Edit tour

Windows Analysis Report
2510-hamil siparis formu.exe

Overview

General Information

Sample name:	2510-hamil siparis formu.exe
Analysis ID:	1634241
MD5:	2cf5dfe798dd70a1dce3d25276c37c9c
SHA1:	de92ebfc7338fd568ab65def19bbf24594326b99
SHA256:	dc02668e7a6cb50d282035edd013e20165cb3b75e1eee8411df902548811f4d2
Tags:	exegeoSnakeKeyloggerTURuser-abuse_ch
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Snake Keylogger

Binary is likely a compiled AutoIt script file

Joe Sandbox ML detected suspicious sample

Maps a DLL or memory area into another process

Sample uses string decryption to hide its real strings

Switches to a custom stack to bypass stack traces

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Abnormal high CPU Usage

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

2510-hamil siparis formu.exe (PID: 7032 cmdline: "C:\Users\user\Desktop\2510-hamil siparis formu.exe" MD5: 2CF5DFE798DD70A1DCE3D25276C37C9C)

RegSvcs.exe (PID: 7080 cmdline: "C:\Users\user\Desktop\2510-hamil siparis formu.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7592856228:AAGPsEsqfkbwJN3hxZVu8_ln89aZYCFj1Pg/sendMessage?chat_id=7688249613", "Token": "7592856228:AAGPsEsqfkbwJN3hxZVu8_ln89aZYCFj1Pg", "Chat_id": "7688249613", "Version": "5.1"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.3354697892.0000000002A3B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000001.00000002.3352952277.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.3352952277.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000001.00000002.3352952277.0000000000402000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x148d8:$a1: get_encryptedPassword 0x14bc4:$a2: get_encryptedUsername 0x146e4:$a3: get_timePasswordChanged 0x147df:$a4: get_passwordField 0x148ee:$a5: set_encryptedPassword 0x15f82:$a7: get_logins 0x15ee5:$a10: KeyLoggerEventArgs 0x15b50:$a11: KeyLoggerEventArgsEventHandler
00000001.00000002.3352952277.0000000000402000.00000040.80000000.00040000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x198b0:$x1: $%SMTPDV$ 0x18294:$x2: $#TheHashHere%& 0x19858:$x3: %FTPDV$ 0x18234:$x4: $%TelegramDv$ 0x15b50:$x5: KeyLoggerEventArgs 0x15ee5:$x5: KeyLoggerEventArgs 0x1987c:$m2: Clipboard Logs ID 0x19aba:$m2: Screenshot Logs ID 0x19bca:$m2: keystroke Logs ID 0x19ea4:$m3: SnakePW 0x19a92:$m4: \SnakeKeylogger\
00000000.00000002.905588694.0000000000EE0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.905588694.0000000000EE0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.905588694.0000000000EE0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14ad8:$a1: get_encryptedPassword 0x14dc4:$a2: get_encryptedUsername 0x148e4:$a3: get_timePasswordChanged 0x149df:$a4: get_passwordField 0x14aee:$a5: set_encryptedPassword 0x16182:$a7: get_logins 0x160e5:$a10: KeyLoggerEventArgs 0x15d50:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.905588694.0000000000EE0000.00000004.00001000.00020000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c466:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b698:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bacb:$a4: \Orbitum\User Data\Default\Login Data 0x1cb0a:$a5: \Kometa\User Data\Default\Login Data
00000000.00000002.905588694.0000000000EE0000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x156cd:$s1: UnHook 0x156d4:$s2: SetHook 0x156dc:$s3: CallNextHook 0x156e9:$s4: _hook
00000000.00000002.905588694.0000000000EE0000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19ab0:$x1: $%SMTPDV$ 0x18494:$x2: $#TheHashHere%& 0x19a58:$x3: %FTPDV$ 0x18434:$x4: $%TelegramDv$ 0x15d50:$x5: KeyLoggerEventArgs 0x160e5:$x5: KeyLoggerEventArgs 0x19a7c:$m2: Clipboard Logs ID 0x19cba:$m2: Screenshot Logs ID 0x19dca:$m2: keystroke Logs ID 0x1a0a4:$m3: SnakePW 0x19c92:$m4: \SnakeKeylogger\
00000001.00000002.3354697892.0000000002871000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: 2510-hamil siparis formu.exe PID: 7032	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 2510-hamil siparis formu.exe PID: 7032	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: 2510-hamil siparis formu.exe PID: 7032	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x20bb40:$a1: get_encryptedPassword 0x20be22:$a2: get_encryptedUsername 0x20b956:$a3: get_timePasswordChanged 0x20ba51:$a4: get_passwordField 0x20bb56:$a5: set_encryptedPassword 0x20e032:$a7: get_logins 0x20df95:$a10: KeyLoggerEventArgs 0x20dc00:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: 2510-hamil siparis formu.exe PID: 7032	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x20dc00:$x5: KeyLoggerEventArgs 0x20df95:$x5: KeyLoggerEventArgs 0x20e7e3:$x5: KeyLoggerEventArgs 0x20eb44:$x5: KeyLoggerEventArgs 0x2101c1:$m2: Clipboard Logs ID 0x2102c7:$m2: Screenshot Logs ID 0x21031d:$m2: keystroke Logs ID 0x210452:$m3: SnakePW 0x2102b3:$m4: \SnakeKeylogger\
Process Memory Space: RegSvcs.exe PID: 7080	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 7080	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: RegSvcs.exe PID: 7080	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x5bd89:$a1: get_encryptedPassword 0x5c06b:$a2: get_encryptedUsername 0x5bb9f:$a3: get_timePasswordChanged 0x5bc9a:$a4: get_passwordField 0x5bd9f:$a5: set_encryptedPassword 0x5e27b:$a7: get_logins 0x5e1de:$a10: KeyLoggerEventArgs 0x5de49:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: RegSvcs.exe PID: 7080	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x5de49:$x5: KeyLoggerEventArgs 0x5e1de:$x5: KeyLoggerEventArgs 0x5ea2c:$x5: KeyLoggerEventArgs 0x5ed8d:$x5: KeyLoggerEventArgs 0x6040a:$m2: Clipboard Logs ID 0x60510:$m2: Screenshot Logs ID 0x60566:$m2: keystroke Logs ID 0x6069b:$m3: SnakePW 0x604fc:$m4: \SnakeKeylogger\
Click to see the 15 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.2510-hamil siparis formu.exe.ee0000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.2510-hamil siparis formu.exe.ee0000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.2510-hamil siparis formu.exe.ee0000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12cd8:$a1: get_encryptedPassword 0x12fc4:$a2: get_encryptedUsername 0x12ae4:$a3: get_timePasswordChanged 0x12bdf:$a4: get_passwordField 0x12cee:$a5: set_encryptedPassword 0x14382:$a7: get_logins 0x142e5:$a10: KeyLoggerEventArgs 0x13f50:$a11: KeyLoggerEventArgsEventHandler
0.2.2510-hamil siparis formu.exe.ee0000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a666:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x19898:$a3: \Google\Chrome\User Data\Default\Login Data 0x19ccb:$a4: \Orbitum\User Data\Default\Login Data 0x1ad0a:$a5: \Kometa\User Data\Default\Login Data
0.2.2510-hamil siparis formu.exe.ee0000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x138cd:$s1: UnHook 0x138d4:$s2: SetHook 0x138dc:$s3: CallNextHook 0x138e9:$s4: _hook
0.2.2510-hamil siparis formu.exe.ee0000.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17cb0:$x1: $%SMTPDV$ 0x16694:$x2: $#TheHashHere%& 0x17c58:$x3: %FTPDV$ 0x16634:$x4: $%TelegramDv$ 0x13f50:$x5: KeyLoggerEventArgs 0x142e5:$x5: KeyLoggerEventArgs 0x17c7c:$m2: Clipboard Logs ID 0x17eba:$m2: Screenshot Logs ID 0x17fca:$m2: keystroke Logs ID 0x182a4:$m3: SnakePW 0x17e92:$m4: \SnakeKeylogger\
1.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
1.2.RegSvcs.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14ad8:$a1: get_encryptedPassword 0x14dc4:$a2: get_encryptedUsername 0x148e4:$a3: get_timePasswordChanged 0x149df:$a4: get_passwordField 0x14aee:$a5: set_encryptedPassword 0x16182:$a7: get_logins 0x160e5:$a10: KeyLoggerEventArgs 0x15d50:$a11: KeyLoggerEventArgsEventHandler
1.2.RegSvcs.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c466:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b698:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bacb:$a4: \Orbitum\User Data\Default\Login Data 0x1cb0a:$a5: \Kometa\User Data\Default\Login Data
1.2.RegSvcs.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x156cd:$s1: UnHook 0x156d4:$s2: SetHook 0x156dc:$s3: CallNextHook 0x156e9:$s4: _hook
1.2.RegSvcs.exe.400000.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19ab0:$x1: $%SMTPDV$ 0x18494:$x2: $#TheHashHere%& 0x19a58:$x3: %FTPDV$ 0x18434:$x4: $%TelegramDv$ 0x15d50:$x5: KeyLoggerEventArgs 0x160e5:$x5: KeyLoggerEventArgs 0x19a7c:$m2: Clipboard Logs ID 0x19cba:$m2: Screenshot Logs ID 0x19dca:$m2: keystroke Logs ID 0x1a0a4:$m3: SnakePW 0x19c92:$m4: \SnakeKeylogger\
0.2.2510-hamil siparis formu.exe.ee0000.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.2510-hamil siparis formu.exe.ee0000.0.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.2510-hamil siparis formu.exe.ee0000.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14ad8:$a1: get_encryptedPassword 0x14dc4:$a2: get_encryptedUsername 0x148e4:$a3: get_timePasswordChanged 0x149df:$a4: get_passwordField 0x14aee:$a5: set_encryptedPassword 0x16182:$a7: get_logins 0x160e5:$a10: KeyLoggerEventArgs 0x15d50:$a11: KeyLoggerEventArgsEventHandler
0.2.2510-hamil siparis formu.exe.ee0000.0.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c466:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b698:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bacb:$a4: \Orbitum\User Data\Default\Login Data 0x1cb0a:$a5: \Kometa\User Data\Default\Login Data
0.2.2510-hamil siparis formu.exe.ee0000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x156cd:$s1: UnHook 0x156d4:$s2: SetHook 0x156dc:$s3: CallNextHook 0x156e9:$s4: _hook
0.2.2510-hamil siparis formu.exe.ee0000.0.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19ab0:$x1: $%SMTPDV$ 0x18494:$x2: $#TheHashHere%& 0x19a58:$x3: %FTPDV$ 0x18434:$x4: $%TelegramDv$ 0x15d50:$x5: KeyLoggerEventArgs 0x160e5:$x5: KeyLoggerEventArgs 0x19a7c:$m2: Clipboard Logs ID 0x19cba:$m2: Screenshot Logs ID 0x19dca:$m2: keystroke Logs ID 0x1a0a4:$m3: SnakePW 0x19c92:$m4: \SnakeKeylogger\
Click to see the 13 entries

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-10T21:07:58.620153+0100	2803305	3	Unknown Traffic	192.168.2.7	49683	104.21.80.1	443	TCP
2025-03-10T21:08:10.319180+0100	2803305	3	Unknown Traffic	192.168.2.7	49692	104.21.80.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-10T21:07:53.838421+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49681	193.122.6.168	80	TCP
2025-03-10T21:07:56.525944+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49681	193.122.6.168	80	TCP
2025-03-10T21:07:59.463450+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49684	193.122.6.168	80	TCP
2025-03-10T21:08:02.403403+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49686	193.122.6.168	80	TCP
2025-03-10T21:08:05.260283+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49688	193.122.6.168	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 2510-hamil siparis formu.exe

Avira: detected

Found malware configuration

Source: 00000001.00000002.3354697892.0000000002871000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7592856228:AAGPsEsqfkbwJN3hxZVu8_ln89aZYCFj1Pg/sendMessage?chat_id=7688249613", "Token": "7592856228:AAGPsEsqfkbwJN3hxZVu8_ln89aZYCFj1Pg", "Chat_id": "7688249613", "Version": "5.1"}

Multi AV Scanner detection for submitted file

Source: 2510-hamil siparis formu.exe	ReversingLabs: Detection: 55%
Source: 2510-hamil siparis formu.exe	Virustotal: Detection: 43%			Perma Link

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: 1.2.RegSvcs.exe.400000.0.unpack	String decryptor:
Source: 1.2.RegSvcs.exe.400000.0.unpack	String decryptor: 7592856228:AAGPsEsqfkbwJN3hxZVu8_ln89aZYCFj1Pg
Source: 1.2.RegSvcs.exe.400000.0.unpack	String decryptor: 7688249613

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: 2510-hamil siparis formu.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.7:49682 version: TLS 1.0

Source:	Binary string: wntdll.pdbUGP source: 2510-hamil siparis formu.exe, 00000000.00000003.899936626.0000000003800000.00000004.00001000.00020000.00000000.sdmp, 2510-hamil siparis formu.exe, 00000000.00000003.900198277.0000000003660000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: 2510-hamil siparis formu.exe, 00000000.00000003.899936626.0000000003800000.00000004.00001000.00020000.00000000.sdmp, 2510-hamil siparis formu.exe, 00000000.00000003.900198277.0000000003660000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe	Code function: 0_2_00F7445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00F7445A
Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe	Code function: 0_2_00F7C6D1 FindFirstFileW,FindClose,	0_2_00F7C6D1
Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe	Code function: 0_2_00F7C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00F7C75C
Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe	Code function: 0_2_00F7EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00F7EF95
Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe	Code function: 0_2_00F7F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00F7F0F2
Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe	Code function: 0_2_00F7F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00F7F3F3
Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe	Code function: 0_2_00F737EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00F737EF
Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe	Code function: 0_2_00F73B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00F73B12
Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe	Code function: 0_2_00F7BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00F7BCBC

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0280F1F6h	1_2_0280F007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0280FB80h	1_2_0280F007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	1_2_0280E528
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	1_2_0280EB5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	1_2_0280ED3C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 062C8D4Dh	1_2_062C8A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 062C5CC9h	1_2_062C5A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 062C6121h	1_2_062C5E78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	1_2_062C3AD6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 062C6579h	1_2_062C62D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 062C69D1h	1_2_062C6728
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	1_2_062C37B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 062C6E29h	1_2_062C6B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	1_2_062C37C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 062C7281h	1_2_062C6FD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 062C02E9h	1_2_062C0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 062C7702h	1_2_062C7458
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 062C7B59h	1_2_062C78B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 062C0741h	1_2_062C0498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 062C0B99h	1_2_062C08F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 062C7FB1h	1_2_062C7D08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 062C8409h	1_2_062C8160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 062C0FF1h	1_2_062C0D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 062C5849h	1_2_062C55A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 062C8861h	1_2_062C85B8

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 193.122.6.168 193.122.6.168
Source: Joe Sandbox View	IP Address: 104.21.80.1 104.21.80.1
Source: Joe Sandbox View	IP Address: 104.21.80.1 104.21.80.1

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49684 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49686 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49688 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49681 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49683 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49692 -> 104.21.80.1:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.7:49682 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe

Code function: 0_2_00F822EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_00F822EE

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: RegSvcs.exe, 00000001.00000002.3354697892.0000000002A1F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3354697892.00000000029D6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3354697892.0000000002A2D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3354697892.0000000002935000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3354697892.00000000029C8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3354697892.00000000029F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3354697892.00000000029E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: RegSvcs.exe, 00000001.00000002.3354697892.0000000002A1F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3354697892.00000000029D6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3354697892.0000000002A2D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3354697892.00000000029FF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3354697892.0000000002935000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3354697892.00000000029C8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3354697892.0000000002929000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3354697892.0000000002978000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3354697892.00000000029F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3354697892.00000000029E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000001.00000002.3354697892.0000000002871000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: 2510-hamil siparis formu.exe, 00000000.00000002.905588694.0000000000EE0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3352952277.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000001.00000002.3354697892.0000000002A1F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3354697892.00000000029D6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3354697892.0000000002A2D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3354697892.00000000029C8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3354697892.000000000294D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3354697892.00000000029F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3354697892.00000000029E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: RegSvcs.exe, 00000001.00000002.3354697892.0000000002871000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000001.00000002.3354697892.0000000002A1F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3354697892.00000000029D6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3354697892.0000000002A2D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3354697892.0000000002935000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3354697892.00000000029C8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3354697892.0000000002978000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3354697892.00000000029F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3354697892.00000000029E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: 2510-hamil siparis formu.exe, 00000000.00000002.905588694.0000000000EE0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3354697892.0000000002935000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3352952277.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 00000001.00000002.3354697892.00000000029E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: RegSvcs.exe, 00000001.00000002.3354697892.0000000002A1F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3354697892.00000000029D6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3354697892.0000000002A2D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3354697892.00000000029C8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3354697892.0000000002978000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3354697892.00000000029F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3354697892.00000000029E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49689
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49687
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49685
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49683
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49682
Source: unknown	Network traffic detected: HTTP traffic on port 49697 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49692
Source: unknown	Network traffic detected: HTTP traffic on port 49692 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49685 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49683 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49689 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49687 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49682 -> 443

Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe

Code function: 0_2_00F84164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00F84164

Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe

Code function: 0_2_00F84164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00F84164

Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe

Code function: 0_2_00F83F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00F83F66

Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe

Code function: 0_2_00F7001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00F7001C

Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe

Code function: 0_2_00F9CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00F9CABC

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.2510-hamil siparis formu.exe.ee0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.2510-hamil siparis formu.exe.ee0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.2510-hamil siparis formu.exe.ee0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.2510-hamil siparis formu.exe.ee0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.2510-hamil siparis formu.exe.ee0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.2510-hamil siparis formu.exe.ee0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.2510-hamil siparis formu.exe.ee0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.2510-hamil siparis formu.exe.ee0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000001.00000002.3352952277.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000001.00000002.3352952277.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.905588694.0000000000EE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.905588694.0000000000EE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000000.00000002.905588694.0000000000EE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000000.00000002.905588694.0000000000EE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: 2510-hamil siparis formu.exe PID: 7032, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: 2510-hamil siparis formu.exe PID: 7032, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: RegSvcs.exe PID: 7080, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 7080, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00F13B3A
Source: 2510-hamil siparis formu.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: 2510-hamil siparis formu.exe, 00000000.00000002.905706940.0000000000FC4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_81f633b9-e
Source: 2510-hamil siparis formu.exe, 00000000.00000002.905706940.0000000000FC4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_5841d872-9
Source: 2510-hamil siparis formu.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_c719bac9-9
Source: 2510-hamil siparis formu.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_a24e022b-7

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe

Code function: 0_2_00F7A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_00F7A1EF

Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe

Code function: 0_2_00F68310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00F68310

Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe

Code function: 0_2_00F751BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00F751BD

Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe	Code function: 0_2_00F1E6A0	0_2_00F1E6A0
Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe	Code function: 0_2_00F3D975	0_2_00F3D975
Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe	Code function: 0_2_00F1FCE0	0_2_00F1FCE0
Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe	Code function: 0_2_00F321C5	0_2_00F321C5
Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe	Code function: 0_2_00F462D2	0_2_00F462D2
Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe	Code function: 0_2_00F903DA	0_2_00F903DA
Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe	Code function: 0_2_00F4242E	0_2_00F4242E
Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe	Code function: 0_2_00F325FA	0_2_00F325FA
Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe	Code function: 0_2_00F266E1	0_2_00F266E1
Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe	Code function: 0_2_00F6E616	0_2_00F6E616
Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe	Code function: 0_2_00F4878F	0_2_00F4878F
Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe	Code function: 0_2_00F78889	0_2_00F78889
Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe	Code function: 0_2_00F90857	0_2_00F90857
Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe	Code function: 0_2_00F46844	0_2_00F46844
Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe	Code function: 0_2_00F28808	0_2_00F28808
Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe	Code function: 0_2_00F3CB21	0_2_00F3CB21
Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe	Code function: 0_2_00F46DB6	0_2_00F46DB6
Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe	Code function: 0_2_00F26F9E	0_2_00F26F9E
Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe	Code function: 0_2_00F23030	0_2_00F23030
Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe	Code function: 0_2_00F3F1D9	0_2_00F3F1D9
Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe	Code function: 0_2_00F33187	0_2_00F33187
Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe	Code function: 0_2_00F11287	0_2_00F11287
Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe	Code function: 0_2_00F31484	0_2_00F31484
Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe	Code function: 0_2_00F25520	0_2_00F25520
Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe	Code function: 0_2_00F37696	0_2_00F37696
Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe	Code function: 0_2_00F25760	0_2_00F25760
Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe	Code function: 0_2_00F31978	0_2_00F31978
Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe	Code function: 0_2_00F49AB5	0_2_00F49AB5
Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe	Code function: 0_2_00F97DDB	0_2_00F97DDB
Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe	Code function: 0_2_00F3BDA6	0_2_00F3BDA6
Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe	Code function: 0_2_00F31D90	0_2_00F31D90
Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe	Code function: 0_2_00F23FE0	0_2_00F23FE0
Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe	Code function: 0_2_00F1DF00	0_2_00F1DF00
Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe	Code function: 0_2_01150760	0_2_01150760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0280B328	1_2_0280B328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0280F007	1_2_0280F007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0280C190	1_2_0280C190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_02806108	1_2_02806108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0280C751	1_2_0280C751
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0280C470	1_2_0280C470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_02804AD9	1_2_02804AD9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0280CA31	1_2_0280CA31
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0280BBD3	1_2_0280BBD3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_02806880	1_2_02806880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_02809858	1_2_02809858
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0280BEB0	1_2_0280BEB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0280B4F3	1_2_0280B4F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0280E517	1_2_0280E517
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0280E528	1_2_0280E528
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_02803570	1_2_02803570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_062C8A10	1_2_062C8A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_062CAA60	1_2_062CAA60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_062CD678	1_2_062CD678
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_062CB6F0	1_2_062CB6F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_062CC390	1_2_062CC390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_062CD030	1_2_062CD030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_062CA410	1_2_062CA410
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_062C9059	1_2_062C9059
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_062CB0A8	1_2_062CB0A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_062CBD40	1_2_062CBD40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_062C11A0	1_2_062C11A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_062CC9E0	1_2_062CC9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_062C5A20	1_2_062C5A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_062C8A04	1_2_062C8A04
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_062C5A12	1_2_062C5A12
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_062C5E68	1_2_062C5E68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_062CD66A	1_2_062CD66A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_062C5E78	1_2_062C5E78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_062CAA50	1_2_062CAA50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_062CB6E1	1_2_062CB6E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_062C62C0	1_2_062C62C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_062C62D0	1_2_062C62D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_062C6728	1_2_062C6728
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_062C3B38	1_2_062C3B38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_062C671A	1_2_062C671A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_062C6B72	1_2_062C6B72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_062C37B0	1_2_062C37B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_062C6B80	1_2_062C6B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_062CC380	1_2_062CC380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_062C6FC9	1_2_062C6FC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_062C37C0	1_2_062C37C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_062C6FD8	1_2_062C6FD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_062C2C20	1_2_062C2C20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_062CD020	1_2_062CD020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_062C4838	1_2_062C4838
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_062C2C0F	1_2_062C2C0F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_062C0006	1_2_062C0006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_062CA400	1_2_062CA400
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_062C7448	1_2_062C7448
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_062C0040	1_2_062C0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_062C7458	1_2_062C7458
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_062C78B0	1_2_062C78B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_062C0488	1_2_062C0488
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_062C789F	1_2_062C789F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_062C0498	1_2_062C0498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_062CB098	1_2_062CB098
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_062C08E0	1_2_062C08E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_062C7CF8	1_2_062C7CF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_062C08F0	1_2_062C08F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_062C0D39	1_2_062C0D39
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_062CBD30	1_2_062CBD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_062C7D08	1_2_062C7D08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_062C8160	1_2_062C8160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_062C0D48	1_2_062C0D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_062C8150	1_2_062C8150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_062C85A8	1_2_062C85A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_062C55A0	1_2_062C55A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_062C85B8	1_2_062C85B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_062C1191	1_2_062C1191
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_062C5592	1_2_062C5592
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_062CC9D0	1_2_062CC9D0

Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe	Code function: String function: 00F30AE3 appears 70 times
Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe	Code function: String function: 00F38900 appears 42 times
Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe	Code function: String function: 00F17DE1 appears 35 times

Source: 2510-hamil siparis formu.exe, 00000000.00000003.902253584.00000000037B3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 2510-hamil siparis formu.exe
Source: 2510-hamil siparis formu.exe, 00000000.00000003.903281084.000000000395D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 2510-hamil siparis formu.exe
Source: 2510-hamil siparis formu.exe, 00000000.00000002.905588694.0000000000EE0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs 2510-hamil siparis formu.exe

Source: 2510-hamil siparis formu.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 0.2.2510-hamil siparis formu.exe.ee0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.2510-hamil siparis formu.exe.ee0000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.2510-hamil siparis formu.exe.ee0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.2510-hamil siparis formu.exe.ee0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.2510-hamil siparis formu.exe.ee0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.2510-hamil siparis formu.exe.ee0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.2510-hamil siparis formu.exe.ee0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.2510-hamil siparis formu.exe.ee0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000001.00000002.3352952277.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000001.00000002.3352952277.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.905588694.0000000000EE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.905588694.0000000000EE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.905588694.0000000000EE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000000.00000002.905588694.0000000000EE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: 2510-hamil siparis formu.exe PID: 7032, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: 2510-hamil siparis formu.exe PID: 7032, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: RegSvcs.exe PID: 7080, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 7080, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: 0.2.2510-hamil siparis formu.exe.ee0000.0.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.2510-hamil siparis formu.exe.ee0000.0.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.2510-hamil siparis formu.exe.ee0000.0.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.2510-hamil siparis formu.exe.ee0000.0.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.2510-hamil siparis formu.exe.ee0000.0.raw.unpack, -.cs

Base64 encoded string: 'nx78impMlIA4vzXx3RQ9eUQN2sHJqGZBELGG4SA+N4wiDRHw8c+7MZxtpF8q/a7e'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/2@2/2

Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe

Code function: 0_2_00F7A06A GetLastError,FormatMessageW,

0_2_00F7A06A

Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe	Code function: 0_2_00F681CB AdjustTokenPrivileges,CloseHandle,		0_2_00F681CB
Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe	Code function: 0_2_00F687E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00F687E1

Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe

Code function: 0_2_00F7B3FB SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00F7B3FB

Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe

Code function: 0_2_00F8EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00F8EE0D

Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe

Code function: 0_2_00F883BB CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,

0_2_00F883BB

Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe

Code function: 0_2_00F14E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00F14E89

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe

File created: C:\Users\user~1\AppData\Local\Temp\aut2B25.tmp

Jump to behavior

Source: 2510-hamil siparis formu.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegSvcs.exe, 00000001.00000002.3354697892.0000000002AC4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3355603010.00000000038FB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3354697892.0000000002AF9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3354697892.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3354697892.0000000002AEC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3354697892.0000000002AB6000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: 2510-hamil siparis formu.exe	ReversingLabs: Detection: 55%
Source: 2510-hamil siparis formu.exe	Virustotal: Detection: 43%

Source: unknown	Process created: C:\Users\user\Desktop\2510-hamil siparis formu.exe "C:\Users\user\Desktop\2510-hamil siparis formu.exe"
Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\2510-hamil siparis formu.exe"
Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\2510-hamil siparis formu.exe"	Jump to behavior

Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: 2510-hamil siparis formu.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 2510-hamil siparis formu.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 2510-hamil siparis formu.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 2510-hamil siparis formu.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 2510-hamil siparis formu.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 2510-hamil siparis formu.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 2510-hamil siparis formu.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: 2510-hamil siparis formu.exe, 00000000.00000003.899936626.0000000003800000.00000004.00001000.00020000.00000000.sdmp, 2510-hamil siparis formu.exe, 00000000.00000003.900198277.0000000003660000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: 2510-hamil siparis formu.exe, 00000000.00000003.899936626.0000000003800000.00000004.00001000.00020000.00000000.sdmp, 2510-hamil siparis formu.exe, 00000000.00000003.900198277.0000000003660000.00000004.00001000.00020000.00000000.sdmp

Source: 2510-hamil siparis formu.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 2510-hamil siparis formu.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 2510-hamil siparis formu.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 2510-hamil siparis formu.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 2510-hamil siparis formu.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe

Code function: 0_2_00F14B37 LoadLibraryA,GetProcAddress,

0_2_00F14B37

Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe	Code function: 0_2_00F38945 push ecx; ret	0_2_00F38958
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_062C9005 push es; ret	1_2_062C904C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_062CF1DC push es; iretd	1_2_062CF22C

Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe	Code function: 0_2_00F148D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00F148D7
Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe	Code function: 0_2_00F95376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00F95376

Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe

Code function: 0_2_00F33187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00F33187

Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe

API/Special instruction interceptor: Address: 1150384

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599782	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599657	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599532	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598938	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598813	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598704	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598579	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598454	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598329	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598204	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598079	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597954	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597782	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597657	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597525	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596492	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596266	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596157	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596032	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595813	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595688	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595091	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594949	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594110	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 1950			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 7882			Jump to behavior

Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe

API coverage: 4.7 %

Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe	Code function: 0_2_00F7445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00F7445A
Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe	Code function: 0_2_00F7C6D1 FindFirstFileW,FindClose,	0_2_00F7C6D1
Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe	Code function: 0_2_00F7C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00F7C75C
Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe	Code function: 0_2_00F7EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00F7EF95
Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe	Code function: 0_2_00F7F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00F7F0F2
Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe	Code function: 0_2_00F7F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00F7F3F3
Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe	Code function: 0_2_00F737EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00F737EF
Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe	Code function: 0_2_00F73B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00F73B12
Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe	Code function: 0_2_00F7BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00F7BCBC

Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe

Code function: 0_2_00F149A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00F149A0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599782	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599657	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599532	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598938	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598813	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598704	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598579	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598454	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598329	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598204	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598079	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597954	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597782	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597657	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597525	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596492	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596266	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596157	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596032	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595813	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595688	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595091	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594949	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594110	Jump to behavior

Source: RegSvcs.exe, 00000001.00000002.3353596191.0000000000AB7000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe

API call chain: ExitProcess graph end node

graph_0-104437

Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe

Code function: 0_2_00F83F09 BlockInput,

0_2_00F83F09

Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe

Code function: 0_2_00F13B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00F13B3A

Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe

Code function: 0_2_00F45A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00F45A7C

Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe

Code function: 0_2_00F14B37 LoadLibraryA,GetProcAddress,

0_2_00F14B37

Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe	Code function: 0_2_011505F0 mov eax, dword ptr fs:[00000030h]	0_2_011505F0
Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe	Code function: 0_2_01150650 mov eax, dword ptr fs:[00000030h]	0_2_01150650
Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe	Code function: 0_2_0114EFD0 mov eax, dword ptr fs:[00000030h]	0_2_0114EFD0

Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe

Code function: 0_2_00F680A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,

0_2_00F680A9

Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe	Code function: 0_2_00F3A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_00F3A155
Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe	Code function: 0_2_00F3A124 SetUnhandledExceptionFilter,		0_2_00F3A124

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 7CC008

Jump to behavior

Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe

Code function: 0_2_00F687B1 LogonUserW,

0_2_00F687B1

Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe

Code function: 0_2_00F13B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00F13B3A

Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe

Code function: 0_2_00F148D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_00F148D7

Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe

Code function: 0_2_00F74C7F mouse_event,

0_2_00F74C7F

Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\2510-hamil siparis formu.exe"

Jump to behavior

Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe

Code function: 0_2_00F67CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00F67CAF

Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe

Code function: 0_2_00F6874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00F6874B

Source: 2510-hamil siparis formu.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: 2510-hamil siparis formu.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe

Code function: 0_2_00F3862B cpuid

0_2_00F3862B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe

Code function: 0_2_00F44E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00F44E87

Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe

Code function: 0_2_00F51E06 GetUserNameW,

0_2_00F51E06

Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe

Code function: 0_2_00F43F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00F43F3A

Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe

Code function: 0_2_00F149A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00F149A0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 0.2.2510-hamil siparis formu.exe.ee0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2510-hamil siparis formu.exe.ee0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.3354697892.0000000002A3B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3352952277.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.905588694.0000000000EE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3354697892.0000000002871000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 2510-hamil siparis formu.exe PID: 7032, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7080, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: 2510-hamil siparis formu.exe	Binary or memory string: WIN_81
Source: 2510-hamil siparis formu.exe	Binary or memory string: WIN_XP
Source: 2510-hamil siparis formu.exe	Binary or memory string: WIN_XPe
Source: 2510-hamil siparis formu.exe	Binary or memory string: WIN_VISTA
Source: 2510-hamil siparis formu.exe	Binary or memory string: WIN_7
Source: 2510-hamil siparis formu.exe	Binary or memory string: WIN_8
Source: 2510-hamil siparis formu.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: Yara match	File source: 0.2.2510-hamil siparis formu.exe.ee0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2510-hamil siparis formu.exe.ee0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.3352952277.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.905588694.0000000000EE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 2510-hamil siparis formu.exe PID: 7032, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7080, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 0.2.2510-hamil siparis formu.exe.ee0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2510-hamil siparis formu.exe.ee0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.3354697892.0000000002A3B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3352952277.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.905588694.0000000000EE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3354697892.0000000002871000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 2510-hamil siparis formu.exe PID: 7032, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7080, type: MEMORYSTR

Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe	Code function: 0_2_00F86283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00F86283
Source: C:\Users\user\Desktop\2510-hamil siparis formu.exe	Code function: 0_2_00F86747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00F86747

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	31 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	127 System Information Discovery	Distributed Component Object Model	21 Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	2 Valid Accounts	LSA Secrets	131 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Virtualization/Sandbox Evasion	Cached Domain Credentials	11 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Access Token Manipulation	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	212 Process Injection	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 2510-hamil siparis formu.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
2510-hamil siparis formu.exe