CAA0D916C3DBFB1F7413147500684D9E11B3A2CB320C43E74B

Function 02937932 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2050789975.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2930000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03b50a9e53d5b14831c2e6364a12d7a23f83b79a7dda86973fe416ee1fc8d8f7
Instruction ID: 1bbcf6d5fd3e9486506a0ab49dff0048a46f4f227c8cffb4e558add6bdfb92ab
Opcode Fuzzy Hash: 03b50a9e53d5b14831c2e6364a12d7a23f83b79a7dda86973fe416ee1fc8d8f7
Instruction Fuzzy Hash: BDD0A93604A3808FCB074B30F8148C4BF20EB4222872106DFEC0A8B5E3C576854ACB81

Function 0293F870 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2050789975.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2930000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction ID: c8088ffe2bbfb26bd13f7cafba228924c0a2bdfd77e6fe88884b09f4b5467db3
Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction Fuzzy Hash: A2D067B0D052099F8784EFADC94156EFBF4EB58200F6085AA8919E7301E7329A12CBD1

Function 02938748 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2050789975.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2930000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3ef992fb6fc55aabd050d86247dfe3f2fca9c0dbc12f303ec46a24f8c458586
Instruction ID: b3f8af0c968ee14a721a679b1a691bb2d0bf6501f5243f5ac590c08049590560
Opcode Fuzzy Hash: c3ef992fb6fc55aabd050d86247dfe3f2fca9c0dbc12f303ec46a24f8c458586
Instruction Fuzzy Hash: BED067318041098BCB09ABA4E85B5BDBB74FA14315F404169EA1752290EE355A5ACAC5

Function 02938810 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2050789975.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2930000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc3e9fb87f3bca870b95c1fac2dd71af7e05db80c71784bd5b1da4fd71162376
Instruction ID: db7fb65455fe954fc703fabe86b08a71e8c70e3e5dbea908257e0532dd1f238f
Opcode Fuzzy Hash: dc3e9fb87f3bca870b95c1fac2dd71af7e05db80c71784bd5b1da4fd71162376
Instruction Fuzzy Hash: 25D01734A0820A8BCB18EFA4E84A96EBBB4BB44304F008569EA0993350EE305C01CBC1

Function 02937EA0 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2050789975.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2930000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9b0b73dfe53fcb6068bb352a6b1823a2477eb466069f5b489a94e778f813d50
Instruction ID: f30fffec86ff55f911fff7355e95f2a658b8e8a81368daa1e0ee03fd23bc0a7c
Opcode Fuzzy Hash: f9b0b73dfe53fcb6068bb352a6b1823a2477eb466069f5b489a94e778f813d50
Instruction Fuzzy Hash: C5C04C16A093901FFE0757351D661966F714643626B0A56C3DD82878A3C91989068691

Function 02937940 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2050789975.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2930000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c151f12b4208e809c91b1df3c613e00c94ed98efe140f88c96b8f59819d99f5
Instruction ID: 77517ba7aa55612e495eb3708b06e3c1872cd433ff7baf7b52afd153507e7298
Opcode Fuzzy Hash: 9c151f12b4208e809c91b1df3c613e00c94ed98efe140f88c96b8f59819d99f5
Instruction Fuzzy Hash: E5B092310457098FC2496F75E8088147329BB4022978009A8E90E1A2928E3AE899CE85

Non-executed Functions

Function 046D1BE0 Relevance: 20.4, Strings: 16, Instructions: 399COMMON

Download Yara Rule

Strings

tP^q, xrefs: 046D1FEB
J8l, xrefs: 046D20CE
4'^q, xrefs: 046D1C86
845l, xrefs: 046D1F76
r7l, xrefs: 046D1C5D
4'^q, xrefs: 046D1F89
tP^q, xrefs: 046D1FDF
$c*k, xrefs: 046D20B4
J8l, xrefs: 046D20C2
4'^q, xrefs: 046D1C92
r7l, xrefs: 046D1C53
4'^q, xrefs: 046D1F95
J8l, xrefs: 046D2017
J8l, xrefs: 046D200B
J8l, xrefs: 046D1FA1
845l, xrefs: 046D1F6C

Memory Dump Source

Source File: 0000000B.00000002.2054364991.00000000046D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_46d0000_powershell.jbxd

Similarity

API ID:
String ID: $c*k$4'^q$4'^q$4'^q$4'^q$845l$845l$tP^q$tP^q$J8l$J8l$J8l$J8l$J8l$r7l$r7l
API String ID: 0-779142625
Opcode ID: d099fafe30d53c8e25d3ddf344fceddf8592eedacf22b6c05db6378f89cec9a7
Instruction ID: f36aa180801d701a20c5a81645f7fd2f7d2639a15fb9fc42790ff5591520e088
Opcode Fuzzy Hash: d099fafe30d53c8e25d3ddf344fceddf8592eedacf22b6c05db6378f89cec9a7
Instruction Fuzzy Hash: B5D15531F042048FC7259F6894146AABBE6AFD6310F1884BBD515CF356FB72E886C7A1

Function 046D3928 Relevance: 12.8, Strings: 10, Instructions: 320COMMON

Download Yara Rule

Strings

4'^q, xrefs: 046D3B29
tP^q, xrefs: 046D39A5
-l, xrefs: 046D3A0F
$^q, xrefs: 046D396C
-l, xrefs: 046D3A1D
$^q, xrefs: 046D393A
4'^q, xrefs: 046D3B35
$^q, xrefs: 046D3960
$^q, xrefs: 046D3C0E
tP^q, xrefs: 046D39B1

Memory Dump Source

Source File: 0000000B.00000002.2054364991.00000000046D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_46d0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q$$^q$-l$-l
API String ID: 0-2649444500
Opcode ID: 585e16b5760bdbb0defaff4daa88783584b4f771317487e1f0bf1ba6f7b68944
Instruction ID: 1b2974b1e00e762dc42b6461f70f544adda368ec0f665acddb80339f8a5bc643
Opcode Fuzzy Hash: 585e16b5760bdbb0defaff4daa88783584b4f771317487e1f0bf1ba6f7b68944
Instruction Fuzzy Hash: 20A16A31B043488FD7249B29D805766BFE1AFE5710F1884AAE945CF396FA31E8C5C762

Function 046D0FB8 Relevance: 12.7, Strings: 10, Instructions: 184COMMON

Download Yara Rule

Strings

fcq, xrefs: 046D10A2
845l, xrefs: 046D10D4
$^q, xrefs: 046D1253
tP^q, xrefs: 046D1127
`Q^q, xrefs: 046D1153
`Q^q, xrefs: 046D10ED
$^q, xrefs: 046D1065
$^q, xrefs: 046D1044
$^q, xrefs: 046D1229
$^q, xrefs: 046D1081

Memory Dump Source

Source File: 0000000B.00000002.2054364991.00000000046D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_46d0000_powershell.jbxd

Similarity

API ID:
String ID: fcq$845l$`Q^q$`Q^q$tP^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-688136699
Opcode ID: 482edefadca38f206da17a4b01f01bc66d26149b7730bacee0e039c7fe55a03c
Instruction ID: 57d62322716d06abaf0794403154dc07d1a44d1e6e14a9537102eb64e7f74b64
Opcode Fuzzy Hash: 482edefadca38f206da17a4b01f01bc66d26149b7730bacee0e039c7fe55a03c
Instruction Fuzzy Hash: 65618E30E04209DFDB24CE44C944BEAB7F2BB5A351F158055E8019B395EBB6FD85CBA1

Function 046D0488 Relevance: 9.2, Strings: 7, Instructions: 495COMMON

Download Yara Rule

Strings

r7l, xrefs: 046D092B
4'^q, xrefs: 046D0962
4'^q, xrefs: 046D096E
4'^q, xrefs: 046D05F6
fcq, xrefs: 046D094B
4'^q, xrefs: 046D05EC
r7l, xrefs: 046D0935

Memory Dump Source

Source File: 0000000B.00000002.2054364991.00000000046D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_46d0000_powershell.jbxd

Similarity

API ID:
String ID: fcq$4'^q$4'^q$4'^q$4'^q$r7l$r7l
API String ID: 0-1063080805
Opcode ID: 7347ec3682b1e7bb4c4ce6d036ac70ae8055afb886cbc71461950514306f5234
Instruction ID: 07dcbfb6624a28ce5c983446cee96fedd246824e9b25a4fcaa844eb2765c7ceb
Opcode Fuzzy Hash: 7347ec3682b1e7bb4c4ce6d036ac70ae8055afb886cbc71461950514306f5234
Instruction Fuzzy Hash: 40F15931F043548FD7259B689810B6ABBA2AFD6318F14C4BAD545CF352EA31EC46CBA1

Function 046D3678 Relevance: 8.9, Strings: 7, Instructions: 189COMMON

Download Yara Rule

Strings

4'^q, xrefs: 046D372E
$^q, xrefs: 046D37FF
$^q, xrefs: 046D3836
$^q, xrefs: 046D382A
-l, xrefs: 046D387B
-l, xrefs: 046D386D
4'^q, xrefs: 046D3722

Memory Dump Source

Source File: 0000000B.00000002.2054364991.00000000046D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_46d0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q$$^q$-l$-l
API String ID: 0-1144043643
Opcode ID: 077f0734f2926956204e46460172aef78076c398424ef8fd969b217188dc5c51
Instruction ID: c8fb845b180dafcfd241471c09144e469923f08741f1363941b3d8ee0fda7f8b
Opcode Fuzzy Hash: 077f0734f2926956204e46460172aef78076c398424ef8fd969b217188dc5c51
Instruction Fuzzy Hash: 4B516635F043059FC7244A698800666BBB6AFD5710F2484BAD845CB351FB35E8C6CBA3

Function 02937A21 Relevance: 6.5, Strings: 5, Instructions: 245COMMON

Download Yara Rule

Strings

tM7l, xrefs: 02937AD4
`_q, xrefs: 02937C44
`_q, xrefs: 02937CC2
`_q, xrefs: 02937BA2
`_q, xrefs: 02937B23

Memory Dump Source

Source File: 0000000B.00000002.2050789975.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2930000_powershell.jbxd

Similarity

API ID:
String ID: tM7l$`_q$`_q$`_q$`_q
API String ID: 0-3828439082
Opcode ID: e6fcdce5db1fe1312fdb160204c1b0702b57940054177f61e43957fef2a1b4bc
Instruction ID: fa6a3393b8e73b50ca300c988c11059e10dd658eb25c5d0d0df3d64f48660c2a
Opcode Fuzzy Hash: e6fcdce5db1fe1312fdb160204c1b0702b57940054177f61e43957fef2a1b4bc
Instruction Fuzzy Hash: A3B1A374E002199FCB55DFA9D980A9EFBF2FF48300F108629E819AB315DB74A945CF90

Function 02937220 Relevance: 6.5, Strings: 5, Instructions: 235COMMON

Download Yara Rule

Strings

tM7l, xrefs: 02937AD4
`_q, xrefs: 02937C44
`_q, xrefs: 02937CC2
`_q, xrefs: 02937BA2
`_q, xrefs: 02937B23

Memory Dump Source

Source File: 0000000B.00000002.2050789975.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2930000_powershell.jbxd

Similarity

API ID:
String ID: tM7l$`_q$`_q$`_q$`_q
API String ID: 0-3828439082
Opcode ID: 05e615a96676f18ea867082b738fd88a26ee54d139bacc323d91d5f7578b3782
Instruction ID: b008e438b436c063d206d5442cd50a565308ed976cf32016b64a78e79bacee60
Opcode Fuzzy Hash: 05e615a96676f18ea867082b738fd88a26ee54d139bacc323d91d5f7578b3782
Instruction Fuzzy Hash: 2BB19374E002199FDB55DFA9D980A9DFBF2FF88300F108629E419AB315EB74A945CF90

Function 02937A30 Relevance: 6.5, Strings: 5, Instructions: 234COMMON

Download Yara Rule

Strings

tM7l, xrefs: 02937AD4
`_q, xrefs: 02937C44
`_q, xrefs: 02937CC2
`_q, xrefs: 02937BA2
`_q, xrefs: 02937B23

Memory Dump Source

Source File: 0000000B.00000002.2050789975.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2930000_powershell.jbxd

Similarity

API ID:
String ID: tM7l$`_q$`_q$`_q$`_q
API String ID: 0-3828439082
Opcode ID: ced30199f74ec0daf7f0767ca13530e355674053d01165301a6840003b586348
Instruction ID: b18ba278262b1e21ca11728f4b701cd86bfbbdd73d4b5b4423eb4e16581f4b72
Opcode Fuzzy Hash: ced30199f74ec0daf7f0767ca13530e355674053d01165301a6840003b586348
Instruction Fuzzy Hash: 04B19574E002199FCB55DFA9D980A9EFBF2FF48300F108629E419AB315DB74A945CF90

Function 046D1EF0 Relevance: 6.3, Strings: 5, Instructions: 87COMMON

Download Yara Rule

Strings

tP^q, xrefs: 046D1FDF
J8l, xrefs: 046D200B
J8l, xrefs: 046D1FA1
845l, xrefs: 046D1F6C
4'^q, xrefs: 046D1F89

Memory Dump Source

Source File: 0000000B.00000002.2054364991.00000000046D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_46d0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$845l$tP^q$J8l$J8l
API String ID: 0-3093194727
Opcode ID: 52a3754433106b19dad7ab700300fbcb9b052ba1c793d42444ecf586a148514a
Instruction ID: 00f3f44fc0a5915c2e7e7200202199ad6ec0d939205d414a26fe25d539eed1f7
Opcode Fuzzy Hash: 52a3754433106b19dad7ab700300fbcb9b052ba1c793d42444ecf586a148514a
Instruction Fuzzy Hash: 8D21EE71F00201DFDB288E408451BA6BBE2AFA6710F1880A6D9045F351F3B2F882CBA1

Function 046D1EF8 Relevance: 6.3, Strings: 5, Instructions: 81COMMON

Download Yara Rule

Strings

tP^q, xrefs: 046D1FDF
J8l, xrefs: 046D200B
J8l, xrefs: 046D1FA1
845l, xrefs: 046D1F6C
4'^q, xrefs: 046D1F89

Memory Dump Source

Source File: 0000000B.00000002.2054364991.00000000046D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_46d0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$845l$tP^q$J8l$J8l
API String ID: 0-3093194727
Opcode ID: 8ff452f400838085c148a5e53867299c6ec57b5826641791c7f6274b55539491
Instruction ID: 8030f6650f0ab55c5b1980a965d6d5d1a9be67a4fa71e3e7ebd1e0ee237c037d
Opcode Fuzzy Hash: 8ff452f400838085c148a5e53867299c6ec57b5826641791c7f6274b55539491
Instruction Fuzzy Hash: E721DE75F00205DFDB288E44C555BA6FBE2AFA6710F1880A6D9145F351F3B6F881CBA1

Function 046D0309 Relevance: 6.3, Strings: 5, Instructions: 44COMMON

Download Yara Rule

Strings

T, xrefs: 046D0320
4'^q, xrefs: 046D0373
$^q, xrefs: 046D0352
4'^q, xrefs: 046D037F
$^q, xrefs: 046D035E

Memory Dump Source

Source File: 0000000B.00000002.2054364991.00000000046D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_46d0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$T$$^q$$^q
API String ID: 0-443512503
Opcode ID: 35ef7c98f036d0c495ae79eab5aaa6cc9ca7a73f7f2deca059eeb9d551f848d5
Instruction ID: 60a8b72743749eda6e22ad774da13563f253d3d0598d674020f0d5cd4e603430
Opcode Fuzzy Hash: 35ef7c98f036d0c495ae79eab5aaa6cc9ca7a73f7f2deca059eeb9d551f848d5
Instruction Fuzzy Hash: 0501DB20B093958FC72B16281C241956FB25FC2908F1E44E7D141DF397DE199D4E87A7

Function 046D5798 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$^q, xrefs: 046D5800
$^q, xrefs: 046D57C6
$^q, xrefs: 046D57F4
$^q, xrefs: 046D57AA

Memory Dump Source

Source File: 0000000B.00000002.2054364991.00000000046D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_46d0000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: e158be90093fad695eb1328cac26a15b9497c4257bdbb1ceef53b6b344999b94
Instruction ID: d4957410d6f62358a177b7845b26f40fccce512585c15d196d9f3cea1c22d7ff
Opcode Fuzzy Hash: e158be90093fad695eb1328cac26a15b9497c4257bdbb1ceef53b6b344999b94
Instruction Fuzzy Hash: 6B214731F00365ABDB38593A9841B27B7D6ABD0711F24883AE50BCF785FD36E8418365

Function 046D2109 Relevance: 5.0, Strings: 4, Instructions: 44COMMON

Download Yara Rule

Strings

J8l, xrefs: 046D214A
$^q, xrefs: 046D2166
$^q, xrefs: 046D2172
J8l, xrefs: 046D2156

Memory Dump Source

Source File: 0000000B.00000002.2054364991.00000000046D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_46d0000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q$J8l$J8l
API String ID: 0-1806373838
Opcode ID: 439b6861c2364bdebef65134f1630378055f58f7a1ddb94103c6f85686ff1436
Instruction ID: c68c1f2b50cd1a0aa3e70d4755e13cbae1ae635155be6bcaf49e8f6bdb66f430
Opcode Fuzzy Hash: 439b6861c2364bdebef65134f1630378055f58f7a1ddb94103c6f85686ff1436
Instruction Fuzzy Hash: D101DF31E0A3848FC32247684C301567FB66FD6A0071984E7C680DF36BEA299C0AC3A6

Analysis Process: apihost.exePID: 7884, Parent PID: 2800COMMON

Execution Graph

Execution Coverage:	10.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	401
Total number of Limit Nodes:	33

Executed Functions

Function 059F16C0 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 157
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserCallbackDispatcher.NTDLL(00000037,00000000,00000000,03604164,026AFF60,?,00000000,?,00000000,00000000), ref: 059F1877

Strings

Hbq, xrefs: 059F1760

Memory Dump Source

Source File: 00000010.00000002.3205222910.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_59f0000_apihost.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID: Hbq
API String ID: 2492992576-1245868
Opcode ID: a7f4b55345f5161e26a8ff5786b8ba9f87ef6d6b1c3091b8cd94543a344d33da
Instruction ID: 6d863e146ed34f61388dd383e78c86f2dd1a47fa81620c710ca43deee146c850
Opcode Fuzzy Hash: a7f4b55345f5161e26a8ff5786b8ba9f87ef6d6b1c3091b8cd94543a344d33da
Instruction Fuzzy Hash: 39518E347046208FD718EB29D554B2E77BABFC5A14F1584AAE50ACB3A5CF74EC02DB90

Function 04B2D418 Relevance: 1.7, APIs: 1, Instructions: 199
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 04B2D67E

Memory Dump Source

Source File: 00000010.00000002.3197604869.0000000004B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4b20000_apihost.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: ae6f30a339d744d0c9892843388a9858dc9b5cdfad41906a893b8bb3802200ab
Instruction ID: 21d1325f14afda6ad2908c616046fd81b8c109f09e09d84c99767f85b8dc947d
Opcode Fuzzy Hash: ae6f30a339d744d0c9892843388a9858dc9b5cdfad41906a893b8bb3802200ab
Instruction Fuzzy Hash: 0D815470A00B158FD724DF2AD15479ABBF5FF88304F008A6ED49A97A50DB74F949CB90

Function 059F1B40 Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 059F3F82

Memory Dump Source

Source File: 00000010.00000002.3205222910.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_59f0000_apihost.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 6021d89f3922bd708bd228c5c107b718fa9099f714c7be5740f61d4fd0e6535d
Instruction ID: ef6ac8be1172d0214e785cc28b7c3ebc1cae8ee4a03d0c634cba6a21d7a5c4b8
Opcode Fuzzy Hash: 6021d89f3922bd708bd228c5c107b718fa9099f714c7be5740f61d4fd0e6535d
Instruction Fuzzy Hash: F351D2B1D00349EFDB14CFA9C884ADEBBB5FF48310F24852AE919AB210D7759981CF90

Function 059F3E64 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 059F3F82

Memory Dump Source

Source File: 00000010.00000002.3205222910.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_59f0000_apihost.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 1f28ffe179bc6e22104181c81bb7100e5cb8759555ffd0a5dab2dfafd0c40ba6
Instruction ID: 4ed1d15280cd252b3bb8c70b5a2fbd6018c50cf5fbb0f27a0d8dbaaa9f8ab592
Opcode Fuzzy Hash: 1f28ffe179bc6e22104181c81bb7100e5cb8759555ffd0a5dab2dfafd0c40ba6
Instruction Fuzzy Hash: 0C51F0B1D00349EFDB14CFA9C884ADDFBB5BF88300F24852AE919AB250D7749981CF90

Function 059F1C94 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 059F6671

Memory Dump Source

Source File: 00000010.00000002.3205222910.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_59f0000_apihost.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: a7c9ce04288f8a7cfeea9d98a5696ac85e8e2cd9dfd01e81227dc81113d37e13
Instruction ID: 7b6f23529d3c0e87eab6403a044dfaa00d08b2e1278e692991bec25be0d0197b
Opcode Fuzzy Hash: a7c9ce04288f8a7cfeea9d98a5696ac85e8e2cd9dfd01e81227dc81113d37e13
Instruction Fuzzy Hash: 4F4116B5A00309CFDB14CF99C488AAABBF5FF88314F24C499D519AB321D775A841CFA4

Function 059FF898 Relevance: 1.6, APIs: 1, Instructions: 87
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?), ref: 059FF967

Memory Dump Source

Source File: 00000010.00000002.3205222910.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_59f0000_apihost.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: d7d9f03745298ec2b5688581c7989dd886d67f27e24e5afad2ea66628eef9aca
Instruction ID: 842c63b92559b8d8253b5bf0006e4d8e39ba042bffcc452acec362d18ee30fe8
Opcode Fuzzy Hash: d7d9f03745298ec2b5688581c7989dd886d67f27e24e5afad2ea66628eef9aca
Instruction Fuzzy Hash: 8D31C071905388DFCB12CFA9D844ADEBFF4FF49310F18809AE654AB262C3359854CBA5

Function 04B2E1A0 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,04B2FCD6,?,?,?,?,?), ref: 04B2FD97

Memory Dump Source

Source File: 00000010.00000002.3197604869.0000000004B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4b20000_apihost.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: b7575a7aef7bf2434c6956a11f05a35b632449b468ab7f2310c9d3c2f1716470
Instruction ID: 451da719bf850277da336f02f3f114ebbed0e67d42023e81737b57b5ee4e95e6
Opcode Fuzzy Hash: b7575a7aef7bf2434c6956a11f05a35b632449b468ab7f2310c9d3c2f1716470
Instruction Fuzzy Hash: 1C21E4B5900259EFDB10CFAAD584AEEFFF4EB48310F14845AE918A7310D374A950DFA5

Function 04B2FD09 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,04B2FCD6,?,?,?,?,?), ref: 04B2FD97

Memory Dump Source

Source File: 00000010.00000002.3197604869.0000000004B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4b20000_apihost.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 3995280d5d9632aa8045b3fe6dcb9ff0ec1bd835c124ba65b37ec697f5dd6616
Instruction ID: be53cc7a2f86319bb8e08ffcecce0d8408b16d5a25b00c3835121eb823a1d88c
Opcode Fuzzy Hash: 3995280d5d9632aa8045b3fe6dcb9ff0ec1bd835c124ba65b37ec697f5dd6616
Instruction Fuzzy Hash: 1C21E3B5900258AFDB10CFAAD584ADEFFF8EB48320F14845AE958A7250C374A944DFA5

Function 059FD520 Relevance: 1.6, APIs: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowTextW.USER32(?,00000000), ref: 059FD592

Memory Dump Source

Source File: 00000010.00000002.3205222910.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_59f0000_apihost.jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: 429223e24d2b61c660f42a051648c65b64e01cb4f3b4e9f0007b57744406b4ce
Instruction ID: e0cb96bff554e5bab170c514825b56136249511ec47d7d6f4e6d08c89b490b57
Opcode Fuzzy Hash: 429223e24d2b61c660f42a051648c65b64e01cb4f3b4e9f0007b57744406b4ce
Instruction Fuzzy Hash: 1B2133B28003498FDB10CF9AC444BDEBBF4EB88324F14802AD968A7250D338A645CFA5

Function 059FD528 Relevance: 1.6, APIs: 1, Instructions: 53
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowTextW.USER32(?,00000000), ref: 059FD592

Memory Dump Source

Source File: 00000010.00000002.3205222910.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_59f0000_apihost.jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: 45ba523f87d2e2ec1ecb905031c5d91eff72bfdfe1ea508423bb91fc9fe8c94d
Instruction ID: 21ac0e693aed88e78fba77841cfa780254ceba029b6b15488f4248ebaea991fe
Opcode Fuzzy Hash: 45ba523f87d2e2ec1ecb905031c5d91eff72bfdfe1ea508423bb91fc9fe8c94d
Instruction Fuzzy Hash: 4D1112B2C003498FDB10CF9AC444BDEFBF8EB88324F14842AD869A7250D378A545CFA5

Function 059FF8F8 Relevance: 1.6, APIs: 1, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?), ref: 059FF967

Memory Dump Source

Source File: 00000010.00000002.3205222910.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_59f0000_apihost.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: d94ef0e8686c41db86701ad07a116c81984379a0806f1eac824c683b885a88c0
Instruction ID: 81a819f5d06a42e0ccde88906fda1f3ad4b02ef9e76cdecc83969c22edb24d2b
Opcode Fuzzy Hash: d94ef0e8686c41db86701ad07a116c81984379a0806f1eac824c683b885a88c0
Instruction Fuzzy Hash: BE1149B1800359DFDB10CFAAD844BDEBFF8EB48320F14841AE554A7210C375A990CFA4

Function 04B2D618 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 04B2D67E

Memory Dump Source

Source File: 00000010.00000002.3197604869.0000000004B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4b20000_apihost.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 0bcf384056a12600eddb89f21bd8fc1d43a9bc5ca164d538d33a7eb6401daf36
Instruction ID: 20b00a1ed34bcf83a9f8a1a4aa3377f8d57b6d53cffcc1bcc4fd93e97586fcb5
Opcode Fuzzy Hash: 0bcf384056a12600eddb89f21bd8fc1d43a9bc5ca164d538d33a7eb6401daf36
Instruction Fuzzy Hash: 111110B6C003598FCB10CF9AC544BDEFBF8EB88324F14846AD418A7210C379A645CFA5

Function 059FE460 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?,?,?,?,?,00000000,?,?), ref: 059FFCCD

Memory Dump Source

Source File: 00000010.00000002.3205222910.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_59f0000_apihost.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 21ef2c351bfd21f3c8736b97e55e320624db670c6ecabdcd1bae7606f29e09a8
Instruction ID: f10a46aff1a6c20ae9d2a31f9d5a597e32278694a63f1898db7d90677aefb930
Opcode Fuzzy Hash: 21ef2c351bfd21f3c8736b97e55e320624db670c6ecabdcd1bae7606f29e09a8
Instruction Fuzzy Hash: 621122B5800358DFDB10DF9AC448BDEBBF8EB48324F10845AE918A7200C374A980CFA4

Function 059FFC68 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?,?,?,?,?,00000000,?,?), ref: 059FFCCD

Memory Dump Source

Source File: 00000010.00000002.3205222910.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_59f0000_apihost.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 28e136f0bfd17270511e09b3190cdc6fa30e7b227508dd0c492eb8c1a0214ce6
Instruction ID: 4402641149a709dc7064669456e51040863a34354f2c08f9a82c995afbf3bce3
Opcode Fuzzy Hash: 28e136f0bfd17270511e09b3190cdc6fa30e7b227508dd0c492eb8c1a0214ce6
Instruction Fuzzy Hash: 251122B58003589FCB10DF99D485BDEBFF8FB48324F14841AD958A7200C378A580CFA1

Function 059F1B7C Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,FFFFFFF4,?), ref: 059F4115

Memory Dump Source

Source File: 00000010.00000002.3205222910.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_59f0000_apihost.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 305946d0b96ca12fc11784c727ce52bb2301995b73f26b29a072ea893cd23358
Instruction ID: 3ee91b32744736921f552902671ff65f270dc18c76038d6ed31e89f6dba37f72
Opcode Fuzzy Hash: 305946d0b96ca12fc11784c727ce52bb2301995b73f26b29a072ea893cd23358
Instruction Fuzzy Hash: 631136B5900348DFDB20DF99C545BDEBBF8EB58324F10845AD918A7300C374A944CFA5

Function 059F40B1 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,FFFFFFF4,?), ref: 059F4115

Memory Dump Source

Source File: 00000010.00000002.3205222910.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_59f0000_apihost.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 246a0273435d52b0a639128c7026d43d168cecaaf99c4cf07d558c27b7eb7e1f
Instruction ID: f9993f6c5cfd29372885e4efce3b255bf921c1b960a528b0e89a94378657e3d7
Opcode Fuzzy Hash: 246a0273435d52b0a639128c7026d43d168cecaaf99c4cf07d558c27b7eb7e1f
Instruction Fuzzy Hash: 161115B5900248DFDB10DF99D585BDEFBF8EB98324F20845AD958A7300D378A944CFA5

Function 05B621B0 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 05B6319D

Memory Dump Source

Source File: 00000010.00000002.3206166984.0000000005B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_5b60000_apihost.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 592d5c7bbd8384d62c0bb00d403dddbf42c8c6e0b54e01758ca5609692304a12
Instruction ID: 5446a23ed5fcdd453d552cba3727769acc89be6b32b585324706046f82d76c07
Opcode Fuzzy Hash: 592d5c7bbd8384d62c0bb00d403dddbf42c8c6e0b54e01758ca5609692304a12
Instruction Fuzzy Hash: 851142B1900348CFDB20DF9AD448BDEBBF4EB48320F208899E519A7210C378A944CFA4

Function 05B63140 Relevance: 1.5, APIs: 1, Instructions: 45comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 05B6319D

Memory Dump Source

Source File: 00000010.00000002.3206166984.0000000005B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_5b60000_apihost.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: adbe7940690107667c156c1514b5063611506e75a8fa3e867e68880245f15807
Instruction ID: 589f4bac7533877f8f8cdf4729589f12d7eaff53a4b8bc1f4e6fc95c8510b250
Opcode Fuzzy Hash: adbe7940690107667c156c1514b5063611506e75a8fa3e867e68880245f15807
Instruction Fuzzy Hash: B61142B19002488FCB20DFAAD488BCEFFF4EB48320F24885AD559A7250C378A544CFA4

Function 059FD5D0 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

SetWindowTextW.USER32(?,00000000), ref: 059FD592

Memory Dump Source

Source File: 00000010.00000002.3205222910.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_59f0000_apihost.jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: afa6e28a38a04854609ebd4dcb5c5a67d526db51deb0a8faadf5bfe4d14aee9c
Instruction ID: 43891fe2d3bb67ca6bc41aa29427329814154204ff2211d119e2641fc13fe592
Opcode Fuzzy Hash: afa6e28a38a04854609ebd4dcb5c5a67d526db51deb0a8faadf5bfe4d14aee9c
Instruction Fuzzy Hash: B0018CB29007058FEB10DF49C408BEEBBF4EB99329F248059E194A6251D338A549DF21

Function 0244D618 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3189787981.000000000244D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0244D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_244d000_apihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63ba0395c05b19de35b7ad1cbbea199e70536bc35dcf9cfab5b637af2b1b97ac
Instruction ID: 052d7555c809d6d870c3d6a14af84df17ae523a9618ec48eaf6fe22222e3b2a0
Opcode Fuzzy Hash: 63ba0395c05b19de35b7ad1cbbea199e70536bc35dcf9cfab5b637af2b1b97ac
Instruction Fuzzy Hash: 2A212271900200DFEB05DF14DAC0B2BBF65FB98B14F20816AE80E4B35ACB36D456CBA1

Function 0245D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3190107592.000000000245D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0245D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_245d000_apihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fc5ba9a1c0f10c42bc204a2fa9c6737ee833a369af285be066449d719041fd2
Instruction ID: 15dfb6fc25d9074184ac8f469337d057dd13812bf851e0c9bddc3712eaddd438
Opcode Fuzzy Hash: 5fc5ba9a1c0f10c42bc204a2fa9c6737ee833a369af285be066449d719041fd2
Instruction Fuzzy Hash: 2721F271A04200DFDB14DF14D9C4B26BBA5EF84B18F20C56ADD8A4B357C33AD447CA61

Function 0245D005 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3190107592.000000000245D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0245D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_245d000_apihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaf7223398e2644f6ec235229510abdc32e32ba3a50a3f4759d1739de75ea5d6
Instruction ID: 976cf76fa32ff7e4fbe08fdaaf6b40a09e18760c509b14c28ca2c394b98633d8
Opcode Fuzzy Hash: aaf7223398e2644f6ec235229510abdc32e32ba3a50a3f4759d1739de75ea5d6
Instruction Fuzzy Hash: 5C217475508380DFDB06CF14D594716BF71EF46214F24C5DAD8894F2A7C33A9806CB62

Function 0244D006 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3189787981.000000000244D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0244D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_244d000_apihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 250a619e2b3009f50bb3ca728ce95248fce129f22bb28bdaf0a0de7d7eb1e981
Instruction ID: 2bc1944be9f0fcfdafea31f5260407ba738739488fdfeb818285220a5e982d19
Opcode Fuzzy Hash: 250a619e2b3009f50bb3ca728ce95248fce129f22bb28bdaf0a0de7d7eb1e981
Instruction Fuzzy Hash: 7011AA2150E3C08FE7578B3588A4351BF70AF43224F1E84DBD988CF1A7C6695849CB62

Function 0244D613 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3189787981.000000000244D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0244D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_244d000_apihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: f27eef7926958c7da0f18651b7fbb48ee4c459ab7d03a932a19b01a24268ac6d
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 3D11AF76904280CFDB16CF14D5C4B16BF61FB94714F24C5AAD8090B656C336D45ACBA1

Function 0244D07D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3189787981.000000000244D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0244D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_244d000_apihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62b3a6e9291b70bc662109ea69ee982acf789df48676ce636d6384cb2709bb34
Instruction ID: 38b4a9cc10f7da45f9c3cc6abd4b35273ee59a2337aa8fa0a0288293b88a4699
Opcode Fuzzy Hash: 62b3a6e9291b70bc662109ea69ee982acf789df48676ce636d6384cb2709bb34
Instruction Fuzzy Hash: 6D018431409344DAF7105A25C984767BF98EF41628F18C56BED094B296CB79A882CA71

Function 0244D07C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3189787981.000000000244D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0244D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_244d000_apihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39a699db857d14e6f63762324af6ab89569f3c902f0d382985c2db2bbf06f38a
Instruction ID: 530bda529500a262183e7bbf67ffed2b762dd5ca37e9b329111d02884a09f2c5
Opcode Fuzzy Hash: 39a699db857d14e6f63762324af6ab89569f3c902f0d382985c2db2bbf06f38a
Instruction Fuzzy Hash: FAF06271405344DAF7108A16DC84B63FFA8EF41638F18C45AED484B296C779A845CAB1

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: MassLogger

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Exploits

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Ziraat_Bankasi_S_d0689f373fee26512ceb5c5541da33c5d5750_5a9513ef_e6184385-f165-4f2e-80ac-ac0e77459ee6\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2C3F.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3009.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3113.tmp.xml

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\installutil.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\Microsofts.exe

C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3mbxkor0.xjt.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5ewehvka.qzs.ps1

Windows Analysis Report
Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre