Edit tour

Windows Analysis Report
HALKBANK EKSTRE.exe

Overview

General Information

Sample name:	HALKBANK EKSTRE.exe
Analysis ID:	1580267
MD5:	50424fd9b7befb9448ad8cde1c5522e8
SHA1:	9df450f22397be8631a2b8092843ba0e180ca8b7
SHA256:	038849db19818c7136fe0a551b3f1b9ab11d51390ab2f4197f9f7c5ff16f6a8f
Tags:	exegeoHalkbankTURuser-abuse_ch
Infos:

Detection

MassLogger RAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected AntiVM3

Yara detected MassLogger RAT

Yara detected Telegram RAT

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Contains functionality to log keystrokes (.Net Source)

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Sigma detected: Uncommon Svchost Parent Process

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

HALKBANK EKSTRE.exe (PID: 6256 cmdline: "C:\Users\user\Desktop\HALKBANK EKSTRE.exe" MD5: 50424FD9B7BEFB9448AD8CDE1C5522E8)

powershell.exe (PID: 5248 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HALKBANK EKSTRE.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 4024 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gaOQxNyy.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7248 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 5732 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gaOQxNyy" /XML "C:\Users\user\AppData\Local\Temp\tmp93F7.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 3172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

HALKBANK EKSTRE.exe (PID: 4312 cmdline: "C:\Users\user\Desktop\HALKBANK EKSTRE.exe" MD5: 50424FD9B7BEFB9448AD8CDE1C5522E8)

HALKBANK EKSTRE.exe (PID: 5948 cmdline: "C:\Users\user\Desktop\HALKBANK EKSTRE.exe" MD5: 50424FD9B7BEFB9448AD8CDE1C5522E8)

HALKBANK EKSTRE.exe (PID: 320 cmdline: "C:\Users\user\Desktop\HALKBANK EKSTRE.exe" MD5: 50424FD9B7BEFB9448AD8CDE1C5522E8)

svchost.exe (PID: 5732 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

gaOQxNyy.exe (PID: 7180 cmdline: C:\Users\user\AppData\Roaming\gaOQxNyy.exe MD5: 50424FD9B7BEFB9448AD8CDE1C5522E8)

schtasks.exe (PID: 7724 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gaOQxNyy" /XML "C:\Users\user\AppData\Local\Temp\tmpA55C.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

gaOQxNyy.exe (PID: 7784 cmdline: "C:\Users\user\AppData\Roaming\gaOQxNyy.exe" MD5: 50424FD9B7BEFB9448AD8CDE1C5522E8)

cleanup

Malware Configuration

Threatname: MassLogger

{"EXfil Mode": "SMTP", "From": "kingnovasend@zqamcx.com", "Password": "Anambraeast", "Server": "zqamcx.com", "To": "kingnovaresult@zqamcx.com", "Port": 587}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1261541050.0000000003F61000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000000.00000002.1261541050.0000000003F61000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1261541050.0000000003F61000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.1261541050.0000000003F61000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x304af:$a1: get_encryptedPassword 0x307d7:$a2: get_encryptedUsername 0x3024a:$a3: get_timePasswordChanged 0x3036b:$a4: get_passwordField 0x304c5:$a5: set_encryptedPassword 0x31e21:$a7: get_logins 0x31ad2:$a8: GetOutlookPasswords 0x318c4:$a9: StartKeylogger 0x31d71:$a10: KeyLoggerEventArgs 0x31921:$a11: KeyLoggerEventArgsEventHandler
00000016.00000002.2464836827.0000000003363000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000016.00000002.2461072276.0000000000410000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000016.00000002.2461072276.0000000000410000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000016.00000002.2461072276.0000000000410000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000016.00000002.2461072276.0000000000410000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xfa7:$a1: get_encryptedPassword 0x12cf:$a2: get_encryptedUsername 0xd42:$a3: get_timePasswordChanged 0xe63:$a4: get_passwordField 0xfbd:$a5: set_encryptedPassword 0x2919:$a7: get_logins 0x25ca:$a8: GetOutlookPasswords 0x23bc:$a9: StartKeylogger 0x2869:$a10: KeyLoggerEventArgs 0x2419:$a11: KeyLoggerEventArgsEventHandler
0000000B.00000002.2464690903.0000000003413000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1261541050.0000000003FA2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000000.00000002.1261541050.0000000003FA2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1261541050.0000000003FA2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.1261541050.0000000003FA2000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x723c7:$a1: get_encryptedPassword 0x88fe7:$a1: get_encryptedPassword 0x726ef:$a2: get_encryptedUsername 0x8930f:$a2: get_encryptedUsername 0x72162:$a3: get_timePasswordChanged 0x88d82:$a3: get_timePasswordChanged 0x72283:$a4: get_passwordField 0x88ea3:$a4: get_passwordField 0x723dd:$a5: set_encryptedPassword 0x88ffd:$a5: set_encryptedPassword 0x73d39:$a7: get_logins 0x8a959:$a7: get_logins 0x739ea:$a8: GetOutlookPasswords 0x8a60a:$a8: GetOutlookPasswords 0x737dc:$a9: StartKeylogger 0x8a3fc:$a9: StartKeylogger 0x73c89:$a10: KeyLoggerEventArgs 0x8a8a9:$a10: KeyLoggerEventArgs 0x73839:$a11: KeyLoggerEventArgsEventHandler 0x8a459:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: HALKBANK EKSTRE.exe PID: 6256	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: HALKBANK EKSTRE.exe PID: 6256	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: HALKBANK EKSTRE.exe PID: 6256	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: HALKBANK EKSTRE.exe PID: 6256	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: HALKBANK EKSTRE.exe PID: 6256	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3da3f:$a1: get_encryptedPassword 0x6d403:$a1: get_encryptedPassword 0x3dd58:$a2: get_encryptedUsername 0x6d71c:$a2: get_encryptedUsername 0x3d7ee:$a3: get_timePasswordChanged 0x6d1b2:$a3: get_timePasswordChanged 0x3d90f:$a4: get_passwordField 0x6d2d3:$a4: get_passwordField 0x3da55:$a5: set_encryptedPassword 0x6d419:$a5: set_encryptedPassword 0x3f358:$a7: get_logins 0x6ed1c:$a7: get_logins 0x3f009:$a8: GetOutlookPasswords 0x6e9cd:$a8: GetOutlookPasswords 0x3edfb:$a9: StartKeylogger 0x6e7bf:$a9: StartKeylogger 0x3f2a8:$a10: KeyLoggerEventArgs 0x6ec6c:$a10: KeyLoggerEventArgs 0x3ee58:$a11: KeyLoggerEventArgsEventHandler 0x6e81c:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: HALKBANK EKSTRE.exe PID: 320	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: gaOQxNyy.exe PID: 7784	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: gaOQxNyy.exe PID: 7784	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: gaOQxNyy.exe PID: 7784	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: gaOQxNyy.exe PID: 7784	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x49866:$a1: get_encryptedPassword 0x49b7f:$a2: get_encryptedUsername 0x49615:$a3: get_timePasswordChanged 0x49736:$a4: get_passwordField 0x4987c:$a5: set_encryptedPassword 0x4b17f:$a7: get_logins 0x4ae30:$a8: GetOutlookPasswords 0x4ac22:$a9: StartKeylogger 0x4b0cf:$a10: KeyLoggerEventArgs 0x4ac7f:$a11: KeyLoggerEventArgsEventHandler
Click to see the 19 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.HALKBANK EKSTRE.exe.4005220.4.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.HALKBANK EKSTRE.exe.4005220.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.HALKBANK EKSTRE.exe.4005220.4.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.HALKBANK EKSTRE.exe.3f82308.2.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.HALKBANK EKSTRE.exe.3f82308.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.HALKBANK EKSTRE.exe.4005220.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd3a7:$a1: get_encryptedPassword 0xd6cf:$a2: get_encryptedUsername 0xd142:$a3: get_timePasswordChanged 0xd263:$a4: get_passwordField 0xd3bd:$a5: set_encryptedPassword 0xed19:$a7: get_logins 0xe9ca:$a8: GetOutlookPasswords 0xe7bc:$a9: StartKeylogger 0xec69:$a10: KeyLoggerEventArgs 0xe819:$a11: KeyLoggerEventArgsEventHandler
0.2.HALKBANK EKSTRE.exe.3f82308.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.HALKBANK EKSTRE.exe.4005220.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1234b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x11849:$a3: \Google\Chrome\User Data\Default\Login Data 0x11b57:$a4: \Orbitum\User Data\Default\Login Data 0x1294f:$a5: \Kometa\User Data\Default\Login Data
0.2.HALKBANK EKSTRE.exe.3f82308.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd3a7:$a1: get_encryptedPassword 0xd6cf:$a2: get_encryptedUsername 0xd142:$a3: get_timePasswordChanged 0xd263:$a4: get_passwordField 0xd3bd:$a5: set_encryptedPassword 0xed19:$a7: get_logins 0xe9ca:$a8: GetOutlookPasswords 0xe7bc:$a9: StartKeylogger 0xec69:$a10: KeyLoggerEventArgs 0xe819:$a11: KeyLoggerEventArgsEventHandler
0.2.HALKBANK EKSTRE.exe.3f82308.2.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.HALKBANK EKSTRE.exe.3f82308.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.HALKBANK EKSTRE.exe.3f82308.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.HALKBANK EKSTRE.exe.3f82308.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1234b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x11849:$a3: \Google\Chrome\User Data\Default\Login Data 0x11b57:$a4: \Orbitum\User Data\Default\Login Data 0x1294f:$a5: \Kometa\User Data\Default\Login Data
0.2.HALKBANK EKSTRE.exe.3f82308.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1a7:$a1: get_encryptedPassword 0xf4cf:$a2: get_encryptedUsername 0xef42:$a3: get_timePasswordChanged 0xf063:$a4: get_passwordField 0xf1bd:$a5: set_encryptedPassword 0x10b19:$a7: get_logins 0x107ca:$a8: GetOutlookPasswords 0x105bc:$a9: StartKeylogger 0x10a69:$a10: KeyLoggerEventArgs 0x10619:$a11: KeyLoggerEventArgsEventHandler
0.2.HALKBANK EKSTRE.exe.3f82308.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1414b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13649:$a3: \Google\Chrome\User Data\Default\Login Data 0x13957:$a4: \Orbitum\User Data\Default\Login Data 0x1474f:$a5: \Kometa\User Data\Default\Login Data
0.2.HALKBANK EKSTRE.exe.4005220.4.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.HALKBANK EKSTRE.exe.4005220.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.HALKBANK EKSTRE.exe.4005220.4.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.HALKBANK EKSTRE.exe.4005220.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1a7:$a1: get_encryptedPassword 0x25dc7:$a1: get_encryptedPassword 0xf4cf:$a2: get_encryptedUsername 0x260ef:$a2: get_encryptedUsername 0xef42:$a3: get_timePasswordChanged 0x25b62:$a3: get_timePasswordChanged 0xf063:$a4: get_passwordField 0x25c83:$a4: get_passwordField 0xf1bd:$a5: set_encryptedPassword 0x25ddd:$a5: set_encryptedPassword 0x10b19:$a7: get_logins 0x27739:$a7: get_logins 0x107ca:$a8: GetOutlookPasswords 0x273ea:$a8: GetOutlookPasswords 0x105bc:$a9: StartKeylogger 0x271dc:$a9: StartKeylogger 0x10a69:$a10: KeyLoggerEventArgs 0x27689:$a10: KeyLoggerEventArgs 0x10619:$a11: KeyLoggerEventArgsEventHandler 0x27239:$a11: KeyLoggerEventArgsEventHandler
Click to see the 14 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HALKBANK EKSTRE.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HALKBANK EKSTRE.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\HALKBANK EKSTRE.exe", ParentImage: C:\Users\user\Desktop\HALKBANK EKSTRE.exe, ParentProcessId: 6256, ParentProcessName: HALKBANK EKSTRE.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HALKBANK EKSTRE.exe", ProcessId: 5248, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gaOQxNyy" /XML "C:\Users\user\AppData\Local\Temp\tmpA55C.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gaOQxNyy" /XML "C:\Users\user\AppData\Local\Temp\tmpA55C.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\gaOQxNyy.exe, ParentImage: C:\Users\user\AppData\Roaming\gaOQxNyy.exe, ParentProcessId: 7180, ParentProcessName: gaOQxNyy.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gaOQxNyy" /XML "C:\Users\user\AppData\Local\Temp\tmpA55C.tmp", ProcessId: 7724, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gaOQxNyy" /XML "C:\Users\user\AppData\Local\Temp\tmp93F7.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gaOQxNyy" /XML "C:\Users\user\AppData\Local\Temp\tmp93F7.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\HALKBANK EKSTRE.exe", ParentImage: C:\Users\user\Desktop\HALKBANK EKSTRE.exe, ParentProcessId: 6256, ParentProcessName: HALKBANK EKSTRE.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gaOQxNyy" /XML "C:\Users\user\AppData\Local\Temp\tmp93F7.tmp", ProcessId: 5732, ProcessName: schtasks.exe

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\HALKBANK EKSTRE.exe", ParentImage: C:\Users\user\Desktop\HALKBANK EKSTRE.exe, ParentProcessId: 6256, ParentProcessName: HALKBANK EKSTRE.exe, ProcessCommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, ProcessId: 5732, ProcessName: svchost.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HALKBANK EKSTRE.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HALKBANK EKSTRE.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\HALKBANK EKSTRE.exe", ParentImage: C:\Users\user\Desktop\HALKBANK EKSTRE.exe, ParentProcessId: 6256, ParentProcessName: HALKBANK EKSTRE.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HALKBANK EKSTRE.exe", ProcessId: 5248, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\HALKBANK EKSTRE.exe", ParentImage: C:\Users\user\Desktop\HALKBANK EKSTRE.exe, ParentProcessId: 6256, ParentProcessName: HALKBANK EKSTRE.exe, ProcessCommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, ProcessId: 5732, ProcessName: svchost.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gaOQxNyy" /XML "C:\Users\user\AppData\Local\Temp\tmp93F7.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gaOQxNyy" /XML "C:\Users\user\AppData\Local\Temp\tmp93F7.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\HALKBANK EKSTRE.exe", ParentImage: C:\Users\user\Desktop\HALKBANK EKSTRE.exe, ParentProcessId: 6256, ParentProcessName: HALKBANK EKSTRE.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gaOQxNyy" /XML "C:\Users\user\AppData\Local\Temp\tmp93F7.tmp", ProcessId: 5732, ProcessName: schtasks.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-24T08:24:05.945728+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49706	193.122.6.168	80	TCP
2024-12-24T08:24:10.414412+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49710	193.122.6.168	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0.2.HALKBANK EKSTRE.exe.4005220.4.raw.unpack

Malware Configuration Extractor: MassLogger {"EXfil Mode": "SMTP", "From": "kingnovasend@zqamcx.com", "Password": "Anambraeast", "Server": "zqamcx.com", "To": "kingnovaresult@zqamcx.com", "Port": 587}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	ReversingLabs: Detection: 63%
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Virustotal: Detection: 34%			Perma Link

Multi AV Scanner detection for submitted file

Source: HALKBANK EKSTRE.exe	Virustotal: Detection: 34%			Perma Link
Source: HALKBANK EKSTRE.exe	ReversingLabs: Detection: 63%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: HALKBANK EKSTRE.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: HALKBANK EKSTRE.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.7:49708 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.7:49711 version: TLS 1.0

Source: HALKBANK EKSTRE.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: mNUg.pdb source: HALKBANK EKSTRE.exe, gaOQxNyy.exe.0.dr
Source:	Binary string: mNUg.pdbSHA256.O source: HALKBANK EKSTRE.exe, gaOQxNyy.exe.0.dr

Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 4x nop then jmp 01729731h	11_2_01729480
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 4x nop then jmp 01729E5Ah	11_2_01729A40
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 4x nop then jmp 01729E5Ah	11_2_01729A30
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 4x nop then jmp 01729E5Ah	11_2_01729D87
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 4x nop then jmp 058F5E15h	11_2_058F5AD8
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 4x nop then jmp 058F8830h	11_2_058F8588
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 4x nop then jmp 058F47C9h	11_2_058F4520
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 4x nop then jmp 058F76D0h	11_2_058F7428
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 4x nop then jmp 058FF700h	11_2_058FF458
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 4x nop then jmp 058FE9F8h	11_2_058FE750
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 4x nop then jmp 058F5929h	11_2_058F5680
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 4x nop then jmp 058F83D8h	11_2_058F8130
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 4x nop then jmp 058FF2A8h	11_2_058FF000
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 4x nop then jmp 058FE5A0h	11_2_058FE2F8
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 4x nop then jmp 058F54D1h	11_2_058F5228
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 4x nop then jmp 058F5079h	11_2_058F4DD0
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 4x nop then jmp 058F7F80h	11_2_058F7CD8
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 4x nop then jmp 058F7278h	11_2_058F6FD0
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 4x nop then jmp 058F4C21h	11_2_058F4978
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 4x nop then jmp 058F7B28h	11_2_058F7880
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 4x nop then jmp 058FFB58h	11_2_058FF8B0
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 4x nop then jmp 058FEE50h	11_2_058FEBA8
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Code function: 4x nop then jmp 015C9731h	22_2_015C9480
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Code function: 4x nop then jmp 015C9E5Ah	22_2_015C9A40
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Code function: 4x nop then jmp 015C9E5Ah	22_2_015C9A30
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Code function: 4x nop then jmp 015C9E5Ah	22_2_015C9D87

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 193.122.6.168 193.122.6.168
Source: Joe Sandbox View	IP Address: 172.67.177.134 172.67.177.134

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49706 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49710 -> 193.122.6.168:80

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown	HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.7:49708 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.7:49711 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: HALKBANK EKSTRE.exe, 0000000B.00000002.2464690903.000000000336E000.00000004.00000800.00020000.00000000.sdmp, gaOQxNyy.exe, 00000016.00000002.2464836827.00000000032BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: HALKBANK EKSTRE.exe, 0000000B.00000002.2464690903.000000000336E000.00000004.00000800.00020000.00000000.sdmp, gaOQxNyy.exe, 00000016.00000002.2464836827.00000000032BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.comd
Source: HALKBANK EKSTRE.exe, 0000000B.00000002.2464690903.0000000003359000.00000004.00000800.00020000.00000000.sdmp, HALKBANK EKSTRE.exe, 0000000B.00000002.2464690903.000000000336E000.00000004.00000800.00020000.00000000.sdmp, gaOQxNyy.exe, 00000016.00000002.2464836827.00000000032AC000.00000004.00000800.00020000.00000000.sdmp, gaOQxNyy.exe, 00000016.00000002.2464836827.00000000032BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: HALKBANK EKSTRE.exe, 0000000B.00000002.2464690903.00000000032F1000.00000004.00000800.00020000.00000000.sdmp, gaOQxNyy.exe, 00000016.00000002.2464836827.0000000003241000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: HALKBANK EKSTRE.exe, 0000000B.00000002.2464690903.000000000336E000.00000004.00000800.00020000.00000000.sdmp, gaOQxNyy.exe, 00000016.00000002.2464836827.00000000032BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/d
Source: HALKBANK EKSTRE.exe, 00000000.00000002.1261541050.0000000003FA2000.00000004.00000800.00020000.00000000.sdmp, HALKBANK EKSTRE.exe, 00000000.00000002.1261541050.0000000003F61000.00000004.00000800.00020000.00000000.sdmp, gaOQxNyy.exe, 00000016.00000002.2461072276.0000000000410000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: HALKBANK EKSTRE.exe, 0000000B.00000002.2464690903.000000000336E000.00000004.00000800.00020000.00000000.sdmp, gaOQxNyy.exe, 00000016.00000002.2464836827.00000000032BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.orgd
Source: HALKBANK EKSTRE.exe, gaOQxNyy.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: HALKBANK EKSTRE.exe, gaOQxNyy.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: HALKBANK EKSTRE.exe, gaOQxNyy.exe.0.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: HALKBANK EKSTRE.exe, 0000000B.00000002.2464690903.000000000338B000.00000004.00000800.00020000.00000000.sdmp, gaOQxNyy.exe, 00000016.00000002.2464836827.00000000032DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: HALKBANK EKSTRE.exe, 0000000B.00000002.2464690903.000000000338B000.00000004.00000800.00020000.00000000.sdmp, gaOQxNyy.exe, 00000016.00000002.2464836827.00000000032DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.orgd
Source: HALKBANK EKSTRE.exe, 00000000.00000002.1258234231.000000000301E000.00000004.00000800.00020000.00000000.sdmp, HALKBANK EKSTRE.exe, 0000000B.00000002.2464690903.00000000032F1000.00000004.00000800.00020000.00000000.sdmp, gaOQxNyy.exe, 0000000D.00000002.1307259393.000000000323E000.00000004.00000800.00020000.00000000.sdmp, gaOQxNyy.exe, 00000016.00000002.2464836827.0000000003241000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: svchost.exe, 0000000C.00000002.1375611284.000001E558013000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.bingmapsportal.com
Source: HALKBANK EKSTRE.exe, 00000000.00000002.1261541050.0000000003FA2000.00000004.00000800.00020000.00000000.sdmp, HALKBANK EKSTRE.exe, 00000000.00000002.1261541050.0000000003F61000.00000004.00000800.00020000.00000000.sdmp, gaOQxNyy.exe, 00000016.00000002.2461072276.0000000000410000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: svchost.exe, 0000000C.00000002.1375711200.000001E558058000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1375190214.000001E558057000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 0000000C.00000002.1375711200.000001E558058000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1375190214.000001E558057000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/
Source: svchost.exe, 0000000C.00000002.1375672564.000001E558042000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1374761841.000001E55806E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1374889298.000001E558062000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1375060736.000001E55805A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.1375791611.000001E558070000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1375174055.000001E558041000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.1375751810.000001E558063000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000C.00000003.1374761841.000001E55806E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.1375791611.000001E558070000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000C.00000002.1375711200.000001E558058000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1375190214.000001E558057000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000C.00000002.1375774726.000001E558068000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1374842721.000001E558067000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000C.00000003.1374761841.000001E55806E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.1375791611.000001E558070000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 0000000C.00000002.1375711200.000001E558058000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1375190214.000001E558057000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000C.00000003.1374889298.000001E558062000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1375060736.000001E55805A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.1375634616.000001E55802B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.1375751810.000001E558063000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000C.00000002.1375711200.000001E558058000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1375190214.000001E558057000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 0000000C.00000002.1375774726.000001E558068000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.1375634616.000001E55802B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1374842721.000001E558067000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000C.00000002.1375711200.000001E558058000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1375190214.000001E558057000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000C.00000002.1375711200.000001E558058000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1375190214.000001E558057000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000C.00000002.1375711200.000001E558058000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1375190214.000001E558057000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000C.00000003.1374889298.000001E558062000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.1375634616.000001E55802B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.1375751810.000001E558063000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000C.00000002.1375672564.000001E558042000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1375174055.000001E558041000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000C.00000002.1375711200.000001E558058000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1375190214.000001E558057000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000C.00000003.1374889298.000001E558062000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.1375751810.000001E558063000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000000C.00000003.1375205295.000001E558031000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1374889298.000001E558062000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.1375751810.000001E558063000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.1375694330.000001E558055000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1374703617.000001E558053000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000C.00000003.1375174055.000001E558041000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000C.00000003.1374889298.000001E558062000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.1375751810.000001E558063000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000C.00000002.1375672564.000001E558042000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1374963255.000001E55805E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1375174055.000001E558041000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000C.00000002.1375791611.000001E558070000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1375174055.000001E558041000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.1375751810.000001E558063000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000C.00000002.1375711200.000001E558058000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1375190214.000001E558057000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000C.00000002.1375774726.000001E558068000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.1375634616.000001E55802B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1374842721.000001E558067000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: HALKBANK EKSTRE.exe, 0000000B.00000002.2464690903.000000000336E000.00000004.00000800.00020000.00000000.sdmp, gaOQxNyy.exe, 00000016.00000002.2464836827.00000000032BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: HALKBANK EKSTRE.exe, 00000000.00000002.1261541050.0000000003FA2000.00000004.00000800.00020000.00000000.sdmp, HALKBANK EKSTRE.exe, 00000000.00000002.1261541050.0000000003F61000.00000004.00000800.00020000.00000000.sdmp, HALKBANK EKSTRE.exe, 0000000B.00000002.2464690903.000000000336E000.00000004.00000800.00020000.00000000.sdmp, gaOQxNyy.exe, 00000016.00000002.2464836827.00000000032BE000.00000004.00000800.00020000.00000000.sdmp, gaOQxNyy.exe, 00000016.00000002.2461072276.0000000000410000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: HALKBANK EKSTRE.exe, 0000000B.00000002.2464690903.000000000336E000.00000004.00000800.00020000.00000000.sdmp, gaOQxNyy.exe, 00000016.00000002.2464836827.00000000032BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189d
Source: HALKBANK EKSTRE.exe, 0000000B.00000002.2464690903.000000000336E000.00000004.00000800.00020000.00000000.sdmp, gaOQxNyy.exe, 00000016.00000002.2464836827.00000000032BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l
Source: svchost.exe, 0000000C.00000003.1375174055.000001E558041000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000C.00000003.1375154641.000001E558047000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1375174055.000001E558041000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000C.00000003.1375154641.000001E558047000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1375190214.000001E558057000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1375174055.000001E558041000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000C.00000002.1375634616.000001E55802B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000C.00000002.1375711200.000001E558058000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1375190214.000001E558057000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000000C.00000002.1375711200.000001E558058000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1375190214.000001E558057000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=
Source: HALKBANK EKSTRE.exe, gaOQxNyy.exe.0.dr	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.HALKBANK EKSTRE.exe.4005220.4.raw.unpack, UltraSpeed.cs	.Net Code: VKCodeToUnicode
Source: 0.2.HALKBANK EKSTRE.exe.3f82308.2.raw.unpack, UltraSpeed.cs	.Net Code: VKCodeToUnicode

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.HALKBANK EKSTRE.exe.4005220.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.HALKBANK EKSTRE.exe.4005220.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.HALKBANK EKSTRE.exe.3f82308.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.HALKBANK EKSTRE.exe.3f82308.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.HALKBANK EKSTRE.exe.3f82308.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.HALKBANK EKSTRE.exe.3f82308.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.HALKBANK EKSTRE.exe.4005220.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1261541050.0000000003F61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000016.00000002.2461072276.0000000000410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1261541050.0000000003FA2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: HALKBANK EKSTRE.exe PID: 6256, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: gaOQxNyy.exe PID: 7784, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 0_2_01583E28	0_2_01583E28
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 0_2_0158E22C	0_2_0158E22C
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 0_2_01587019	0_2_01587019
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 0_2_071CDF29	0_2_071CDF29
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 0_2_071C6B60	0_2_071C6B60
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 0_2_071E4690	0_2_071E4690
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 0_2_071E2948	0_2_071E2948
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 0_2_071E5058	0_2_071E5058
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 0_2_071E8C78	0_2_071E8C78
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 0_2_071E58C0	0_2_071E58C0
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 0_2_071E1578	0_2_071E1578
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 0_2_075D0710	0_2_075D0710
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 0_2_075D0E78	0_2_075D0E78
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 0_2_075D5E48	0_2_075D5E48
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 0_2_0767A4A1	0_2_0767A4A1
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 0_2_0767A072	0_2_0767A072
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 0_2_0767C0E8	0_2_0767C0E8
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 0_2_0767BCB0	0_2_0767BCB0
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 0_2_0767CA98	0_2_0767CA98
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 11_2_0172C530	11_2_0172C530
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 11_2_01722DD1	11_2_01722DD1
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 11_2_01729480	11_2_01729480
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 11_2_0172C521	11_2_0172C521
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 11_2_0172946F	11_2_0172946F
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 11_2_058F6138	11_2_058F6138
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 11_2_058F13A8	11_2_058F13A8
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 11_2_058FBC50	11_2_058FBC50
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 11_2_058FAE78	11_2_058FAE78
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 11_2_058F89E0	11_2_058F89E0
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 11_2_058F0AB8	11_2_058F0AB8
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 11_2_058F5AD8	11_2_058F5AD8
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 11_2_058F8588	11_2_058F8588
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 11_2_058F450F	11_2_058F450F
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 11_2_058F4520	11_2_058F4520
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 11_2_058F8579	11_2_058F8579
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 11_2_058F7418	11_2_058F7418
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 11_2_058F7428	11_2_058F7428
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 11_2_058FF458	11_2_058FF458
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 11_2_058FF455	11_2_058FF455
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 11_2_058FE740	11_2_058FE740
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 11_2_058FE750	11_2_058FE750
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 11_2_058F5680	11_2_058F5680
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 11_2_058F566F	11_2_058F566F
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 11_2_058F612B	11_2_058F612B
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 11_2_058F8120	11_2_058F8120
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 11_2_058F8130	11_2_058F8130
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 11_2_058FF000	11_2_058FF000
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 11_2_058F0320	11_2_058F0320
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 11_2_058F0330	11_2_058F0330
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 11_2_058FE2F8	11_2_058FE2F8
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 11_2_058FE2F5	11_2_058FE2F5
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 11_2_058F521B	11_2_058F521B
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 11_2_058F5228	11_2_058F5228
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 11_2_058F4DC0	11_2_058F4DC0
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 11_2_058F4DD0	11_2_058F4DD0
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 11_2_058F7CC8	11_2_058F7CC8
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 11_2_058F0CD8	11_2_058F0CD8
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 11_2_058F7CD8	11_2_058F7CD8
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 11_2_058F6FC3	11_2_058F6FC3
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 11_2_058F6FD0	11_2_058F6FD0
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 11_2_058FEFFD	11_2_058FEFFD
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 11_2_058F4969	11_2_058F4969
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 11_2_058F4978	11_2_058F4978
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 11_2_058F7880	11_2_058F7880
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 11_2_058FF8A0	11_2_058FF8A0
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 11_2_058FF8B0	11_2_058FF8B0
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 11_2_058F7871	11_2_058F7871
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 11_2_058FEB98	11_2_058FEB98
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 11_2_058FEBA8	11_2_058FEBA8
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 11_2_058F5ACB	11_2_058F5ACB
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Code function: 13_2_03153E28	13_2_03153E28
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Code function: 13_2_0315E22C	13_2_0315E22C
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Code function: 13_2_03157019	13_2_03157019
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Code function: 13_2_07585FD8	13_2_07585FD8
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Code function: 13_2_0758F698	13_2_0758F698
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Code function: 13_2_07588850	13_2_07588850
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Code function: 13_2_07589078	13_2_07589078
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Code function: 13_2_07589069	13_2_07589069
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Code function: 13_2_075EDF29	13_2_075EDF29
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Code function: 13_2_075E6B60	13_2_075E6B60
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Code function: 13_2_07604690	13_2_07604690
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Code function: 13_2_07602948	13_2_07602948
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Code function: 13_2_07608C78	13_2_07608C78
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Code function: 13_2_07605058	13_2_07605058
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Code function: 13_2_076058C0	13_2_076058C0
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Code function: 13_2_07601578	13_2_07601578
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Code function: 13_2_078F0710	13_2_078F0710
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Code function: 13_2_078F0E78	13_2_078F0E78
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Code function: 13_2_078F8410	13_2_078F8410
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Code function: 13_2_078F5E48	13_2_078F5E48
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Code function: 13_2_08C8CA98	13_2_08C8CA98
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Code function: 13_2_08C8BCB0	13_2_08C8BCB0
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Code function: 13_2_08C8C0E8	13_2_08C8C0E8
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Code function: 13_2_08C8A073	13_2_08C8A073
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Code function: 13_2_08C8A4A1	13_2_08C8A4A1
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Code function: 13_2_08CB0040	13_2_08CB0040
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Code function: 13_2_08CB17B8	13_2_08CB17B8
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Code function: 13_2_08CB001C	13_2_08CB001C
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Code function: 22_2_015CC530	22_2_015CC530
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Code function: 22_2_015C2DD1	22_2_015C2DD1
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Code function: 22_2_015C9480	22_2_015C9480
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Code function: 22_2_015CC521	22_2_015CC521
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Code function: 22_2_015C946F	22_2_015C946F

Source: HALKBANK EKSTRE.exe

Static PE information: invalid certificate

Source: HALKBANK EKSTRE.exe, 00000000.00000002.1256798850.00000000012CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs HALKBANK EKSTRE.exe
Source: HALKBANK EKSTRE.exe, 00000000.00000002.1272627579.0000000008D20000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs HALKBANK EKSTRE.exe
Source: HALKBANK EKSTRE.exe, 00000000.00000002.1261541050.0000000003FA2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs HALKBANK EKSTRE.exe
Source: HALKBANK EKSTRE.exe, 00000000.00000002.1261541050.0000000003FA2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs HALKBANK EKSTRE.exe
Source: HALKBANK EKSTRE.exe, 00000000.00000002.1261541050.0000000003F61000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs HALKBANK EKSTRE.exe
Source: HALKBANK EKSTRE.exe, 00000000.00000002.1271133058.0000000007630000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs HALKBANK EKSTRE.exe
Source: HALKBANK EKSTRE.exe, 00000000.00000002.1258234231.000000000301E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs HALKBANK EKSTRE.exe
Source: HALKBANK EKSTRE.exe, 00000000.00000002.1258234231.000000000301E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs HALKBANK EKSTRE.exe
Source: HALKBANK EKSTRE.exe, 00000000.00000000.1220910895.0000000000BA9000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamemNUg.exeZ vs HALKBANK EKSTRE.exe
Source: HALKBANK EKSTRE.exe, 0000000B.00000002.2463063386.0000000001598000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs HALKBANK EKSTRE.exe
Source: HALKBANK EKSTRE.exe, 0000000B.00000002.2461513836.00000000012F7000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs HALKBANK EKSTRE.exe
Source: HALKBANK EKSTRE.exe	Binary or memory string: OriginalFilenamemNUg.exeZ vs HALKBANK EKSTRE.exe

Source: HALKBANK EKSTRE.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.HALKBANK EKSTRE.exe.4005220.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.HALKBANK EKSTRE.exe.4005220.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.HALKBANK EKSTRE.exe.3f82308.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.HALKBANK EKSTRE.exe.3f82308.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.HALKBANK EKSTRE.exe.3f82308.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.HALKBANK EKSTRE.exe.3f82308.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.HALKBANK EKSTRE.exe.4005220.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1261541050.0000000003F61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000016.00000002.2461072276.0000000000410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1261541050.0000000003FA2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: HALKBANK EKSTRE.exe PID: 6256, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: gaOQxNyy.exe PID: 7784, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: HALKBANK EKSTRE.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: gaOQxNyy.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.HALKBANK EKSTRE.exe.4005220.4.raw.unpack, UltraSpeed.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.HALKBANK EKSTRE.exe.4005220.4.raw.unpack, COVIDPickers.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.HALKBANK EKSTRE.exe.3f82308.2.raw.unpack, UltraSpeed.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.HALKBANK EKSTRE.exe.3f82308.2.raw.unpack, COVIDPickers.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.HALKBANK EKSTRE.exe.4179888.1.raw.unpack, JdmZeVp5o8aArYTNg1.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.HALKBANK EKSTRE.exe.411e868.3.raw.unpack, JdmZeVp5o8aArYTNg1.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.HALKBANK EKSTRE.exe.411e868.3.raw.unpack, AFYUlqhR5MpTr4LumJ.cs	Security API names: _0020.SetAccessControl
Source: 0.2.HALKBANK EKSTRE.exe.411e868.3.raw.unpack, AFYUlqhR5MpTr4LumJ.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.HALKBANK EKSTRE.exe.411e868.3.raw.unpack, AFYUlqhR5MpTr4LumJ.cs	Security API names: _0020.AddAccessRule
Source: 0.2.HALKBANK EKSTRE.exe.8d20000.6.raw.unpack, AFYUlqhR5MpTr4LumJ.cs	Security API names: _0020.SetAccessControl
Source: 0.2.HALKBANK EKSTRE.exe.8d20000.6.raw.unpack, AFYUlqhR5MpTr4LumJ.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.HALKBANK EKSTRE.exe.8d20000.6.raw.unpack, AFYUlqhR5MpTr4LumJ.cs	Security API names: _0020.AddAccessRule
Source: 0.2.HALKBANK EKSTRE.exe.4179888.1.raw.unpack, AFYUlqhR5MpTr4LumJ.cs	Security API names: _0020.SetAccessControl
Source: 0.2.HALKBANK EKSTRE.exe.4179888.1.raw.unpack, AFYUlqhR5MpTr4LumJ.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.HALKBANK EKSTRE.exe.4179888.1.raw.unpack, AFYUlqhR5MpTr4LumJ.cs	Security API names: _0020.AddAccessRule
Source: 0.2.HALKBANK EKSTRE.exe.8d20000.6.raw.unpack, JdmZeVp5o8aArYTNg1.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@24/15@2/2

Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe

File created: C:\Users\user\AppData\Roaming\gaOQxNyy.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6768:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7132:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3172:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7736:120:WilError_03

Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe

File created: C:\Users\user\AppData\Local\Temp\tmp93F7.tmp

Jump to behavior

Source: HALKBANK EKSTRE.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: HALKBANK EKSTRE.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: HALKBANK EKSTRE.exe, 0000000B.00000002.2464690903.000000000340D000.00000004.00000800.00020000.00000000.sdmp, HALKBANK EKSTRE.exe, 0000000B.00000002.2464690903.00000000033EC000.00000004.00000800.00020000.00000000.sdmp, HALKBANK EKSTRE.exe, 0000000B.00000002.2464690903.00000000033CE000.00000004.00000800.00020000.00000000.sdmp, HALKBANK EKSTRE.exe, 0000000B.00000002.2466771910.000000000431D000.00000004.00000800.00020000.00000000.sdmp, HALKBANK EKSTRE.exe, 0000000B.00000002.2464690903.00000000033DE000.00000004.00000800.00020000.00000000.sdmp, HALKBANK EKSTRE.exe, 0000000B.00000002.2464690903.0000000003400000.00000004.00000800.00020000.00000000.sdmp, gaOQxNyy.exe, 00000016.00000002.2464836827.000000000335D000.00000004.00000800.00020000.00000000.sdmp, gaOQxNyy.exe, 00000016.00000002.2464836827.000000000333C000.00000004.00000800.00020000.00000000.sdmp, gaOQxNyy.exe, 00000016.00000002.2464836827.000000000332E000.00000004.00000800.00020000.00000000.sdmp, gaOQxNyy.exe, 00000016.00000002.2464836827.0000000003350000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: HALKBANK EKSTRE.exe	Virustotal: Detection: 34%
Source: HALKBANK EKSTRE.exe	ReversingLabs: Detection: 63%

Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe

File read: C:\Users\user\Desktop\HALKBANK EKSTRE.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\HALKBANK EKSTRE.exe "C:\Users\user\Desktop\HALKBANK EKSTRE.exe"
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HALKBANK EKSTRE.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gaOQxNyy.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gaOQxNyy" /XML "C:\Users\user\AppData\Local\Temp\tmp93F7.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process created: C:\Users\user\Desktop\HALKBANK EKSTRE.exe "C:\Users\user\Desktop\HALKBANK EKSTRE.exe"
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process created: C:\Users\user\Desktop\HALKBANK EKSTRE.exe "C:\Users\user\Desktop\HALKBANK EKSTRE.exe"
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process created: C:\Users\user\Desktop\HALKBANK EKSTRE.exe "C:\Users\user\Desktop\HALKBANK EKSTRE.exe"
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Users\user\AppData\Roaming\gaOQxNyy.exe C:\Users\user\AppData\Roaming\gaOQxNyy.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gaOQxNyy" /XML "C:\Users\user\AppData\Local\Temp\tmpA55C.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process created: C:\Users\user\AppData\Roaming\gaOQxNyy.exe "C:\Users\user\AppData\Roaming\gaOQxNyy.exe"
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HALKBANK EKSTRE.exe"	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gaOQxNyy.exe"	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gaOQxNyy" /XML "C:\Users\user\AppData\Local\Temp\tmp93F7.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process created: C:\Users\user\Desktop\HALKBANK EKSTRE.exe "C:\Users\user\Desktop\HALKBANK EKSTRE.exe"	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process created: C:\Users\user\Desktop\HALKBANK EKSTRE.exe "C:\Users\user\Desktop\HALKBANK EKSTRE.exe"	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process created: C:\Users\user\Desktop\HALKBANK EKSTRE.exe "C:\Users\user\Desktop\HALKBANK EKSTRE.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gaOQxNyy" /XML "C:\Users\user\AppData\Local\Temp\tmpA55C.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process created: C:\Users\user\AppData\Roaming\gaOQxNyy.exe "C:\Users\user\AppData\Roaming\gaOQxNyy.exe"	Jump to behavior

Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: moshost.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mapsbtsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mosstorage.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mapconfiguration.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Section loaded: dpapi.dll

Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: HALKBANK EKSTRE.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: HALKBANK EKSTRE.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: HALKBANK EKSTRE.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: mNUg.pdb source: HALKBANK EKSTRE.exe, gaOQxNyy.exe.0.dr
Source:	Binary string: mNUg.pdbSHA256.O source: HALKBANK EKSTRE.exe, gaOQxNyy.exe.0.dr

Data Obfuscation

.NET source code contains potential unpacker

Source: HALKBANK EKSTRE.exe, Form6.cs	.Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: gaOQxNyy.exe.0.dr, Form6.cs	.Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: 0.2.HALKBANK EKSTRE.exe.4179888.1.raw.unpack, AFYUlqhR5MpTr4LumJ.cs	.Net Code: NW8g6wOy1G System.Reflection.Assembly.Load(byte[])
Source: 0.2.HALKBANK EKSTRE.exe.411e868.3.raw.unpack, AFYUlqhR5MpTr4LumJ.cs	.Net Code: NW8g6wOy1G System.Reflection.Assembly.Load(byte[])
Source: 0.2.HALKBANK EKSTRE.exe.8d20000.6.raw.unpack, AFYUlqhR5MpTr4LumJ.cs	.Net Code: NW8g6wOy1G System.Reflection.Assembly.Load(byte[])

Source: HALKBANK EKSTRE.exe

Static PE information: 0xB0B48F79 [Tue Dec 11 18:27:05 2063 UTC]

Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 0_2_054766AD push esp; iretd	0_2_054766AE
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 0_2_071C72A5 push esp; iretd	0_2_071C72B9
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 0_2_075D3698 push eax; ret	0_2_075D3A31
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 0_2_075D4960 push eax; iretd	0_2_075D4961
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 0_2_076775ED pushfd ; ret	0_2_076775EE
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 0_2_076704A0 pushfd ; ret	0_2_076704A1
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 0_2_07677D9E pushfd ; ret	0_2_07677D9F
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Code function: 0_2_07670CE6 pushfd ; ret	0_2_07670CE7
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Code function: 13_2_0758A1E0 pushfd ; retn 0757h	13_2_0758A5D1
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Code function: 13_2_075E72A5 push esp; iretd	13_2_075E72B9
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Code function: 13_2_078F3698 push eax; ret	13_2_078F3A31
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Code function: 13_2_078F8DF9 push eax; mov dword ptr [esp], edx	13_2_078F8E0C
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Code function: 13_2_078F4960 push eax; iretd	13_2_078F4961
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Code function: 13_2_08C80CE6 pushfd ; ret	13_2_08C80CE7
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Code function: 13_2_08C87D9E pushfd ; ret	13_2_08C87D9F
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Code function: 13_2_08C804A0 pushfd ; ret	13_2_08C804A1
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Code function: 13_2_08C875ED pushfd ; ret	13_2_08C875EE
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Code function: 22_2_015CB3A8 push eax; iretd	22_2_015CB445

Source: HALKBANK EKSTRE.exe	Static PE information: section name: .text entropy: 7.58895397277786
Source: gaOQxNyy.exe.0.dr	Static PE information: section name: .text entropy: 7.58895397277786

Source: 0.2.HALKBANK EKSTRE.exe.4179888.1.raw.unpack, ppVx4qSB7CH0KRB072.cs	High entropy of concatenated method names: 'Dispose', 'mfYXqXw5xa', 'VnuDLXIkp4', 'kFkPnurCxI', 'qaoXmn5H5L', 'y5kXz1YHWX', 'ProcessDialogKey', 'TyFDPL22Rl', 'GCrDXIpjTc', 'IcFDDmVob9'
Source: 0.2.HALKBANK EKSTRE.exe.4179888.1.raw.unpack, JL22RlqLCrIpjTcacF.cs	High entropy of concatenated method names: 'MTZ1Gr2LsG', 'tXY1Lj5Yvj', 'vJJ1a8cPPf', 'nMv1F6sdLi', 'LPG18UG5lV', 'lY11whg0TT', 'xcd1vXiiQH', 'NtQ1CMkyZs', 'K2m1JgloUc', 'AWg1HjpWSN'
Source: 0.2.HALKBANK EKSTRE.exe.4179888.1.raw.unpack, KnnRsdUBARhCMDLsqO.cs	High entropy of concatenated method names: 'wilVpgYH6F', 'HKLVQLNTCs', 'wVYVGa6sZI', 'CO1VLceYPm', 'CbTVFig089', 'Oa4V8Jrwxb', 'NEtVvW2ZjA', 'Ho7VCWIhaX', 'qvxVHpufGg', 'MY6VERU9tv'
Source: 0.2.HALKBANK EKSTRE.exe.4179888.1.raw.unpack, ANC2e1XXW0xGxfYg33d.cs	High entropy of concatenated method names: 'BPtWmrBUPs', 'WoTWz3a9eJ', 'dWVsPFc4xe', 'Y2usXgKttJ', 'SZVsDu5Qj3', 'hr2s7WkoJD', 'lqesgrdvcR', 'LIrst2wMgd', 'nbfsIn965h', 'y08sSXZsDS'
Source: 0.2.HALKBANK EKSTRE.exe.4179888.1.raw.unpack, YVob99mAduO1iiahqT.cs	High entropy of concatenated method names: 'vfSW0GfdsC', 'Cn0WKn4Bnq', 'NkdWMfjdok', 'uQBWjcQZc7', 'RhJW1ebAV3', 'nAlWhtFY5m', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.HALKBANK EKSTRE.exe.4179888.1.raw.unpack, SJb6SKQBfnO226RxPN.cs	High entropy of concatenated method names: 'Rfl04WWS2V', 'ous09kmmhl', 'xOA0pnfQcU', 'jGK0QAWPKn', 'eF20BE1BYh', 'Jyn0rJNuTv', 'nF50olq4TY', 'Get0ibQiad', 'KsI01INQZN', 'mt90W4OKCZ'
Source: 0.2.HALKBANK EKSTRE.exe.4179888.1.raw.unpack, MWBnt9zNCCyZm4FG9Y.cs	High entropy of concatenated method names: 'YCkW9BKR7T', 'DRPWpmXlga', 'eAvWQ1QvoZ', 'iEXWG3m33u', 'C7QWLs0n5V', 'xN2WF7U3LX', 'PNoW8ENATq', 'ipXWdMFBqv', 'KMFWYnQkdH', 'YUOWZ0S7tQ'
Source: 0.2.HALKBANK EKSTRE.exe.4179888.1.raw.unpack, YElVNf5bENfYXw5xao.cs	High entropy of concatenated method names: 'Hdq1Blpcmc', 'cpj1okDUVH', 'a1I11Tw1YP', 'uZM1sWuy4t', 'rbT1fDNeor', 'rKC1dvqLy4', 'Dispose', 'YdriImcuaa', 'hlAiSp6EqB', 'tKji0WsiUX'
Source: 0.2.HALKBANK EKSTRE.exe.4179888.1.raw.unpack, Dhv7DNDVdtyC8d3wLt.cs	High entropy of concatenated method names: 'Q0D6j9CFF', 'esl4CuCEG', 'KnE9AeG0Z', 'H8KT4EsR4', 'DkEQpsaYP', 'OpxyqgfQy', 'gSi0jXdlGLcMXSmC5U', 'EkKa5OUPra5wRTJRWZ', 'tZwiR4is7', 'iUaWIYyNT'
Source: 0.2.HALKBANK EKSTRE.exe.4179888.1.raw.unpack, W6LqIxuVIgSJ2xH84S.cs	High entropy of concatenated method names: 'rn0olvQiee', 'EcYomdpoPF', 'e8IiPoF0gg', 'ETpiXN7Vvx', 'AwMoEKEQtg', 'LfDonu2TCB', 'Du6oUP7U4Q', 'c8LoRGn5Xw', 'gJnoAo6orx', 'D9EocShy8B'
Source: 0.2.HALKBANK EKSTRE.exe.4179888.1.raw.unpack, J0A2dtg0YnF2HtALOk.cs	High entropy of concatenated method names: 'ajwXjdmZeV', 'Wo8XhaArYT', 'iBfXNnO226', 'RxPXeN30gk', 'NaYXBc1tIe', 'YOCXrB4AaP', 'EfH2iMwnUNDWewAF5h', 'EQm5a4Rj8w0le69pi9', 'uDJXX5xCNL', 'xHfX71INAc'
Source: 0.2.HALKBANK EKSTRE.exe.4179888.1.raw.unpack, Lsq3vZJAsV2P2hDQ0U.cs	High entropy of concatenated method names: 'HQcjYT69ZQ', 's0pjZnL1A7', 'NJKj6nkRAA', 'aTyj48jMjb', 'k8cj3pmk2M', 'X5Cj9N8CNN', 'aHWjTnDHVs', 'J2OjpwMXfZ', 'WVKjQC8AWG', 'RcIjy6TVGT'
Source: 0.2.HALKBANK EKSTRE.exe.4179888.1.raw.unpack, EQcvvkvHPy062ds45n.cs	High entropy of concatenated method names: 'LWDjIPdiCr', 'B7ej09u5xY', 'xLwjMMAHLT', 'pRLMmlRc26', 'qJmMzOknAV', 'pSxjP8NkXK', 'G55jXHly8q', 'WdOjD7GI02', 'Drxj75t6XD', 'xfVjg8KnsI'
Source: 0.2.HALKBANK EKSTRE.exe.4179888.1.raw.unpack, y5JRJd0Cy1lO415glq.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'vpyDqxlCMI', 'nHsDmV63L6', 'PoFDzaZwa3', 'OQ97PplTq3', 'y4i7X82atI', 'lVq7D5mKxF', 'sqn77mGWZx', 'Ec4xmc6ZFb8pUcW2Vd5'
Source: 0.2.HALKBANK EKSTRE.exe.4179888.1.raw.unpack, CITRObcfv2km8aOFBC.cs	High entropy of concatenated method names: 'ToString', 'kL4rEdj9KU', 'LbjrLG6ulI', 'Lvnra8WceD', 'ns5rFlSeLc', 'GIxr8q94it', 'XMnrw6KyeF', 'fOkrv1oBTg', 'RV4rCGg9vq', 'xhArJoj72O'
Source: 0.2.HALKBANK EKSTRE.exe.4179888.1.raw.unpack, A0gkGkyP3SqLBHaYc1.cs	High entropy of concatenated method names: 'VtxK34eHdV', 'NJmKTDOEAL', 'GYA0aDMmo4', 'K8w0Figvbc', 'XXm08Falr2', 'yq50wZrQX8', 'Axa0vPjG03', 'TZi0CBge1R', 'PPV0JHrgW9', 'ICy0HL9hu7'
Source: 0.2.HALKBANK EKSTRE.exe.4179888.1.raw.unpack, eIemOCGB4AaP9VwbVS.cs	High entropy of concatenated method names: 'xrMMtgmWjF', 'p6JMSuu21T', 'OysMK8XxKW', 'c8CMjsJOYs', 'HbHMhc4uxp', 'CjgKxfpj74', 'Q4DKuBJB9c', 'Sr0K5ZfLUc', 'ib5KlOjvPp', 'PofKqJ70Bb'
Source: 0.2.HALKBANK EKSTRE.exe.4179888.1.raw.unpack, JdmZeVp5o8aArYTNg1.cs	High entropy of concatenated method names: 'LSVSRB09pY', 'KhdSAdgTe8', 'TBuSckv4L3', 'HfOSkdgDTd', 'oaqSxrKYUr', 'sU5Su9pp9K', 'tbmS5IrZ7A', 'dxUSlLgbaL', 'HwuSqDG2Q2', 'sqDSmpiQE5'
Source: 0.2.HALKBANK EKSTRE.exe.4179888.1.raw.unpack, CQf7xOXg9kpdR0maPtv.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'h2M21ZB8DU', 'Exj2WglHdq', 'TRT2s8Ghxa', 'uiL22LU9Ia', 'I0a2fBUHU8', 'KOW2Oobvcg', 'WRQ2dTSB7H'
Source: 0.2.HALKBANK EKSTRE.exe.4179888.1.raw.unpack, JnavLPXPRhrPGpmGZQZ.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'VBIWE5jgNI', 'unhWnoHbdC', 'HpnWUxs8d3', 'DBcWR0WBbF', 'TM4WAjrDCI', 'O6wWcGXspW', 'h0CWkQFFMy'
Source: 0.2.HALKBANK EKSTRE.exe.4179888.1.raw.unpack, AFYUlqhR5MpTr4LumJ.cs	High entropy of concatenated method names: 'Pvj7t9tcrL', 'Wx97IFalDe', 'Wdb7ShEGmo', 'pYS70cyD6S', 'EX87K8FvuH', 'cMe7M5sZ8W', 'vNt7j4Xh8s', 'Bql7h5QkO5', 'tY57bOHuow', 'Beh7NuNR7A'
Source: 0.2.HALKBANK EKSTRE.exe.411e868.3.raw.unpack, ppVx4qSB7CH0KRB072.cs	High entropy of concatenated method names: 'Dispose', 'mfYXqXw5xa', 'VnuDLXIkp4', 'kFkPnurCxI', 'qaoXmn5H5L', 'y5kXz1YHWX', 'ProcessDialogKey', 'TyFDPL22Rl', 'GCrDXIpjTc', 'IcFDDmVob9'
Source: 0.2.HALKBANK EKSTRE.exe.411e868.3.raw.unpack, JL22RlqLCrIpjTcacF.cs	High entropy of concatenated method names: 'MTZ1Gr2LsG', 'tXY1Lj5Yvj', 'vJJ1a8cPPf', 'nMv1F6sdLi', 'LPG18UG5lV', 'lY11whg0TT', 'xcd1vXiiQH', 'NtQ1CMkyZs', 'K2m1JgloUc', 'AWg1HjpWSN'
Source: 0.2.HALKBANK EKSTRE.exe.411e868.3.raw.unpack, KnnRsdUBARhCMDLsqO.cs	High entropy of concatenated method names: 'wilVpgYH6F', 'HKLVQLNTCs', 'wVYVGa6sZI', 'CO1VLceYPm', 'CbTVFig089', 'Oa4V8Jrwxb', 'NEtVvW2ZjA', 'Ho7VCWIhaX', 'qvxVHpufGg', 'MY6VERU9tv'
Source: 0.2.HALKBANK EKSTRE.exe.411e868.3.raw.unpack, ANC2e1XXW0xGxfYg33d.cs	High entropy of concatenated method names: 'BPtWmrBUPs', 'WoTWz3a9eJ', 'dWVsPFc4xe', 'Y2usXgKttJ', 'SZVsDu5Qj3', 'hr2s7WkoJD', 'lqesgrdvcR', 'LIrst2wMgd', 'nbfsIn965h', 'y08sSXZsDS'
Source: 0.2.HALKBANK EKSTRE.exe.411e868.3.raw.unpack, YVob99mAduO1iiahqT.cs	High entropy of concatenated method names: 'vfSW0GfdsC', 'Cn0WKn4Bnq', 'NkdWMfjdok', 'uQBWjcQZc7', 'RhJW1ebAV3', 'nAlWhtFY5m', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.HALKBANK EKSTRE.exe.411e868.3.raw.unpack, SJb6SKQBfnO226RxPN.cs	High entropy of concatenated method names: 'Rfl04WWS2V', 'ous09kmmhl', 'xOA0pnfQcU', 'jGK0QAWPKn', 'eF20BE1BYh', 'Jyn0rJNuTv', 'nF50olq4TY', 'Get0ibQiad', 'KsI01INQZN', 'mt90W4OKCZ'
Source: 0.2.HALKBANK EKSTRE.exe.411e868.3.raw.unpack, MWBnt9zNCCyZm4FG9Y.cs	High entropy of concatenated method names: 'YCkW9BKR7T', 'DRPWpmXlga', 'eAvWQ1QvoZ', 'iEXWG3m33u', 'C7QWLs0n5V', 'xN2WF7U3LX', 'PNoW8ENATq', 'ipXWdMFBqv', 'KMFWYnQkdH', 'YUOWZ0S7tQ'
Source: 0.2.HALKBANK EKSTRE.exe.411e868.3.raw.unpack, YElVNf5bENfYXw5xao.cs	High entropy of concatenated method names: 'Hdq1Blpcmc', 'cpj1okDUVH', 'a1I11Tw1YP', 'uZM1sWuy4t', 'rbT1fDNeor', 'rKC1dvqLy4', 'Dispose', 'YdriImcuaa', 'hlAiSp6EqB', 'tKji0WsiUX'
Source: 0.2.HALKBANK EKSTRE.exe.411e868.3.raw.unpack, Dhv7DNDVdtyC8d3wLt.cs	High entropy of concatenated method names: 'Q0D6j9CFF', 'esl4CuCEG', 'KnE9AeG0Z', 'H8KT4EsR4', 'DkEQpsaYP', 'OpxyqgfQy', 'gSi0jXdlGLcMXSmC5U', 'EkKa5OUPra5wRTJRWZ', 'tZwiR4is7', 'iUaWIYyNT'
Source: 0.2.HALKBANK EKSTRE.exe.411e868.3.raw.unpack, W6LqIxuVIgSJ2xH84S.cs	High entropy of concatenated method names: 'rn0olvQiee', 'EcYomdpoPF', 'e8IiPoF0gg', 'ETpiXN7Vvx', 'AwMoEKEQtg', 'LfDonu2TCB', 'Du6oUP7U4Q', 'c8LoRGn5Xw', 'gJnoAo6orx', 'D9EocShy8B'
Source: 0.2.HALKBANK EKSTRE.exe.411e868.3.raw.unpack, J0A2dtg0YnF2HtALOk.cs	High entropy of concatenated method names: 'ajwXjdmZeV', 'Wo8XhaArYT', 'iBfXNnO226', 'RxPXeN30gk', 'NaYXBc1tIe', 'YOCXrB4AaP', 'EfH2iMwnUNDWewAF5h', 'EQm5a4Rj8w0le69pi9', 'uDJXX5xCNL', 'xHfX71INAc'
Source: 0.2.HALKBANK EKSTRE.exe.411e868.3.raw.unpack, Lsq3vZJAsV2P2hDQ0U.cs	High entropy of concatenated method names: 'HQcjYT69ZQ', 's0pjZnL1A7', 'NJKj6nkRAA', 'aTyj48jMjb', 'k8cj3pmk2M', 'X5Cj9N8CNN', 'aHWjTnDHVs', 'J2OjpwMXfZ', 'WVKjQC8AWG', 'RcIjy6TVGT'
Source: 0.2.HALKBANK EKSTRE.exe.411e868.3.raw.unpack, EQcvvkvHPy062ds45n.cs	High entropy of concatenated method names: 'LWDjIPdiCr', 'B7ej09u5xY', 'xLwjMMAHLT', 'pRLMmlRc26', 'qJmMzOknAV', 'pSxjP8NkXK', 'G55jXHly8q', 'WdOjD7GI02', 'Drxj75t6XD', 'xfVjg8KnsI'
Source: 0.2.HALKBANK EKSTRE.exe.411e868.3.raw.unpack, y5JRJd0Cy1lO415glq.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'vpyDqxlCMI', 'nHsDmV63L6', 'PoFDzaZwa3', 'OQ97PplTq3', 'y4i7X82atI', 'lVq7D5mKxF', 'sqn77mGWZx', 'Ec4xmc6ZFb8pUcW2Vd5'
Source: 0.2.HALKBANK EKSTRE.exe.411e868.3.raw.unpack, CITRObcfv2km8aOFBC.cs	High entropy of concatenated method names: 'ToString', 'kL4rEdj9KU', 'LbjrLG6ulI', 'Lvnra8WceD', 'ns5rFlSeLc', 'GIxr8q94it', 'XMnrw6KyeF', 'fOkrv1oBTg', 'RV4rCGg9vq', 'xhArJoj72O'
Source: 0.2.HALKBANK EKSTRE.exe.411e868.3.raw.unpack, A0gkGkyP3SqLBHaYc1.cs	High entropy of concatenated method names: 'VtxK34eHdV', 'NJmKTDOEAL', 'GYA0aDMmo4', 'K8w0Figvbc', 'XXm08Falr2', 'yq50wZrQX8', 'Axa0vPjG03', 'TZi0CBge1R', 'PPV0JHrgW9', 'ICy0HL9hu7'
Source: 0.2.HALKBANK EKSTRE.exe.411e868.3.raw.unpack, eIemOCGB4AaP9VwbVS.cs	High entropy of concatenated method names: 'xrMMtgmWjF', 'p6JMSuu21T', 'OysMK8XxKW', 'c8CMjsJOYs', 'HbHMhc4uxp', 'CjgKxfpj74', 'Q4DKuBJB9c', 'Sr0K5ZfLUc', 'ib5KlOjvPp', 'PofKqJ70Bb'
Source: 0.2.HALKBANK EKSTRE.exe.411e868.3.raw.unpack, JdmZeVp5o8aArYTNg1.cs	High entropy of concatenated method names: 'LSVSRB09pY', 'KhdSAdgTe8', 'TBuSckv4L3', 'HfOSkdgDTd', 'oaqSxrKYUr', 'sU5Su9pp9K', 'tbmS5IrZ7A', 'dxUSlLgbaL', 'HwuSqDG2Q2', 'sqDSmpiQE5'
Source: 0.2.HALKBANK EKSTRE.exe.411e868.3.raw.unpack, CQf7xOXg9kpdR0maPtv.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'h2M21ZB8DU', 'Exj2WglHdq', 'TRT2s8Ghxa', 'uiL22LU9Ia', 'I0a2fBUHU8', 'KOW2Oobvcg', 'WRQ2dTSB7H'
Source: 0.2.HALKBANK EKSTRE.exe.411e868.3.raw.unpack, JnavLPXPRhrPGpmGZQZ.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'VBIWE5jgNI', 'unhWnoHbdC', 'HpnWUxs8d3', 'DBcWR0WBbF', 'TM4WAjrDCI', 'O6wWcGXspW', 'h0CWkQFFMy'
Source: 0.2.HALKBANK EKSTRE.exe.411e868.3.raw.unpack, AFYUlqhR5MpTr4LumJ.cs	High entropy of concatenated method names: 'Pvj7t9tcrL', 'Wx97IFalDe', 'Wdb7ShEGmo', 'pYS70cyD6S', 'EX87K8FvuH', 'cMe7M5sZ8W', 'vNt7j4Xh8s', 'Bql7h5QkO5', 'tY57bOHuow', 'Beh7NuNR7A'
Source: 0.2.HALKBANK EKSTRE.exe.8d20000.6.raw.unpack, ppVx4qSB7CH0KRB072.cs	High entropy of concatenated method names: 'Dispose', 'mfYXqXw5xa', 'VnuDLXIkp4', 'kFkPnurCxI', 'qaoXmn5H5L', 'y5kXz1YHWX', 'ProcessDialogKey', 'TyFDPL22Rl', 'GCrDXIpjTc', 'IcFDDmVob9'
Source: 0.2.HALKBANK EKSTRE.exe.8d20000.6.raw.unpack, JL22RlqLCrIpjTcacF.cs	High entropy of concatenated method names: 'MTZ1Gr2LsG', 'tXY1Lj5Yvj', 'vJJ1a8cPPf', 'nMv1F6sdLi', 'LPG18UG5lV', 'lY11whg0TT', 'xcd1vXiiQH', 'NtQ1CMkyZs', 'K2m1JgloUc', 'AWg1HjpWSN'
Source: 0.2.HALKBANK EKSTRE.exe.8d20000.6.raw.unpack, KnnRsdUBARhCMDLsqO.cs	High entropy of concatenated method names: 'wilVpgYH6F', 'HKLVQLNTCs', 'wVYVGa6sZI', 'CO1VLceYPm', 'CbTVFig089', 'Oa4V8Jrwxb', 'NEtVvW2ZjA', 'Ho7VCWIhaX', 'qvxVHpufGg', 'MY6VERU9tv'
Source: 0.2.HALKBANK EKSTRE.exe.8d20000.6.raw.unpack, ANC2e1XXW0xGxfYg33d.cs	High entropy of concatenated method names: 'BPtWmrBUPs', 'WoTWz3a9eJ', 'dWVsPFc4xe', 'Y2usXgKttJ', 'SZVsDu5Qj3', 'hr2s7WkoJD', 'lqesgrdvcR', 'LIrst2wMgd', 'nbfsIn965h', 'y08sSXZsDS'
Source: 0.2.HALKBANK EKSTRE.exe.8d20000.6.raw.unpack, YVob99mAduO1iiahqT.cs	High entropy of concatenated method names: 'vfSW0GfdsC', 'Cn0WKn4Bnq', 'NkdWMfjdok', 'uQBWjcQZc7', 'RhJW1ebAV3', 'nAlWhtFY5m', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.HALKBANK EKSTRE.exe.8d20000.6.raw.unpack, SJb6SKQBfnO226RxPN.cs	High entropy of concatenated method names: 'Rfl04WWS2V', 'ous09kmmhl', 'xOA0pnfQcU', 'jGK0QAWPKn', 'eF20BE1BYh', 'Jyn0rJNuTv', 'nF50olq4TY', 'Get0ibQiad', 'KsI01INQZN', 'mt90W4OKCZ'
Source: 0.2.HALKBANK EKSTRE.exe.8d20000.6.raw.unpack, MWBnt9zNCCyZm4FG9Y.cs	High entropy of concatenated method names: 'YCkW9BKR7T', 'DRPWpmXlga', 'eAvWQ1QvoZ', 'iEXWG3m33u', 'C7QWLs0n5V', 'xN2WF7U3LX', 'PNoW8ENATq', 'ipXWdMFBqv', 'KMFWYnQkdH', 'YUOWZ0S7tQ'
Source: 0.2.HALKBANK EKSTRE.exe.8d20000.6.raw.unpack, YElVNf5bENfYXw5xao.cs	High entropy of concatenated method names: 'Hdq1Blpcmc', 'cpj1okDUVH', 'a1I11Tw1YP', 'uZM1sWuy4t', 'rbT1fDNeor', 'rKC1dvqLy4', 'Dispose', 'YdriImcuaa', 'hlAiSp6EqB', 'tKji0WsiUX'
Source: 0.2.HALKBANK EKSTRE.exe.8d20000.6.raw.unpack, Dhv7DNDVdtyC8d3wLt.cs	High entropy of concatenated method names: 'Q0D6j9CFF', 'esl4CuCEG', 'KnE9AeG0Z', 'H8KT4EsR4', 'DkEQpsaYP', 'OpxyqgfQy', 'gSi0jXdlGLcMXSmC5U', 'EkKa5OUPra5wRTJRWZ', 'tZwiR4is7', 'iUaWIYyNT'
Source: 0.2.HALKBANK EKSTRE.exe.8d20000.6.raw.unpack, W6LqIxuVIgSJ2xH84S.cs	High entropy of concatenated method names: 'rn0olvQiee', 'EcYomdpoPF', 'e8IiPoF0gg', 'ETpiXN7Vvx', 'AwMoEKEQtg', 'LfDonu2TCB', 'Du6oUP7U4Q', 'c8LoRGn5Xw', 'gJnoAo6orx', 'D9EocShy8B'
Source: 0.2.HALKBANK EKSTRE.exe.8d20000.6.raw.unpack, J0A2dtg0YnF2HtALOk.cs	High entropy of concatenated method names: 'ajwXjdmZeV', 'Wo8XhaArYT', 'iBfXNnO226', 'RxPXeN30gk', 'NaYXBc1tIe', 'YOCXrB4AaP', 'EfH2iMwnUNDWewAF5h', 'EQm5a4Rj8w0le69pi9', 'uDJXX5xCNL', 'xHfX71INAc'
Source: 0.2.HALKBANK EKSTRE.exe.8d20000.6.raw.unpack, Lsq3vZJAsV2P2hDQ0U.cs	High entropy of concatenated method names: 'HQcjYT69ZQ', 's0pjZnL1A7', 'NJKj6nkRAA', 'aTyj48jMjb', 'k8cj3pmk2M', 'X5Cj9N8CNN', 'aHWjTnDHVs', 'J2OjpwMXfZ', 'WVKjQC8AWG', 'RcIjy6TVGT'
Source: 0.2.HALKBANK EKSTRE.exe.8d20000.6.raw.unpack, EQcvvkvHPy062ds45n.cs	High entropy of concatenated method names: 'LWDjIPdiCr', 'B7ej09u5xY', 'xLwjMMAHLT', 'pRLMmlRc26', 'qJmMzOknAV', 'pSxjP8NkXK', 'G55jXHly8q', 'WdOjD7GI02', 'Drxj75t6XD', 'xfVjg8KnsI'
Source: 0.2.HALKBANK EKSTRE.exe.8d20000.6.raw.unpack, y5JRJd0Cy1lO415glq.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'vpyDqxlCMI', 'nHsDmV63L6', 'PoFDzaZwa3', 'OQ97PplTq3', 'y4i7X82atI', 'lVq7D5mKxF', 'sqn77mGWZx', 'Ec4xmc6ZFb8pUcW2Vd5'
Source: 0.2.HALKBANK EKSTRE.exe.8d20000.6.raw.unpack, CITRObcfv2km8aOFBC.cs	High entropy of concatenated method names: 'ToString', 'kL4rEdj9KU', 'LbjrLG6ulI', 'Lvnra8WceD', 'ns5rFlSeLc', 'GIxr8q94it', 'XMnrw6KyeF', 'fOkrv1oBTg', 'RV4rCGg9vq', 'xhArJoj72O'
Source: 0.2.HALKBANK EKSTRE.exe.8d20000.6.raw.unpack, A0gkGkyP3SqLBHaYc1.cs	High entropy of concatenated method names: 'VtxK34eHdV', 'NJmKTDOEAL', 'GYA0aDMmo4', 'K8w0Figvbc', 'XXm08Falr2', 'yq50wZrQX8', 'Axa0vPjG03', 'TZi0CBge1R', 'PPV0JHrgW9', 'ICy0HL9hu7'
Source: 0.2.HALKBANK EKSTRE.exe.8d20000.6.raw.unpack, eIemOCGB4AaP9VwbVS.cs	High entropy of concatenated method names: 'xrMMtgmWjF', 'p6JMSuu21T', 'OysMK8XxKW', 'c8CMjsJOYs', 'HbHMhc4uxp', 'CjgKxfpj74', 'Q4DKuBJB9c', 'Sr0K5ZfLUc', 'ib5KlOjvPp', 'PofKqJ70Bb'
Source: 0.2.HALKBANK EKSTRE.exe.8d20000.6.raw.unpack, JdmZeVp5o8aArYTNg1.cs	High entropy of concatenated method names: 'LSVSRB09pY', 'KhdSAdgTe8', 'TBuSckv4L3', 'HfOSkdgDTd', 'oaqSxrKYUr', 'sU5Su9pp9K', 'tbmS5IrZ7A', 'dxUSlLgbaL', 'HwuSqDG2Q2', 'sqDSmpiQE5'
Source: 0.2.HALKBANK EKSTRE.exe.8d20000.6.raw.unpack, CQf7xOXg9kpdR0maPtv.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'h2M21ZB8DU', 'Exj2WglHdq', 'TRT2s8Ghxa', 'uiL22LU9Ia', 'I0a2fBUHU8', 'KOW2Oobvcg', 'WRQ2dTSB7H'
Source: 0.2.HALKBANK EKSTRE.exe.8d20000.6.raw.unpack, JnavLPXPRhrPGpmGZQZ.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'VBIWE5jgNI', 'unhWnoHbdC', 'HpnWUxs8d3', 'DBcWR0WBbF', 'TM4WAjrDCI', 'O6wWcGXspW', 'h0CWkQFFMy'
Source: 0.2.HALKBANK EKSTRE.exe.8d20000.6.raw.unpack, AFYUlqhR5MpTr4LumJ.cs	High entropy of concatenated method names: 'Pvj7t9tcrL', 'Wx97IFalDe', 'Wdb7ShEGmo', 'pYS70cyD6S', 'EX87K8FvuH', 'cMe7M5sZ8W', 'vNt7j4Xh8s', 'Bql7h5QkO5', 'tY57bOHuow', 'Beh7NuNR7A'

Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe

File created: C:\Users\user\AppData\Roaming\gaOQxNyy.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gaOQxNyy" /XML "C:\Users\user\AppData\Local\Temp\tmp93F7.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: HALKBANK EKSTRE.exe PID: 6256, type: MEMORYSTR

Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Memory allocated: 14D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Memory allocated: 2F60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Memory allocated: 2E70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Memory allocated: 16E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Memory allocated: 32F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Memory allocated: 1950000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Memory allocated: 1630000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Memory allocated: 3180000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Memory allocated: 5180000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Memory allocated: 15C0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Memory allocated: 3240000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Memory allocated: 30C0000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5897	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7210	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 718	Jump to behavior

Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe TID: 4456	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1448	Thread sleep count: 5897 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3840	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6532	Thread sleep count: 186 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6668	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7068	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6388	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe TID: 7344	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: gaOQxNyy.exe, 00000016.00000002.2461936631.0000000001458000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll [
Source: HALKBANK EKSTRE.exe, 0000000B.00000002.2463063386.00000000015C7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe

Code function: 11_2_058F0AB8 LdrInitializeThunk,LdrInitializeThunk,

11_2_058F0AB8

Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 0.2.HALKBANK EKSTRE.exe.4005220.4.raw.unpack, UltraSpeed.cs	Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
Source: 0.2.HALKBANK EKSTRE.exe.4005220.4.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
Source: 0.2.HALKBANK EKSTRE.exe.4005220.4.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text9 + "\\mozglue.dll"))

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HALKBANK EKSTRE.exe"
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gaOQxNyy.exe"
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HALKBANK EKSTRE.exe"	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gaOQxNyy.exe"	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Memory written: C:\Users\user\Desktop\HALKBANK EKSTRE.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Memory written: C:\Users\user\AppData\Roaming\gaOQxNyy.exe base: 400000 value starts with: 4D5A			Jump to behavior

Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HALKBANK EKSTRE.exe"	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gaOQxNyy.exe"	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gaOQxNyy" /XML "C:\Users\user\AppData\Local\Temp\tmp93F7.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process created: C:\Users\user\Desktop\HALKBANK EKSTRE.exe "C:\Users\user\Desktop\HALKBANK EKSTRE.exe"	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process created: C:\Users\user\Desktop\HALKBANK EKSTRE.exe "C:\Users\user\Desktop\HALKBANK EKSTRE.exe"	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Process created: C:\Users\user\Desktop\HALKBANK EKSTRE.exe "C:\Users\user\Desktop\HALKBANK EKSTRE.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gaOQxNyy" /XML "C:\Users\user\AppData\Local\Temp\tmpA55C.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Process created: C:\Users\user\AppData\Roaming\gaOQxNyy.exe "C:\Users\user\AppData\Roaming\gaOQxNyy.exe"	Jump to behavior

Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Queries volume information: C:\Users\user\Desktop\HALKBANK EKSTRE.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Queries volume information: C:\Users\user\Desktop\HALKBANK EKSTRE.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Queries volume information: C:\Users\user\AppData\Roaming\gaOQxNyy.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Queries volume information: C:\Users\user\AppData\Roaming\gaOQxNyy.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected MassLogger RAT

Source: Yara match	File source: 0.2.HALKBANK EKSTRE.exe.4005220.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HALKBANK EKSTRE.exe.3f82308.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HALKBANK EKSTRE.exe.3f82308.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HALKBANK EKSTRE.exe.4005220.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1261541050.0000000003F61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.2461072276.0000000000410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1261541050.0000000003FA2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: HALKBANK EKSTRE.exe PID: 6256, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: gaOQxNyy.exe PID: 7784, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.HALKBANK EKSTRE.exe.4005220.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HALKBANK EKSTRE.exe.3f82308.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HALKBANK EKSTRE.exe.3f82308.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HALKBANK EKSTRE.exe.4005220.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1261541050.0000000003F61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.2461072276.0000000000410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1261541050.0000000003FA2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: HALKBANK EKSTRE.exe PID: 6256, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: gaOQxNyy.exe PID: 7784, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\HALKBANK EKSTRE.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior
Source: C:\Users\user\AppData\Roaming\gaOQxNyy.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: Yara match	File source: 0.2.HALKBANK EKSTRE.exe.4005220.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HALKBANK EKSTRE.exe.3f82308.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HALKBANK EKSTRE.exe.3f82308.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HALKBANK EKSTRE.exe.4005220.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1261541050.0000000003F61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.2464836827.0000000003363000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.2461072276.0000000000410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2464690903.0000000003413000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1261541050.0000000003FA2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: HALKBANK EKSTRE.exe PID: 6256, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: HALKBANK EKSTRE.exe PID: 320, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: gaOQxNyy.exe PID: 7784, type: MEMORYSTR

Remote Access Functionality

Yara detected MassLogger RAT

Source: Yara match	File source: 0.2.HALKBANK EKSTRE.exe.4005220.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HALKBANK EKSTRE.exe.3f82308.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HALKBANK EKSTRE.exe.3f82308.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HALKBANK EKSTRE.exe.4005220.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1261541050.0000000003F61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.2461072276.0000000000410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1261541050.0000000003FA2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: HALKBANK EKSTRE.exe PID: 6256, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: gaOQxNyy.exe PID: 7784, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.HALKBANK EKSTRE.exe.4005220.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HALKBANK EKSTRE.exe.3f82308.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HALKBANK EKSTRE.exe.3f82308.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HALKBANK EKSTRE.exe.4005220.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1261541050.0000000003F61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.2461072276.0000000000410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1261541050.0000000003FA2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: HALKBANK EKSTRE.exe PID: 6256, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: gaOQxNyy.exe PID: 7784, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	111 Process Injection	1 Deobfuscate/Decode Files or Information	1 Input Capture	13 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Scheduled Task/Job	3 Obfuscated Files or Information	Security Account Manager	1 Query Registry	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Software Packing	NTDS	11 Security Software Discovery	Distributed Component Object Model	1 Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	1 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	31 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Masquerading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	31 Virtualization/Sandbox Evasion	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	111 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
HALKBANK EKSTRE.exe	35%	Virustotal		Browse
HALKBANK EKSTRE.exe	63%	ReversingLabs	ByteCode-MSIL.Trojan.Taskun
HALKBANK EKSTRE.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\gaOQxNyy.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\gaOQxNyy.exe	63%	ReversingLabs	ByteCode-MSIL.Trojan.Taskun
C:\Users\user\AppData\Roaming\gaOQxNyy.exe	35%	Virustotal		Browse

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	172.67.177.134	true	false	high
checkip.dyndns.com	193.122.6.168	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://reallyfreegeoip.org/xml/8.46.123.189	false		high
http://checkip.dyndns.org/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx	svchost.exe, 0000000C.00000002.1375711200.000001E558058000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1375190214.000001E558057000.00000004.00000020.00020000.00000000.sdmp	false	high
https://dev.ditu.live.com/REST/v1/Routes/	svchost.exe, 0000000C.00000002.1375774726.000001E558068000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1374842721.000001E558067000.00000004.00000020.00020000.00000000.sdmp	false	high
https://dev.virtualearth.net/REST/v1/Routes/Driving	svchost.exe, 0000000C.00000002.1375711200.000001E558058000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1375190214.000001E558057000.00000004.00000020.00020000.00000000.sdmp	false	high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx	svchost.exe, 0000000C.00000003.1375174055.000001E558041000.00000004.00000020.00020000.00000000.sdmp	false	high
https://dev.ditu.live.com/REST/v1/Transit/Stops/	svchost.exe, 0000000C.00000003.1374761841.000001E55806E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.1375791611.000001E558070000.00000004.00000020.00020000.00000000.sdmp	false	high
https://dev.virtualearth.net/REST/v1/Routes/	svchost.exe, 0000000C.00000002.1375774726.000001E558068000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.1375634616.000001E55802B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1374842721.000001E558067000.00000004.00000020.00020000.00000000.sdmp	false	high
https://dev.virtualearth.net/REST/v1/Traffic/Incidents/	svchost.exe, 0000000C.00000003.1374889298.000001E558062000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.1375634616.000001E55802B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.1375751810.000001E558063000.00000004.00000020.00020000.00000000.sdmp	false	high
http://reallyfreegeoip.orgd	HALKBANK EKSTRE.exe, 0000000B.00000002.2464690903.000000000338B000.00000004.00000800.00020000.00000000.sdmp, gaOQxNyy.exe, 00000016.00000002.2464836827.00000000032DB000.00000004.00000800.00020000.00000000.sdmp	false	high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=	svchost.exe, 0000000C.00000003.1375154641.000001E558047000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1375190214.000001E558057000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1375174055.000001E558041000.00000004.00000020.00020000.00000000.sdmp	false	high
https://dev.virtualearth.net/REST/v1/Routes/Walking	svchost.exe, 0000000C.00000002.1375711200.000001E558058000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1375190214.000001E558057000.00000004.00000020.00020000.00000000.sdmp	false	high
https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=	svchost.exe, 0000000C.00000002.1375672564.000001E558042000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1374963255.000001E55805E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1375174055.000001E558041000.00000004.00000020.00020000.00000000.sdmp	false	high
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?	svchost.exe, 0000000C.00000003.1374889298.000001E558062000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.1375751810.000001E558063000.00000004.00000020.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org	HALKBANK EKSTRE.exe, 0000000B.00000002.2464690903.0000000003359000.00000004.00000800.00020000.00000000.sdmp, HALKBANK EKSTRE.exe, 0000000B.00000002.2464690903.000000000336E000.00000004.00000800.00020000.00000000.sdmp, gaOQxNyy.exe, 00000016.00000002.2464836827.00000000032AC000.00000004.00000800.00020000.00000000.sdmp, gaOQxNyy.exe, 00000016.00000002.2464836827.00000000032BE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=	svchost.exe, 0000000C.00000003.1375154641.000001E558047000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1375174055.000001E558041000.00000004.00000020.00020000.00000000.sdmp	false	high
https://dev.virtualearth.net/REST/v1/Locations	svchost.exe, 0000000C.00000002.1375711200.000001E558058000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1375190214.000001E558057000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	HALKBANK EKSTRE.exe, gaOQxNyy.exe.0.dr	false	high
https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/	svchost.exe, 0000000C.00000002.1375711200.000001E558058000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1375190214.000001E558057000.00000004.00000020.00020000.00000000.sdmp	false	high
https://dev.virtualearth.net/mapcontrol/logging.ashx	svchost.exe, 0000000C.00000002.1375711200.000001E558058000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1375190214.000001E558057000.00000004.00000020.00020000.00000000.sdmp	false	high
https://dev.ditu.live.com/mapcontrol/logging.ashx	svchost.exe, 0000000C.00000002.1375711200.000001E558058000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1375190214.000001E558057000.00000004.00000020.00020000.00000000.sdmp	false	high
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/	svchost.exe, 0000000C.00000002.1375672564.000001E558042000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1374761841.000001E55806E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1374889298.000001E558062000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1375060736.000001E55805A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.1375791611.000001E558070000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1375174055.000001E558041000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.1375751810.000001E558063000.00000004.00000020.00020000.00000000.sdmp	false	high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=	svchost.exe, 0000000C.00000002.1375634616.000001E55802B000.00000004.00000020.00020000.00000000.sdmp	false	high
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=	svchost.exe, 0000000C.00000003.1375174055.000001E558041000.00000004.00000020.00020000.00000000.sdmp	false	high
https://dev.virtualearth.net/REST/v1/Transit/Schedules/	svchost.exe, 0000000C.00000002.1375672564.000001E558042000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1375174055.000001E558041000.00000004.00000020.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.189l	HALKBANK EKSTRE.exe, 0000000B.00000002.2464690903.000000000336E000.00000004.00000800.00020000.00000000.sdmp, gaOQxNyy.exe, 00000016.00000002.2464836827.00000000032BE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://dynamic.t	svchost.exe, 0000000C.00000002.1375791611.000001E558070000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1375174055.000001E558041000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.1375751810.000001E558063000.00000004.00000020.00020000.00000000.sdmp	false	high
http://checkip.dyndns.comd	HALKBANK EKSTRE.exe, 0000000B.00000002.2464690903.000000000336E000.00000004.00000800.00020000.00000000.sdmp, gaOQxNyy.exe, 00000016.00000002.2464836827.00000000032BE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://dev.virtualearth.net/REST/v1/Routes/Transit	svchost.exe, 0000000C.00000002.1375711200.000001E558058000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1375190214.000001E558057000.00000004.00000020.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/q	HALKBANK EKSTRE.exe, 00000000.00000002.1261541050.0000000003FA2000.00000004.00000800.00020000.00000000.sdmp, HALKBANK EKSTRE.exe, 00000000.00000002.1261541050.0000000003F61000.00000004.00000800.00020000.00000000.sdmp, gaOQxNyy.exe, 00000016.00000002.2461072276.0000000000410000.00000040.00000400.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.189d	HALKBANK EKSTRE.exe, 0000000B.00000002.2464690903.000000000336E000.00000004.00000800.00020000.00000000.sdmp, gaOQxNyy.exe, 00000016.00000002.2464836827.00000000032BE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://reallyfreegeoip.org	HALKBANK EKSTRE.exe, 0000000B.00000002.2464690903.000000000338B000.00000004.00000800.00020000.00000000.sdmp, gaOQxNyy.exe, 00000016.00000002.2464836827.00000000032DB000.00000004.00000800.00020000.00000000.sdmp	false	high
https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen	svchost.exe, 0000000C.00000002.1375711200.000001E558058000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1375190214.000001E558057000.00000004.00000020.00020000.00000000.sdmp	false	high
http://checkip.dyndns.orgd	HALKBANK EKSTRE.exe, 0000000B.00000002.2464690903.000000000336E000.00000004.00000800.00020000.00000000.sdmp, gaOQxNyy.exe, 00000016.00000002.2464836827.00000000032BE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org	HALKBANK EKSTRE.exe, 0000000B.00000002.2464690903.000000000336E000.00000004.00000800.00020000.00000000.sdmp, gaOQxNyy.exe, 00000016.00000002.2464836827.00000000032BE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=	svchost.exe, 0000000C.00000002.1375711200.000001E558058000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1375190214.000001E558057000.00000004.00000020.00020000.00000000.sdmp	false	high
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=	svchost.exe, 0000000C.00000003.1374889298.000001E558062000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.1375751810.000001E558063000.00000004.00000020.00020000.00000000.sdmp	false	high
http://checkip.dyndns.com	HALKBANK EKSTRE.exe, 0000000B.00000002.2464690903.000000000336E000.00000004.00000800.00020000.00000000.sdmp, gaOQxNyy.exe, 00000016.00000002.2464836827.00000000032BE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/d	HALKBANK EKSTRE.exe, 0000000B.00000002.2464690903.000000000336E000.00000004.00000800.00020000.00000000.sdmp, gaOQxNyy.exe, 00000016.00000002.2464836827.00000000032BE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	HALKBANK EKSTRE.exe, 00000000.00000002.1258234231.000000000301E000.00000004.00000800.00020000.00000000.sdmp, HALKBANK EKSTRE.exe, 0000000B.00000002.2464690903.00000000032F1000.00000004.00000800.00020000.00000000.sdmp, gaOQxNyy.exe, 0000000D.00000002.1307259393.000000000323E000.00000004.00000800.00020000.00000000.sdmp, gaOQxNyy.exe, 00000016.00000002.2464836827.0000000003241000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.bingmapsportal.com	svchost.exe, 0000000C.00000002.1375611284.000001E558013000.00000004.00000020.00020000.00000000.sdmp	false	high
https://dev.ditu.live.com/REST/v1/Locations	svchost.exe, 0000000C.00000002.1375711200.000001E558058000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1375190214.000001E558057000.00000004.00000020.00020000.00000000.sdmp	false	high
https://dev.virtualearth.net/REST/v1/Imagery/Copyright/	svchost.exe, 0000000C.00000003.1374889298.000001E558062000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1375060736.000001E55805A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.1375634616.000001E55802B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.1375751810.000001E558063000.00000004.00000020.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot-/sendDocument?chat_id=	HALKBANK EKSTRE.exe, 00000000.00000002.1261541050.0000000003FA2000.00000004.00000800.00020000.00000000.sdmp, HALKBANK EKSTRE.exe, 00000000.00000002.1261541050.0000000003F61000.00000004.00000800.00020000.00000000.sdmp, gaOQxNyy.exe, 00000016.00000002.2461072276.0000000000410000.00000040.00000400.00020000.00000000.sdmp	false	high
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/	svchost.exe, 0000000C.00000002.1375774726.000001E558068000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.1375634616.000001E55802B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1374842721.000001E558067000.00000004.00000020.00020000.00000000.sdmp	false	high
https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/	svchost.exe, 0000000C.00000003.1374761841.000001E55806E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.1375791611.000001E558070000.00000004.00000020.00020000.00000000.sdmp	false	high
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=	svchost.exe, 0000000C.00000003.1375205295.000001E558031000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1374889298.000001E558062000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.1375751810.000001E558063000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.1375694330.000001E558055000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1374703617.000001E558053000.00000004.00000020.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/	HALKBANK EKSTRE.exe, 00000000.00000002.1261541050.0000000003FA2000.00000004.00000800.00020000.00000000.sdmp, HALKBANK EKSTRE.exe, 00000000.00000002.1261541050.0000000003F61000.00000004.00000800.00020000.00000000.sdmp, HALKBANK EKSTRE.exe, 0000000B.00000002.2464690903.000000000336E000.00000004.00000800.00020000.00000000.sdmp, gaOQxNyy.exe, 00000016.00000002.2464836827.00000000032BE000.00000004.00000800.00020000.00000000.sdmp, gaOQxNyy.exe, 00000016.00000002.2461072276.0000000000410000.00000040.00000400.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
193.122.6.168	checkip.dyndns.com	United States		31898	ORACLE-BMC-31898US	false
172.67.177.134	reallyfreegeoip.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1580267
Start date and time:	2024-12-24 08:23:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	28
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	HALKBANK EKSTRE.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@24/15@2/2
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 96% Number of executed functions: 368 Number of non-executed functions: 27
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.218.208.109, 13.107.246.63, 20.12.23.50
Excluded domains from analysis (whitelisted): fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target gaOQxNyy.exe, PID 7784 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
02:24:00	API Interceptor	2x Sleep call for process: HALKBANK EKSTRE.exe modified
02:24:03	API Interceptor	27x Sleep call for process: powershell.exe modified
02:24:06	API Interceptor	2x Sleep call for process: gaOQxNyy.exe modified
08:24:04	Task Scheduler	Run new task: gaOQxNyy path: C:\Users\user\AppData\Roaming\gaOQxNyy.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
193.122.6.168	EPIRTURMEROOO0060.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	Proforma Invoice.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	HUBED342024.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	YU SV Payment.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	PAYMENT ADVICE 750013-1012449943-81347-pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	Invoice.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	MV GOLDEN SCHULTE DETAILS.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	pedido-035241.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	QUOTATION REQUEST - BQS058.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
172.67.177.134	EPIRTURMEROOO0060.exe	Get hash	malicious	MassLogger RAT	Browse
	HUBED342024.exe	Get hash	malicious	MassLogger RAT	Browse
	Order_12232024.exe	Get hash	malicious	MassLogger RAT	Browse
	rTTSWIFTCOPIES.exe	Get hash	malicious	MassLogger RAT	Browse
	Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Get hash	malicious	MassLogger RAT	Browse
	YU SV Payment.exe	Get hash	malicious	MassLogger RAT	Browse
	PAYMENT ADVICE 750013-1012449943-81347-pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	HUSDGHCE23ED.exe	Get hash	malicious	MassLogger RAT	Browse
	66776676676.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse
	RFQ December-January Forcast and TCL.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	EPIRTURMEROOO0060.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	Proforma Invoice.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	Azygoses125.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	HUBED342024.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	PARATRANSFARI REMINDER.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	MT Eagle Asia 11.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	Order_12232024.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	rTTSWIFTCOPIES.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	Statement_3029_from_Cross_Traders_and_Logistics_ltd.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
reallyfreegeoip.org	EPIRTURMEROOO0060.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	Proforma Invoice.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
	Azygoses125.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	HUBED342024.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	PARATRANSFARI REMINDER.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	MT Eagle Asia 11.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	Order_12232024.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	rTTSWIFTCOPIES.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	Statement_3029_from_Cross_Traders_and_Logistics_ltd.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ORACLE-BMC-31898US	splm68k.elf	Get hash	malicious	Unknown	Browse	129.147.168.111
	EPIRTURMEROOO0060.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	Proforma Invoice.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	HUBED342024.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	MT Eagle Asia 11.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	Order_12232024.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	rTTSWIFTCOPIES.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	nshkmips.elf	Get hash	malicious	Mirai	Browse	132.145.36.70
	Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	Statement_3029_from_Cross_Traders_and_Logistics_ltd.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
CLOUDFLARENETUS	eMBO6wS1b5.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.169.205
	qoqD1RxV0F.exe	Get hash	malicious	LummaC	Browse	172.67.195.241
	txUcQFc0aJ.exe	Get hash	malicious	LummaC	Browse	172.67.151.61
	hnskdfgjgar22.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	172.65.251.78
	nabarm5.elf	Get hash	malicious	Unknown	Browse	8.6.115.225
	nklmips.elf	Get hash	malicious	Unknown	Browse	104.29.132.180
	eCompleted_419z.pdf	Get hash	malicious	Unknown	Browse	104.18.95.41
	Setup.exe	Get hash	malicious	LummaC	Browse	172.67.177.88
	Adobe GenP 5.exe	Get hash	malicious	LummaC	Browse	104.21.29.252
	Setup_W.exe	Get hash	malicious	LummaC	Browse	104.21.44.57

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	EPIRTURMEROOO0060.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	Proforma Invoice.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	Azygoses125.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	HUBED342024.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	PARATRANSFARI REMINDER.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	MT Eagle Asia 11.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	Order_12232024.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	rTTSWIFTCOPIES.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	Statement_3029_from_Cross_Traders_and_Logistics_ltd.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134

Process:	C:\Users\user\Desktop\HALKBANK EKSTRE.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1396
Entropy (8bit):	5.337066511654157
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhgLE4qXKIE4oKNzKoZAE4Kze0E4qE4x84j:MIHK5HKH1qHiYHKh3ogLHitHo6hAHKze
MD5:	55A2AF8F9FCA3AE99FBA235D3E16A53F
SHA1:	32F34219599006657BFF0B868257916A0C393AAA
SHA-256:	2E0B5859D8501D26669B982BD18005B625352435DB8E1D8B944EED350C1DB0B3
SHA-512:	F6EB6E6AA729963FF23349B6DF3B558896C7B294BF15F6601C4FEF2B1034DEBE207CE04A85F14124CBC41B168157778A23BAA06FCCFE13B0EE262CF2D80FDDA6
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..2,"Microsoft.CSharp, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c5619

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\gaOQxNyy.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\gaOQxNyy.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1396
Entropy (8bit):	5.337066511654157
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhgLE4qXKIE4oKNzKoZAE4Kze0E4qE4x84j:MIHK5HKH1qHiYHKh3ogLHitHo6hAHKze
MD5:	55A2AF8F9FCA3AE99FBA235D3E16A53F
SHA1:	32F34219599006657BFF0B868257916A0C393AAA
SHA-256:	2E0B5859D8501D26669B982BD18005B625352435DB8E1D8B944EED350C1DB0B3
SHA-512:	F6EB6E6AA729963FF23349B6DF3B558896C7B294BF15F6601C4FEF2B1034DEBE207CE04A85F14124CBC41B168157778A23BAA06FCCFE13B0EE262CF2D80FDDA6
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..2,"Microsoft.CSharp, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c5619

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.379552885213346
Encrypted:	false
SSDEEP:	48:fWSU4xympjgs4RIoU99tK8NPZHUl7u1iMuge//ZM0Uyud:fLHxvCsIfA2KRHmOugr1d
MD5:	0B83A4E419BE32E69DB1DA89BBE712FF
SHA1:	FF2807E8635F7C01F2F062ED9ACAC9E230564442
SHA-256:	8EB534474EDF070FDF65E0EA6F2ADE49FB1503C18F4E2B2C8C520C75F7D74AF2
SHA-512:	6DD3D1249B4061277449EC0B65874C47BF4F346B273F6E61BD23F06466EE478BE69581B71C65135F159FDB4DDEBE09CEB6001789A2A210A2E611039B34981752
Malicious:	false
Preview:	@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3gr2isbp.sik.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_adpoy34r.410.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bbsb3go1.xvl.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_d4yjprsz.2is.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hf5nbjjl.xgg.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_p5zxkijf.3w0.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uqorsyal.xdy.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_z2zmz2n0.wkz.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp93F7.tmp

Download File

Process:	C:\Users\user\Desktop\HALKBANK EKSTRE.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1602
Entropy (8bit):	5.121523475153051
Encrypted:	false
SSDEEP:	24:2di4+S2qhH1jy1m4UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtjJxvn:cgeHgYrFdOFzOzN33ODOiDdKrsuTj/v
MD5:	234D63AE9B7B008544BFFA3F0611BA8B
SHA1:	CF1DA79520A74EA98E74BFAC8EF67CECC0CFC4B8
SHA-256:	9982C04BC9061451318E61E6887BF29E5628B795AF62312EAAD2B6A0614495C0
SHA-512:	6A105BF11392F1DE187DCE23300C39DF19557D4AB4F90229D6DF3435C5784226F0411A6FF1E0065F80C614025B100A54DE1F901E59A91A652A68E03A45B739D1
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>.

C:\Users\user\AppData\Local\Temp\tmpA55C.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\gaOQxNyy.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1602
Entropy (8bit):	5.121523475153051
Encrypted:	false
SSDEEP:	24:2di4+S2qhH1jy1m4UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtjJxvn:cgeHgYrFdOFzOzN33ODOiDdKrsuTj/v
MD5:	234D63AE9B7B008544BFFA3F0611BA8B
SHA1:	CF1DA79520A74EA98E74BFAC8EF67CECC0CFC4B8
SHA-256:	9982C04BC9061451318E61E6887BF29E5628B795AF62312EAAD2B6A0614495C0
SHA-512:	6A105BF11392F1DE187DCE23300C39DF19557D4AB4F90229D6DF3435C5784226F0411A6FF1E0065F80C614025B100A54DE1F901E59A91A652A68E03A45B739D1
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>.

C:\Users\user\AppData\Roaming\gaOQxNyy.exe

Download File

Process:	C:\Users\user\Desktop\HALKBANK EKSTRE.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	829960
Entropy (8bit):	6.803147940478187
Encrypted:	false
SSDEEP:	12288:NFuJqM7POd5AkCU8Ke7/EFK5WjAUUyLnmqZiqzWOfDkX1pKPrFvkR:NFuJj7POdSLU3eGKM0UndbfAXarI
MD5:	50424FD9B7BEFB9448AD8CDE1C5522E8
SHA1:	9DF450F22397BE8631A2B8092843BA0E180CA8B7
SHA-256:	038849DB19818C7136FE0A551B3F1B9AB11D51390AB2F4197F9F7C5FF16F6A8F
SHA-512:	FE5DCF184826F2FBCF9959755F4A02FB23415692927E8E44B889511CB602F07C3A1359526AA27FF415A785D7662EA16C8A143FED50EA70844B43B3941696D121
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 63% Antivirus: Virustotal, Detection: 35%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...y.................0..4...>.......Q... ...`....@.. ....................................@..................................Q..O....`...:...........t...6..............p............................................ ............... ..H............text...\2... ...4.................. ..`.rsrc....:...`...<...6..............@..@.reloc...............r..............@..B.................Q......H.......d...`.......(....X...............................................0..)........{.........(....t......\|......(...+...3.....0..)........{.........(....t......\|......(...+...3.V....{....s....o.....Z..{....%-.&+...o........0..)........{.........(....t......\|......(...+...3.....0..)........{.........(....t......\|......(...+...3.V....{....s....o.....Z..{....%-.&+...o........0..)........{.........(....t......\|......(...+...3.*....0..)........{.........(....t......\|....

C:\Users\user\AppData\Roaming\gaOQxNyy.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\HALKBANK EKSTRE.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.803147940478187
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	HALKBANK EKSTRE.exe
File size:	829'960 bytes
MD5:	50424fd9b7befb9448ad8cde1c5522e8
SHA1:	9df450f22397be8631a2b8092843ba0e180ca8b7
SHA256:	038849db19818c7136fe0a551b3f1b9ab11d51390ab2f4197f9f7c5ff16f6a8f
SHA512:	fe5dcf184826f2fbcf9959755f4a02fb23415692927e8e44b889511cb602f07c3a1359526aa27ff415a785d7662ea16c8a143fed50ea70844b43b3941696d121
SSDEEP:	12288:NFuJqM7POd5AkCU8Ke7/EFK5WjAUUyLnmqZiqzWOfDkX1pKPrFvkR:NFuJj7POdSLU3eGKM0UndbfAXarI
TLSH:	2C05E051214CDA06E83E13F10472E5FD07756EAEE920E60E5EDEBCFB7632742290691B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...y.................0..4...>.......Q... ...`....@.. ....................................@................................

File Icon


Icon Hash:	98e2a3b29b9ba181

Static PE Info

General

Entrypoint:	0x4951d6
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xB0B48F79 [Tue Dec 11 18:27:05 2063 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	12/11/2018 19:00:00 08/11/2021 18:59:59
Subject Chain	CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
Version:	3
Thumbprint MD5:	DABD77E44EF6B3BB91740FA46696B779
Thumbprint SHA-1:	5B9E273CF11941FD8C6BE3F038C4797BBE884268
Thumbprint SHA-256:	4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
Serial:	7C1118CBBADC95DA3752C46E47A27438

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add dword ptr [eax], eax
add byte ptr [eax], al
add al, byte ptr [eax]
add byte ptr [eax], al
add al, 00h
add byte ptr [eax], al
or byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
and byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax+00000000h], al
add dword ptr [eax], eax
add byte ptr [eax], al
add al, byte ptr [eax]
add byte ptr [eax], al
add al, 00h
add byte ptr [eax], al
or byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
and byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax+00530000h], al
jns 00007F92ACB7DD02h
jnc 00007F92ACB7DD02h
je 00007F92ACB7DD02h
add byte ptr [ebp+00h], ch
add byte ptr [edx+00h], dl
add byte ptr [esi+00h], ah
insb
add byte ptr [ebp+00h], ah
arpl word ptr [eax], ax
je 00007F92ACB7DD02h
imul eax, dword ptr [eax], 006E006Fh
add byte ptr [ecx+00h], al
jnc 00007F92ACB7DD02h
jnc 00007F92ACB7DD02h
add byte ptr [ebp+00h], ch
bound eax, dword ptr [eax]
insb
add byte ptr [ecx+00h], bh
add byte ptr [eax], al
add byte ptr [eax], al
dec esp
add byte ptr [edi+00h], ch
popad
add byte ptr [eax+eax+00h], ah
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x95181	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x96000	0x33ab4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xc7400	0x3608
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xca000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x91fb4	0x70	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x9325c	0x93400	18c22fe1668623939299b8e565b9acdf	False	0.8494303109083192	data	7.58895397277786	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x96000	0x33ab4	0x33c00	230bb0a9c6fd097de22f217cdf60ce51	False	0.13759152324879226	data	3.0432598688253516	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xca000	0xc	0x200	fced46b99ad64f3804d8264c5c97f53b	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x96130	0x33428	Device independent bitmap graphic, 198 x 512 x 32, image size 202752, resolution 7874 x 7874 px/m	0.13495903981710802
RT_GROUP_ICON	0xc9558	0x14	data	1.05
RT_VERSION	0xc956c	0x35c	data	0.4197674418604651
RT_MANIFEST	0xc98c8	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-24T08:24:05.945728+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49706	193.122.6.168	80	TCP
2024-12-24T08:24:10.414412+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49710	193.122.6.168	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 24, 2024 08:24:03.905589104 CET	49706	80	192.168.2.7	193.122.6.168
Dec 24, 2024 08:24:04.025072098 CET	80	49706	193.122.6.168	192.168.2.7
Dec 24, 2024 08:24:04.027501106 CET	49706	80	192.168.2.7	193.122.6.168
Dec 24, 2024 08:24:04.027879000 CET	49706	80	192.168.2.7	193.122.6.168
Dec 24, 2024 08:24:04.147427082 CET	80	49706	193.122.6.168	192.168.2.7
Dec 24, 2024 08:24:05.295635939 CET	80	49706	193.122.6.168	192.168.2.7
Dec 24, 2024 08:24:05.315356016 CET	49706	80	192.168.2.7	193.122.6.168
Dec 24, 2024 08:24:05.434910059 CET	80	49706	193.122.6.168	192.168.2.7
Dec 24, 2024 08:24:05.827794075 CET	80	49706	193.122.6.168	192.168.2.7
Dec 24, 2024 08:24:05.945728064 CET	49706	80	192.168.2.7	193.122.6.168
Dec 24, 2024 08:24:05.975858927 CET	49708	443	192.168.2.7	172.67.177.134
Dec 24, 2024 08:24:05.975922108 CET	443	49708	172.67.177.134	192.168.2.7
Dec 24, 2024 08:24:05.976006985 CET	49708	443	192.168.2.7	172.67.177.134
Dec 24, 2024 08:24:05.984911919 CET	49708	443	192.168.2.7	172.67.177.134
Dec 24, 2024 08:24:05.984951019 CET	443	49708	172.67.177.134	192.168.2.7
Dec 24, 2024 08:24:07.405589104 CET	443	49708	172.67.177.134	192.168.2.7
Dec 24, 2024 08:24:07.405703068 CET	49708	443	192.168.2.7	172.67.177.134
Dec 24, 2024 08:24:07.410264015 CET	49708	443	192.168.2.7	172.67.177.134
Dec 24, 2024 08:24:07.410300016 CET	443	49708	172.67.177.134	192.168.2.7
Dec 24, 2024 08:24:07.410629034 CET	443	49708	172.67.177.134	192.168.2.7
Dec 24, 2024 08:24:07.474009991 CET	49708	443	192.168.2.7	172.67.177.134
Dec 24, 2024 08:24:07.515363932 CET	443	49708	172.67.177.134	192.168.2.7
Dec 24, 2024 08:24:07.891052961 CET	443	49708	172.67.177.134	192.168.2.7
Dec 24, 2024 08:24:07.891235113 CET	443	49708	172.67.177.134	192.168.2.7
Dec 24, 2024 08:24:07.891298056 CET	49708	443	192.168.2.7	172.67.177.134
Dec 24, 2024 08:24:07.905061007 CET	49708	443	192.168.2.7	172.67.177.134
Dec 24, 2024 08:24:08.123928070 CET	49710	80	192.168.2.7	193.122.6.168
Dec 24, 2024 08:24:08.245142937 CET	80	49710	193.122.6.168	192.168.2.7
Dec 24, 2024 08:24:08.245558977 CET	49710	80	192.168.2.7	193.122.6.168
Dec 24, 2024 08:24:08.245937109 CET	49710	80	192.168.2.7	193.122.6.168
Dec 24, 2024 08:24:08.365443945 CET	80	49710	193.122.6.168	192.168.2.7
Dec 24, 2024 08:24:09.800808907 CET	80	49710	193.122.6.168	192.168.2.7
Dec 24, 2024 08:24:09.806579113 CET	49710	80	192.168.2.7	193.122.6.168
Dec 24, 2024 08:24:09.926242113 CET	80	49710	193.122.6.168	192.168.2.7
Dec 24, 2024 08:24:10.276264906 CET	80	49710	193.122.6.168	192.168.2.7
Dec 24, 2024 08:24:10.278506994 CET	49711	443	192.168.2.7	172.67.177.134
Dec 24, 2024 08:24:10.278538942 CET	443	49711	172.67.177.134	192.168.2.7
Dec 24, 2024 08:24:10.278675079 CET	49711	443	192.168.2.7	172.67.177.134
Dec 24, 2024 08:24:10.282855988 CET	49711	443	192.168.2.7	172.67.177.134
Dec 24, 2024 08:24:10.282864094 CET	443	49711	172.67.177.134	192.168.2.7
Dec 24, 2024 08:24:10.414412022 CET	49710	80	192.168.2.7	193.122.6.168
Dec 24, 2024 08:24:11.515239954 CET	443	49711	172.67.177.134	192.168.2.7
Dec 24, 2024 08:24:11.515327930 CET	49711	443	192.168.2.7	172.67.177.134
Dec 24, 2024 08:24:11.517115116 CET	49711	443	192.168.2.7	172.67.177.134
Dec 24, 2024 08:24:11.517121077 CET	443	49711	172.67.177.134	192.168.2.7
Dec 24, 2024 08:24:11.517411947 CET	443	49711	172.67.177.134	192.168.2.7
Dec 24, 2024 08:24:11.578445911 CET	49711	443	192.168.2.7	172.67.177.134
Dec 24, 2024 08:24:11.623337030 CET	443	49711	172.67.177.134	192.168.2.7
Dec 24, 2024 08:24:11.967592955 CET	443	49711	172.67.177.134	192.168.2.7
Dec 24, 2024 08:24:11.967756033 CET	443	49711	172.67.177.134	192.168.2.7
Dec 24, 2024 08:24:11.967839003 CET	49711	443	192.168.2.7	172.67.177.134
Dec 24, 2024 08:24:11.972040892 CET	49711	443	192.168.2.7	172.67.177.134
Dec 24, 2024 08:25:10.764286995 CET	80	49706	193.122.6.168	192.168.2.7
Dec 24, 2024 08:25:10.764514923 CET	49706	80	192.168.2.7	193.122.6.168
Dec 24, 2024 08:25:15.270893097 CET	80	49710	193.122.6.168	192.168.2.7
Dec 24, 2024 08:25:15.271102905 CET	49710	80	192.168.2.7	193.122.6.168
Dec 24, 2024 08:25:45.837171078 CET	49706	80	192.168.2.7	193.122.6.168
Dec 24, 2024 08:25:45.956759930 CET	80	49706	193.122.6.168	192.168.2.7
Dec 24, 2024 08:25:50.290117979 CET	49710	80	192.168.2.7	193.122.6.168
Dec 24, 2024 08:25:50.409712076 CET	80	49710	193.122.6.168	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 24, 2024 08:24:03.751411915 CET	52446	53	192.168.2.7	1.1.1.1
Dec 24, 2024 08:24:03.888551950 CET	53	52446	1.1.1.1	192.168.2.7
Dec 24, 2024 08:24:05.830769062 CET	53679	53	192.168.2.7	1.1.1.1
Dec 24, 2024 08:24:05.975100994 CET	53	53679	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 24, 2024 08:24:03.751411915 CET	192.168.2.7	1.1.1.1	0x8386	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Dec 24, 2024 08:24:05.830769062 CET	192.168.2.7	1.1.1.1	0x5e6b	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 24, 2024 08:24:03.888551950 CET	1.1.1.1	192.168.2.7	0x8386	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 24, 2024 08:24:03.888551950 CET	1.1.1.1	192.168.2.7	0x8386	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Dec 24, 2024 08:24:03.888551950 CET	1.1.1.1	192.168.2.7	0x8386	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Dec 24, 2024 08:24:03.888551950 CET	1.1.1.1	192.168.2.7	0x8386	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Dec 24, 2024 08:24:03.888551950 CET	1.1.1.1	192.168.2.7	0x8386	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Dec 24, 2024 08:24:03.888551950 CET	1.1.1.1	192.168.2.7	0x8386	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Dec 24, 2024 08:24:05.975100994 CET	1.1.1.1	192.168.2.7	0x5e6b	No error (0)	reallyfreegeoip.org		172.67.177.134	A (IP address)	IN (0x0001)	false
Dec 24, 2024 08:24:05.975100994 CET	1.1.1.1	192.168.2.7	0x5e6b	No error (0)	reallyfreegeoip.org		104.21.67.152	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49706	193.122.6.168	80	320	C:\Users\user\Desktop\HALKBANK EKSTRE.exe

Timestamp	Bytes transferred	Direction	Data
Dec 24, 2024 08:24:04.027879000 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 24, 2024 08:24:05.295635939 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 24 Dec 2024 07:24:05 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Dec 24, 2024 08:24:05.315356016 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 24, 2024 08:24:05.827794075 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 24 Dec 2024 07:24:05 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49710	193.122.6.168	80	7784	C:\Users\user\AppData\Roaming\gaOQxNyy.exe

Timestamp	Bytes transferred	Direction	Data
Dec 24, 2024 08:24:08.245937109 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 24, 2024 08:24:09.800808907 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 24 Dec 2024 07:24:09 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Dec 24, 2024 08:24:09.806579113 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 24, 2024 08:24:10.276264906 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 24 Dec 2024 07:24:10 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49708	172.67.177.134	443	320	C:\Users\user\Desktop\HALKBANK EKSTRE.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-24 07:24:07 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-24 07:24:07 UTC	860	IN	HTTP/1.1 200 OK Date: Tue, 24 Dec 2024 07:24:07 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 339836 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1Ic%2FTi4%2BEhnXZ8YHda1q9%2B7%2FtyRAAfjWqljPLSW328OZ9CQw4MX%2Bg8lJpLBwbSgX7RBde6bA0J8PJ3YTfQ0V9%2FpoEpXxkq5lla7t35w0jqlyYe5otKblXIxHW4inEaknIgE6Dzd3"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f6ed9942d4142b5-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1745&min_rtt=1736&rtt_var=669&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1614151&cwnd=218&unsent_bytes=0&cid=b57c672778cf1070&ts=474&x=0"
2024-12-24 07:24:07 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49711	172.67.177.134	443	7784	C:\Users\user\AppData\Roaming\gaOQxNyy.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-24 07:24:11 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-24 07:24:11 UTC	856	IN	HTTP/1.1 200 OK Date: Tue, 24 Dec 2024 07:24:11 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 339840 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ktJED2UQ0JC04LDqayRH%2FEWRgprfC4xG6nGDhUGm2Vk8Tp3W6bj8dj%2B7i3W2pBB6pOhjqpZmHwIh6R6WUqwJcBZSUP5MEnYWU4BQJ0mtiDDboDmRdKdyGUixKdKQhFzG%2FGo%2F0ZMm"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f6ed9adbf068ce8-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1955&min_rtt=1951&rtt_var=739&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2850&recv_bytes=699&delivery_rate=1472516&cwnd=237&unsent_bytes=0&cid=455d84339bd0e7ea&ts=458&x=0"
2024-12-24 07:24:11 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Target ID:	0
Start time:	02:23:59
Start date:	24/12/2024
Path:	C:\Users\user\Desktop\HALKBANK EKSTRE.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\HALKBANK EKSTRE.exe"
Imagebase:	0xae0000
File size:	829'960 bytes
MD5 hash:	50424FD9B7BEFB9448AD8CDE1C5522E8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000000.00000002.1261541050.0000000003F61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1261541050.0000000003F61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1261541050.0000000003F61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1261541050.0000000003F61000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000000.00000002.1261541050.0000000003FA2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1261541050.0000000003FA2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1261541050.0000000003FA2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1261541050.0000000003FA2000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	02:24:02
Start date:	24/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HALKBANK EKSTRE.exe"
Imagebase:	0x6f0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	02:24:02
Start date:	24/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	02:24:02
Start date:	24/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gaOQxNyy.exe"
Imagebase:	0x6f0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	02:24:02
Start date:	24/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	02:24:02
Start date:	24/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gaOQxNyy" /XML "C:\Users\user\AppData\Local\Temp\tmp93F7.tmp"
Imagebase:	0x560000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	02:24:02
Start date:	24/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	02:24:02
Start date:	24/12/2024
Path:	C:\Users\user\Desktop\HALKBANK EKSTRE.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\HALKBANK EKSTRE.exe"
Imagebase:	0x300000
File size:	829'960 bytes
MD5 hash:	50424FD9B7BEFB9448AD8CDE1C5522E8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	02:24:02
Start date:	24/12/2024
Path:	C:\Users\user\Desktop\HALKBANK EKSTRE.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\HALKBANK EKSTRE.exe"
Imagebase:	0x250000
File size:	829'960 bytes
MD5 hash:	50424FD9B7BEFB9448AD8CDE1C5522E8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	02:24:02
Start date:	24/12/2024
Path:	C:\Users\user\Desktop\HALKBANK EKSTRE.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\HALKBANK EKSTRE.exe"
Imagebase:	0xe90000
File size:	829'960 bytes
MD5 hash:	50424FD9B7BEFB9448AD8CDE1C5522E8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.2464690903.0000000003413000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	12
Start time:	02:24:03
Start date:	24/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k NetworkService -p
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	02:24:04
Start date:	24/12/2024
Path:	C:\Users\user\AppData\Roaming\gaOQxNyy.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\gaOQxNyy.exe
Imagebase:	0xe00000
File size:	829'960 bytes
MD5 hash:	50424FD9B7BEFB9448AD8CDE1C5522E8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 63%, ReversingLabs Detection: 35%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	02:24:04
Start date:	24/12/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff7fb730000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	02:24:06
Start date:	24/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gaOQxNyy" /XML "C:\Users\user\AppData\Local\Temp\tmpA55C.tmp"
Imagebase:	0x560000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	02:24:07
Start date:	24/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	02:24:07
Start date:	24/12/2024
Path:	C:\Users\user\AppData\Roaming\gaOQxNyy.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\gaOQxNyy.exe"
Imagebase:	0xda0000
File size:	829'960 bytes
MD5 hash:	50424FD9B7BEFB9448AD8CDE1C5522E8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000016.00000002.2464836827.0000000003363000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000016.00000002.2461072276.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000016.00000002.2461072276.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000016.00000002.2461072276.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000016.00000002.2461072276.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	10%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	71
Total number of Limit Nodes:	1

Executed Functions

Function 071E8C78 Relevance: 5.0, Strings: 3, Instructions: 1232COMMON

Download Yara Rule

Strings

[0, xrefs: 071E9A50
k0, xrefs: 071E9AA7
;(, xrefs: 071E9BF6

Memory Dump Source

Source File: 00000000.00000002.1270402973.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71e0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID: ;($[0$k0
API String ID: 0-1095498047
Opcode ID: 325c3e9b8c53162c5bd14e79ab550eeaf0d174523927d8175da6628f36eca78d
Instruction ID: 0425185ce0f9ff9057c1ab44ebad40c52355b251ac45da6a5e2239e218768b8c
Opcode Fuzzy Hash: 325c3e9b8c53162c5bd14e79ab550eeaf0d174523927d8175da6628f36eca78d
Instruction Fuzzy Hash: 67B249B4B00615CFDB25DF29C894A69B7F6FF89210F1584A9E40ADB3A1DB31EC81CB51

Function 075D0E78 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270900434.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b449dc5d1cd72c011462842e791cd456dc566f8dffeca18a7664d02dafed0e45
Instruction ID: f6c0f62ea80ccd1e8e6c38933d32708bbf6c502197baf50dcb6a630fd0e54c66
Opcode Fuzzy Hash: b449dc5d1cd72c011462842e791cd456dc566f8dffeca18a7664d02dafed0e45
Instruction Fuzzy Hash: EE426BB0B006058FDB24DF68C584AAABBF6FF89300F158469E906DB391DB74EC45CB91

Function 071E4690 Relevance: .6, Instructions: 629COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270402973.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71e0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5c0f06260219e416d6374675699c9a6cd4f9f41ab9e0d4e05e9638fd249c037
Instruction ID: c6298b865b754872dee2060c4928be16bb2bd11ae8827dbf25abd416b7d6e540
Opcode Fuzzy Hash: e5c0f06260219e416d6374675699c9a6cd4f9f41ab9e0d4e05e9638fd249c037
Instruction Fuzzy Hash: C24290B1A00781CFDB29CF65D54466AB7FAFF88315F544429E942CB6D0CB39E882CB50

Function 071E58C0 Relevance: .6, Instructions: 568COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270402973.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71e0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b3ce089645043c408b74334ed446cf51bc1fe589de1560363450254aed4dca5
Instruction ID: 706604834b90b094bd493b34bff4f5a94c12cd19f5c1656a60a4e43aec2b5dbe
Opcode Fuzzy Hash: 1b3ce089645043c408b74334ed446cf51bc1fe589de1560363450254aed4dca5
Instruction Fuzzy Hash: 88325D74A00606CFDB18CF58C884AAEBBF6FF89304F158559E446AB3A5D770ED91CB90

Function 071E5058 Relevance: .5, Instructions: 505COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270402973.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71e0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 982ceb7321b76fbffe61d243dedb192a54112d57a1e22bec8aa3e2ec5d94ba8a
Instruction ID: f85e6f813c135b1b33828dbac97c73c2009cbdc466cd6766940b613cd426eaf5
Opcode Fuzzy Hash: 982ceb7321b76fbffe61d243dedb192a54112d57a1e22bec8aa3e2ec5d94ba8a
Instruction Fuzzy Hash: FC1257B0A107018FDB29DBA9D99866ABBF7FF89305B14842CE506C7790CF74AC46DB50

Function 075D0710 Relevance: .5, Instructions: 456COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270900434.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa2cf82ff9fd72a7b594c604f932c5c532e222344d8d935eb2b169ecf86c5529
Instruction ID: d44ee5f5e0e614a44bde33948dd06a0e5fbe5fd85a8196441ca50ae88f4607cc
Opcode Fuzzy Hash: fa2cf82ff9fd72a7b594c604f932c5c532e222344d8d935eb2b169ecf86c5529
Instruction Fuzzy Hash: 91124DB5A002058FDB15DF68D584AAABBF2FF88300F59C599D509DB362CB34ED45CBA0

Function 071E2948 Relevance: .4, Instructions: 401COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270402973.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71e0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 799aa16383961b948b2b5f06676c3de83d09d5d4fe2123385da683d4275c1c5f
Instruction ID: 5d868e974469d023984c2b3a5bc4fe2c43f1723c84958ae14d55ac63475d7e8a
Opcode Fuzzy Hash: 799aa16383961b948b2b5f06676c3de83d09d5d4fe2123385da683d4275c1c5f
Instruction Fuzzy Hash: CEF14270A10609DFDB18DFA4D854AADBBF6FF88310F148569E816AB395DB34DC46CB40

Function 071CDF29 Relevance: .4, Instructions: 401COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270061895.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71c0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5767e0f30497318fe0efa34e801ad287ee403fd3843cc687d8122ca7695d4407
Instruction ID: 1bc0f03e1a09862cf356a4a20eff14adf61909be8db6a03b9c123e52d42a9a31
Opcode Fuzzy Hash: 5767e0f30497318fe0efa34e801ad287ee403fd3843cc687d8122ca7695d4407
Instruction Fuzzy Hash: FBF17AB5A00705CFDB25CFA9C584AAABBF2BF58300F14856DE44A9B791D735E84ACB40

Function 01583E28 Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1257455747.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1580000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36daf8c835b75c70970f0daecf18f6d6db8652594b90a98e12a5de16ab6fb3d9
Instruction ID: 4cf68c3f0e48015ea74ee3c8448cb6c6c9f7c2387270dd408004a2aea6acd41f
Opcode Fuzzy Hash: 36daf8c835b75c70970f0daecf18f6d6db8652594b90a98e12a5de16ab6fb3d9
Instruction Fuzzy Hash: 54D19274E002188FDB64DFA9D994B9DBBB2FF88300F1085AAD509AB365DB319D46CF50

Function 01587019 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1257455747.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1580000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15a263d51ca29b77b39ff36ea7ee70fb9e55b7fceb9c4e6304b2f070f31cb1ec
Instruction ID: 27bf55048c45a98acea0b44bc55599ab3f977c38cbdb02e4ff39f2c5dae172e2
Opcode Fuzzy Hash: 15a263d51ca29b77b39ff36ea7ee70fb9e55b7fceb9c4e6304b2f070f31cb1ec
Instruction Fuzzy Hash: 95B1A174E01218CFDB54DFA9D994A9DBBF2BF88300F1085AAD419AB365DB31AD42CF50

Function 071EC1B0 Relevance: 3.3, Instructions: 3266
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1270402973.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71e0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b66280755cf4ee58172b0f6662079000e5ea375063ecbdf012e440a2b118297d
Instruction ID: f2699fac87b40f237af37a21d47187e5253889fe708205cfe04c09bd3f32186f
Opcode Fuzzy Hash: b66280755cf4ee58172b0f6662079000e5ea375063ecbdf012e440a2b118297d
Instruction Fuzzy Hash: 99636CB0A50218AFEB359B50CD55BEEB672FF89700F1040E9E2097B6D0CA761E81DF59

Function 075DEBB2 Relevance: 2.7, Strings: 2, Instructions: 159
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

%*&/)(#$^@!~-_, xrefs: 075DEBE9
0,Wq, xrefs: 075DEC12

Memory Dump Source

Source File: 00000000.00000002.1270900434.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID: %*&/)(#$^@!~-_$0,Wq
API String ID: 0-1692081166
Opcode ID: ec08e3123b0b6668f128fa305b4e455cc72e740797db4b1c95d2a78039dd222f
Instruction ID: b517412a70797f2c61c22e5f4a6724a3beba197065a010e3eb2200b41a8cfda7
Opcode Fuzzy Hash: ec08e3123b0b6668f128fa305b4e455cc72e740797db4b1c95d2a78039dd222f
Instruction Fuzzy Hash: 03518131F00218AFD714BB68D8467EE7BB2EF89300F1588A9D8819F295DE766D49C781

Function 075DEBC0 Relevance: 2.7, Strings: 2, Instructions: 153
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

%*&/)(#$^@!~-_, xrefs: 075DEBE9
0,Wq, xrefs: 075DEC12

Memory Dump Source

Source File: 00000000.00000002.1270900434.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID: %*&/)(#$^@!~-_$0,Wq
API String ID: 0-1692081166
Opcode ID: 128e8bf79b2dce9271114415661635d1231075b17f2ac027a5cc130719ff2fbd
Instruction ID: 08afa7f85e23ccaf828be2c693e7a74474f1e552a4e14dcae40ab1d58fa146a7
Opcode Fuzzy Hash: 128e8bf79b2dce9271114415661635d1231075b17f2ac027a5cc130719ff2fbd
Instruction Fuzzy Hash: C6517131F002189FD714BB68D84A7AE7BB2EFC8300F1584A9D8859F395DE766D49C781

Function 071C9E50 Relevance: 1.8, Strings: 1, Instructions: 546
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

7, xrefs: 071C9F3C

Memory Dump Source

Source File: 00000000.00000002.1270061895.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71c0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID: 7
API String ID: 0-1790921346
Opcode ID: e19c9d3a31a74a1446f2931a0c09fe37e8c7e876bc146f449067dd2005eb62e1
Instruction ID: ecec54a16ea5078774ae2f1c8fdc8ba3226ad21d7b51bb8da0c87adf93ede711
Opcode Fuzzy Hash: e19c9d3a31a74a1446f2931a0c09fe37e8c7e876bc146f449067dd2005eb62e1
Instruction Fuzzy Hash: 9A22A0B0600209CFDB16CFA4C854BAEBBB6FF95310F25C469E5069B291DB35E941CB91

Function 0767D60C Relevance: 1.7, APIs: 1, Instructions: 249
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0767D84E

Memory Dump Source

Source File: 00000000.00000002.1271689458.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7670000_HALKBANK EKSTRE.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 00160da7fd1beef12c62ec94173fadd4ed2a5522cda9d325a31eea04878bbdae
Instruction ID: 90cadd2e609b6afd519cb8d31682ccbf0a6e1f795aa1c156d8b79621309c8461
Opcode Fuzzy Hash: 00160da7fd1beef12c62ec94173fadd4ed2a5522cda9d325a31eea04878bbdae
Instruction Fuzzy Hash: 1CA15DB1E0021ACFDB24DF69C841BEDBBB2BF48354F148569D80AA7240DB759985CF91

Function 0767D618 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0767D84E

Memory Dump Source

Source File: 00000000.00000002.1271689458.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7670000_HALKBANK EKSTRE.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: ce6dab4d087bebb6c9bc192b56663a58d1bf8f585ef9e7f35f72245a3b47bc6e
Instruction ID: 802515a9c0f8b021c596a3213f763aaa89ab012ba231e28391fb229f5a179a54
Opcode Fuzzy Hash: ce6dab4d087bebb6c9bc192b56663a58d1bf8f585ef9e7f35f72245a3b47bc6e
Instruction Fuzzy Hash: 80915EB1E0025ACFEB24DF69CC40BEDBBB2BF48354F148569D80AA7240DB759985CF91

Function 0158B417 Relevance: 1.7, APIs: 1, Instructions: 200
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0158B67E

Memory Dump Source

Source File: 00000000.00000002.1257455747.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1580000_HALKBANK EKSTRE.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 87b7b160761cb7b6745369cde4ffdc344049e95bb090fddbad9e34752b5e62a3
Instruction ID: 129a0491f243f2aac7d07e875ac70ead41f6e6a16c6d6b41ba25cc73e41f6f1a
Opcode Fuzzy Hash: 87b7b160761cb7b6745369cde4ffdc344049e95bb090fddbad9e34752b5e62a3
Instruction Fuzzy Hash: 2D815A70A00B058FDB24EF69D45575ABBF5FF88304F00892ED486EBA50E775E849CB91

Function 015844B0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 015859C9

Memory Dump Source

Source File: 00000000.00000002.1257455747.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1580000_HALKBANK EKSTRE.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 73db2fe1bdcd6be379bb620994509f920b99252864fa8ed672b7fe0cb4f419f4
Instruction ID: a0d3f2c13c98352372014812de0d9ad17e6689525b2eb3835db70449d0bee3e7
Opcode Fuzzy Hash: 73db2fe1bdcd6be379bb620994509f920b99252864fa8ed672b7fe0cb4f419f4
Instruction Fuzzy Hash: 2A41B071C10719CBEB24DFAAC884BDDBBF5BF49304F20846AD508AB251DBB56946CF90

Function 0158590D Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 015859C9

Memory Dump Source

Source File: 00000000.00000002.1257455747.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1580000_HALKBANK EKSTRE.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 11129b83963bb56c998bdb0a7f4f30d2e0dff4f8f54c6a3ac70bf30ab51c0459
Instruction ID: 24fbcdb2f6d0e7ce4149c54fa5245d70da4f2f4edbcfb92cce71082f7b2c0438
Opcode Fuzzy Hash: 11129b83963bb56c998bdb0a7f4f30d2e0dff4f8f54c6a3ac70bf30ab51c0459
Instruction Fuzzy Hash: 2441DFB0C00718CFEB24DFAAC884BDDBBB1BF49304F20846AD508AB251DBB55946CF50

Function 071C8EF8 Relevance: 1.6, Strings: 1, Instructions: 326
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

&, xrefs: 071C8F7D

Memory Dump Source

Source File: 00000000.00000002.1270061895.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71c0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID: &
API String ID: 0-1010288
Opcode ID: 3b1be6f4fee8998082a90539660baecbed9b098e5c6c96e902a6b79733053338
Instruction ID: 4d0f0360498aa2f0e01e1456e167e4c405b037b7e1b95a06039fccc164dab9b1
Opcode Fuzzy Hash: 3b1be6f4fee8998082a90539660baecbed9b098e5c6c96e902a6b79733053338
Instruction Fuzzy Hash: BBC1CDB47106028FCB19DFB4959053A77E6BFA525074689ADC8868B3C1DF38EC06CBA1

Function 0767D078 Relevance: 1.6, APIs: 1, Instructions: 74
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 0767D100

Memory Dump Source

Source File: 00000000.00000002.1271689458.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7670000_HALKBANK EKSTRE.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 6112ed134f5f0563ae525b3ad44a336bf179f96019685fc2bc90a5489e8676cc
Instruction ID: 96180ac559146121e5e6e3a6ce221d86a3c2406c94abed631c2570bca61d0d3a
Opcode Fuzzy Hash: 6112ed134f5f0563ae525b3ad44a336bf179f96019685fc2bc90a5489e8676cc
Instruction Fuzzy Hash: 1A2147B2D002499FDB10CFAAD881BEEBBF0FF48360F10882AD959A7240C7799551DB64

Function 0547A1D8 Relevance: 1.6, APIs: 1, Instructions: 72
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 0547A277

Memory Dump Source

Source File: 00000000.00000002.1266759055.0000000005470000.00000040.00000800.00020000.00000000.sdmp, Offset: 05470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5470000_HALKBANK EKSTRE.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 4e7e58ec5b4abe218d5c457bb7370d7f5325ce5d0dc3e48949969cfff11ac8ce
Instruction ID: 7e6e2b12dea36833ecc8a67441bb61ced705822ae2725a45ebce955c49401fc1
Opcode Fuzzy Hash: 4e7e58ec5b4abe218d5c457bb7370d7f5325ce5d0dc3e48949969cfff11ac8ce
Instruction Fuzzy Hash: C231DDB5D003499FDB14CF9AD884ADEBBF4FB48220F24842AE819A7310D775A944CFA4

Function 0767CF8C Relevance: 1.6, APIs: 1, Instructions: 70
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 0767D020

Memory Dump Source

Source File: 00000000.00000002.1271689458.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7670000_HALKBANK EKSTRE.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 2a399d90b8f3864bf4da3c08f36cc015654e8c5fe4c2a4d6d1f493b7d46ae3dc
Instruction ID: 7307e34bec6f8c720363c9e9c132af9b561276e6737dff1d35e97244d0587fca
Opcode Fuzzy Hash: 2a399d90b8f3864bf4da3c08f36cc015654e8c5fe4c2a4d6d1f493b7d46ae3dc
Instruction Fuzzy Hash: F62137B59003499FDB20CFAAC880BDEBBF1FF48310F14842EE959A7240C7789940CB64

Function 0547A1E0 Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 0547A277

Memory Dump Source

Source File: 00000000.00000002.1266759055.0000000005470000.00000040.00000800.00020000.00000000.sdmp, Offset: 05470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5470000_HALKBANK EKSTRE.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 5c6c51ea7894a5757b6f93aed5fbfff92ebc15ebf013bcc2c91f7c2782e6a51c
Instruction ID: f86df19cb333fb6bf9b22fe2d2f051c321d2a7b7e00ed8c2d0c6fb0716136430
Opcode Fuzzy Hash: 5c6c51ea7894a5757b6f93aed5fbfff92ebc15ebf013bcc2c91f7c2782e6a51c
Instruction Fuzzy Hash: 6A21CEB5D002499FDB14CF9AD884ADEBBF5FB48220F24842AE919A7310D775A944CFA4

Function 0767CF90 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 0767D020

Memory Dump Source

Source File: 00000000.00000002.1271689458.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7670000_HALKBANK EKSTRE.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 9cc3886f151e32784f3e11b54e523d9cda5236449558321a104ae8001f731247
Instruction ID: 2b432534edf35a1271bb49660e5e6d5f7b5c273826f42da33d3586f8d3eb6d3e
Opcode Fuzzy Hash: 9cc3886f151e32784f3e11b54e523d9cda5236449558321a104ae8001f731247
Instruction Fuzzy Hash: FE212AB59003499FDB14CFAAC880BDEBBF5FF48350F10842AE919A7240C7799940CB64

Function 0158B314 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0158D8CE,?,?,?,?,?), ref: 0158D98F

Memory Dump Source

Source File: 00000000.00000002.1257455747.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1580000_HALKBANK EKSTRE.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 50a6a1e8ef1a4b4004a59f0ee3b29153a393860e88823d5807ef33949e7662be
Instruction ID: 584c39786f75078d60108b17b8f39bb01a3073b5be83a451152538a95be9dae4
Opcode Fuzzy Hash: 50a6a1e8ef1a4b4004a59f0ee3b29153a393860e88823d5807ef33949e7662be
Instruction Fuzzy Hash: 5721E3B5900248AFDB10DF9AD884ADEBBF5FB48310F14841AE958A7350D379A950CFA5

Function 0767C9BA Relevance: 1.6, APIs: 1, Instructions: 64threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0767CA3E

Memory Dump Source

Source File: 00000000.00000002.1271689458.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7670000_HALKBANK EKSTRE.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 17d07eda577e1f939004a5acd06f0824e1c612db5240e78b98082baf94702414
Instruction ID: ba6822103171e89ae5cf631d5b706ece1d00a9b2117390ba12cb7938aa682284
Opcode Fuzzy Hash: 17d07eda577e1f939004a5acd06f0824e1c612db5240e78b98082baf94702414
Instruction Fuzzy Hash: BC2138B1D003098FDB24CFAAD485BEEBBF4EF48354F14842AD819A7640CB789945CFA4

Function 0158D900 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0158D8CE,?,?,?,?,?), ref: 0158D98F

Memory Dump Source

Source File: 00000000.00000002.1257455747.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1580000_HALKBANK EKSTRE.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 51a7c0bcdd33fc96be98f70359678006fd93a83e45ebc85670da92f1004cdb51
Instruction ID: c1f1adfe2c929bcb9ddacb3582696ef0a9c3a9bafe7161a79c1bb7bac5f3fee9
Opcode Fuzzy Hash: 51a7c0bcdd33fc96be98f70359678006fd93a83e45ebc85670da92f1004cdb51
Instruction Fuzzy Hash: 9C21E2B6D002489FDB10CFAAD984ADEBBF5FB08310F14841AE958B7350D378A940CF65

Function 0767D080 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 0767D100

Memory Dump Source

Source File: 00000000.00000002.1271689458.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7670000_HALKBANK EKSTRE.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: b5b8a48956de98a529196fed7ec7d0f399ad1883f07e6504ea29d9d845937ebd
Instruction ID: 2adccca34986e06000cd0fa68e886c18c939112870c0fe1ead9e43fd7ab6f19c
Opcode Fuzzy Hash: b5b8a48956de98a529196fed7ec7d0f399ad1883f07e6504ea29d9d845937ebd
Instruction Fuzzy Hash: AB2128B1D003499FDB10DFAAC881BDEBBF5FF48310F10882AE919A7240C7799940CBA4

Function 0767C908 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32 ref: 0767C972

Memory Dump Source

Source File: 00000000.00000002.1271689458.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7670000_HALKBANK EKSTRE.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 6c3e16c38cc9eef7cc1f13121a51b3beda67f21a6d7ff1ea7a6962f62f7128d5
Instruction ID: 9600c88ac57e1fa89bc4b6569935954c79f5115f6b3981214c2cda4c735d9f98
Opcode Fuzzy Hash: 6c3e16c38cc9eef7cc1f13121a51b3beda67f21a6d7ff1ea7a6962f62f7128d5
Instruction Fuzzy Hash: 22214AB5D002488FDB20CFAAD445BEEFBF4EF48310F24855AD819A7650CB799941CFA5

Function 0767C9C0 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0767CA3E

Memory Dump Source

Source File: 00000000.00000002.1271689458.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7670000_HALKBANK EKSTRE.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: c27131639b879ddcac24ad83c592f42a1640d0d7dcf9ad64a02ea0f96300f8da
Instruction ID: 4d1d13fd28fa9bda77a6e7d6e613efdb19477c1716275dfa1011937b161fd1c7
Opcode Fuzzy Hash: c27131639b879ddcac24ad83c592f42a1640d0d7dcf9ad64a02ea0f96300f8da
Instruction Fuzzy Hash: 462135B1D003098FDB14CFAAC484BEEBBF4EF48354F14842AD919A7240CB789945CFA4

Function 0767CEC8 Relevance: 1.6, APIs: 1, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 0767CF3E

Memory Dump Source

Source File: 00000000.00000002.1271689458.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7670000_HALKBANK EKSTRE.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 6ee104ef2c0b6e679881539d3959b8565ebc309045f72eac380d28a5895b6497
Instruction ID: fab784234ad3d61113809ba1b52d5bf6d1914a1796445cc0eb4cbba835a71f71
Opcode Fuzzy Hash: 6ee104ef2c0b6e679881539d3959b8565ebc309045f72eac380d28a5895b6497
Instruction Fuzzy Hash: 722159718003499FDF20DFAAC844BDEBBF5EF48324F14841AE919A7250CB799954CFA4

Function 0767CED0 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 0767CF3E

Memory Dump Source

Source File: 00000000.00000002.1271689458.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7670000_HALKBANK EKSTRE.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: af2ab0b248190d5f4886cf34132c8fe1ef3a15a16ff414464990c21e92616e13
Instruction ID: 19825b81d95f448a56383e901c27a6d25d26ceb5c736cdfc0494bba54de47348
Opcode Fuzzy Hash: af2ab0b248190d5f4886cf34132c8fe1ef3a15a16ff414464990c21e92616e13
Instruction Fuzzy Hash: C41167718003489FDB20DFAAC844BDFBBF5EF48310F24881AE919A7250CB799940CFA4

Function 0767C910 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32 ref: 0767C972

Memory Dump Source

Source File: 00000000.00000002.1271689458.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7670000_HALKBANK EKSTRE.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: b0a26b7fe30480df38c3287abb9ef04f87006affbb472b4f2acc9f20553b5467
Instruction ID: a2dce4d627888b5b69b60c39aff1ec9ce4b7eccd27271910fe6e870e186d1698
Opcode Fuzzy Hash: b0a26b7fe30480df38c3287abb9ef04f87006affbb472b4f2acc9f20553b5467
Instruction Fuzzy Hash: 07113AB1D003488FDB24DFAAC444BDEFBF5EF48214F24841AD519A7240CB79A940CFA4

Function 0158B618 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0158B67E

Memory Dump Source

Source File: 00000000.00000002.1257455747.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1580000_HALKBANK EKSTRE.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 6a2dbf86e1d5297a0830875f36e95b54662b2f174c585be94497c08743accc8b
Instruction ID: 849074918d75d1a602e4f791259ffeb21e7233c2b04e909103d63a065216ecf8
Opcode Fuzzy Hash: 6a2dbf86e1d5297a0830875f36e95b54662b2f174c585be94497c08743accc8b
Instruction Fuzzy Hash: C811D2B5C002498FDB24DF9AD444ADEFBF8EB48214F10841AD519A7610C379A545CFA5

Function 075D0CC8 Relevance: 1.4, Strings: 1, Instructions: 149COMMON

Download Yara Rule

Strings

@, xrefs: 075D0E30

Memory Dump Source

Source File: 00000000.00000002.1270900434.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 22ed3f477aa3367bc891d2321ec4b450d29ceb19ff439bc0c28520b422ef20d3
Instruction ID: 7da5f8c7814f0f75c39abea0f956152c7a7b0dfc675c047cf496d73ab4d48ef7
Opcode Fuzzy Hash: 22ed3f477aa3367bc891d2321ec4b450d29ceb19ff439bc0c28520b422ef20d3
Instruction Fuzzy Hash: D65181B1A002199FDB55DF68C480AEEBBF5FF49210F14846AE909EB351D730DD55CB90

Function 071C9E40 Relevance: 1.4, Strings: 1, Instructions: 131COMMON

Download Yara Rule

Strings

7, xrefs: 071C9F3C

Memory Dump Source

Source File: 00000000.00000002.1270061895.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71c0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID: 7
API String ID: 0-1790921346
Opcode ID: 8cd0f1c320971b1a4b2d8f5f0c7b93d6e122cf178bda4d0aedd365d259022d08
Instruction ID: c1751ecb665b443cdba11a73151f326df11cd1955b97f7f0e3ca7a3f640d1813
Opcode Fuzzy Hash: 8cd0f1c320971b1a4b2d8f5f0c7b93d6e122cf178bda4d0aedd365d259022d08
Instruction Fuzzy Hash: 3F417CB4A00302CFD729DF65C484A6ABBBAFF99320B15C56DE4058B3A5DB31EC46CB51

Function 071C3978 Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

U, xrefs: 071C3A6B

Memory Dump Source

Source File: 00000000.00000002.1270061895.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71c0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: 9b0469837449ea4e178cc26f53127da89e38b6aea0ba1d2f2063d61eaf24d881
Instruction ID: 86da3cd7081fe70e6cea06801b6060974cb6b46f980cf8d6ecbf1a27bbf56e5f
Opcode Fuzzy Hash: 9b0469837449ea4e178cc26f53127da89e38b6aea0ba1d2f2063d61eaf24d881
Instruction Fuzzy Hash: 0841DE30A043458FCB15DF70D899A6EBBB2AF85311B18C569E45A8B2D2CB34DD4ACB91

Function 071C3968 Relevance: 1.3, Strings: 1, Instructions: 88COMMON

Download Yara Rule

Strings

U, xrefs: 071C3A6B

Memory Dump Source

Source File: 00000000.00000002.1270061895.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71c0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: 33bef7c736d6aa9f62e7c1131306af99443b17f20e94b0d6b64a9711a32adb07
Instruction ID: 862d0adc62b1f0b46765acfca5ee88e87f80ce855be403aa4a037f040cb908ef
Opcode Fuzzy Hash: 33bef7c736d6aa9f62e7c1131306af99443b17f20e94b0d6b64a9711a32adb07
Instruction Fuzzy Hash: 2631A270A002068FCB14DF65D489A6EBBF2FF84311B18C659E81A87291CB34D946DB91

Function 075D0CBA Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

@, xrefs: 075D0CFA

Memory Dump Source

Source File: 00000000.00000002.1270900434.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: dc06172c7919e1683701fb8bc4ca8903e70b2f309cd623721a8b821eb3969d5a
Instruction ID: 3f224ff745ac7b0b7b27e763f32da140e2745f025c32272e66c8af955778e1f7
Opcode Fuzzy Hash: dc06172c7919e1683701fb8bc4ca8903e70b2f309cd623721a8b821eb3969d5a
Instruction Fuzzy Hash: 052192B6A012199FCB25CFA8C880EEEBBB5FF49210F04846AE508DB251D730DA55DB91

Function 071E2F33 Relevance: 1.3, Strings: 1, Instructions: 49COMMON

Download Yara Rule

Strings

U, xrefs: 071E2F3D

Memory Dump Source

Source File: 00000000.00000002.1270402973.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71e0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: a2d461b858f79349048d543db60dc45a38be7b5c5d10593a62cd9588514b9bfc
Instruction ID: 881302c76b89ebbd238d5676e8179e2de96c869cd588d971d9e47797379e3711
Opcode Fuzzy Hash: a2d461b858f79349048d543db60dc45a38be7b5c5d10593a62cd9588514b9bfc
Instruction Fuzzy Hash: 5D1152346047459FDB25DF29EC40D8B7BF5FF85210B048A29E4498F662EB74ED0A8BD2

Function 075DEFF2 Relevance: 1.3, Strings: 1, Instructions: 12COMMON

Download Yara Rule

Strings

h, xrefs: 075DEFFD

Memory Dump Source

Source File: 00000000.00000002.1270900434.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID: h
API String ID: 0-2439710439
Opcode ID: 03151d31780844ce2db0d40dd3bf50e1b32d828a5d17caf6bb754dd75cad4c85
Instruction ID: 39cf199e4ec5271dd84aabebc15c5db7248a8da98f9fbf11bc76c61667f47ba6
Opcode Fuzzy Hash: 03151d31780844ce2db0d40dd3bf50e1b32d828a5d17caf6bb754dd75cad4c85
Instruction Fuzzy Hash: 13D0C92004D7D98FCF039B64C8562E43F64BF8722079986EAC1608F9E7C56A591AC752

Function 071CC310 Relevance: .6, Instructions: 608COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270061895.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71c0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecdeff8c0672617320930ea1fccac7ee57019ec7ac904b00e5df4ee38cfe087c
Instruction ID: 83df7001653c283e9a627ae41cb50b674a73a90c8b3a8dd066e7558eb29a1421
Opcode Fuzzy Hash: ecdeff8c0672617320930ea1fccac7ee57019ec7ac904b00e5df4ee38cfe087c
Instruction Fuzzy Hash: E5326EB0B002059FDB15DFA8D498A6EBBB6BF88310B14846DE909DB3A5DB34DC45CB91

Function 075D0040 Relevance: .6, Instructions: 608COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270900434.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 180df5356252218c749aa40bbad54e740be230f59b48d7d72f8ff24111508651
Instruction ID: b05c697870486dcce7c243aac51223f990645c2e57448bd6920a5f3485bd4f56
Opcode Fuzzy Hash: 180df5356252218c749aa40bbad54e740be230f59b48d7d72f8ff24111508651
Instruction Fuzzy Hash: E932E5B1A043459FDB21CF68D984BAEBBF6FF85310F14859AD4489B292C730EC45CBA1

Function 075D24C0 Relevance: .6, Instructions: 604COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270900434.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77547e0c699fa6040de4d60ea1e3edef966b0f6e796fca84f49e39a099a77958
Instruction ID: c32b2938c12fc0d1842adb2b47c2c3a160dfc9abb31352f76483bb9f59f18dc7
Opcode Fuzzy Hash: 77547e0c699fa6040de4d60ea1e3edef966b0f6e796fca84f49e39a099a77958
Instruction Fuzzy Hash: FD424BB4A002059FDB25CF68C584AAEBBF2FF48310F558599E405AB3A1DB74ED81CF91

Function 075D9890 Relevance: .5, Instructions: 513COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270900434.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a25c0b1bef7f1242c2459eb71b94855c52e8b1f5ce25926680bd04cb83ef439d
Instruction ID: 9477ce3618c47742da67d16d9e4e8380559810ab3cf0ce081d1b290afc7c7409
Opcode Fuzzy Hash: a25c0b1bef7f1242c2459eb71b94855c52e8b1f5ce25926680bd04cb83ef439d
Instruction Fuzzy Hash: 532206B4E01219DFDB25CFA8D484ADDBBB2FF88214F248159E804AB355C775ED82CB90

Function 071C6028 Relevance: .5, Instructions: 496COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270061895.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71c0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e554c50af324920235ac545cfffd495f50f6d8a6e85f3e5c39f2f196551b19e
Instruction ID: 3729f9d48239d2a4f77e2ab1a5ca2a38b6bc37b999724d2031100456c5d14c61
Opcode Fuzzy Hash: 9e554c50af324920235ac545cfffd495f50f6d8a6e85f3e5c39f2f196551b19e
Instruction Fuzzy Hash: F22217B4A00219CFCB15DFA4C594AADBBB2FF58311F248669E815AB391D735EC42CF50

Function 071CFA00 Relevance: .5, Instructions: 483COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270061895.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71c0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89a55079aee8032dc2a31fa68968726cdeb217524dbd8bd20c9601e6829eec30
Instruction ID: f72b99e6e2a00b6177a85be1ed315aa0c5f6e1000ecb654440a61fa0fae1a2e3
Opcode Fuzzy Hash: 89a55079aee8032dc2a31fa68968726cdeb217524dbd8bd20c9601e6829eec30
Instruction Fuzzy Hash: 4C122975A00606CFDB25DF64C584A6AFBF6FF48310B158A68E4469BB91DB34FC46CB80

Function 071E80C0 Relevance: .4, Instructions: 399COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270402973.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71e0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54791997e5cb3d0b5bf5ca135a2a07dd6da7dcdaf70b120c7df1880f9d08235b
Instruction ID: 16abcd19d45fa8c5d500bcfa13f83007e56969a64b5d993a464ef900a16b7f84
Opcode Fuzzy Hash: 54791997e5cb3d0b5bf5ca135a2a07dd6da7dcdaf70b120c7df1880f9d08235b
Instruction Fuzzy Hash: 4FF148B4710A018FDB19DF6AC489A6EBBF6FF85210F199469E542CB3B1CB35E801CB11

Function 071C6017 Relevance: .4, Instructions: 394COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270061895.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71c0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7a7a1766b68bc71043fc22e93b9e01db5066b12caedd6080d4658abca444458
Instruction ID: 8a6e8d7ff975a373a17ea695fd53f04a808fc4fe224a071e206d113755fd4141
Opcode Fuzzy Hash: a7a7a1766b68bc71043fc22e93b9e01db5066b12caedd6080d4658abca444458
Instruction Fuzzy Hash: 8F0249B4A0021ADFCB15DFA4C594AADBBB2FF58301F24856DE8169B391DB35E842CF40

Function 075D3B30 Relevance: .4, Instructions: 374COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270900434.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89701571d19160687e9040e7c0c143e338f5c682144f87ab68896a41d85a98a7
Instruction ID: 76225714e82c2d33d01599811657608c709d6d6f6e953081f583dfcc10bf0a82
Opcode Fuzzy Hash: 89701571d19160687e9040e7c0c143e338f5c682144f87ab68896a41d85a98a7
Instruction Fuzzy Hash: 7BE14DB4A01209DFDB24CF68D484AEEBBB2FF89310F248559E445AB351C774ED42CB92

Function 075D59F8 Relevance: .3, Instructions: 339COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270900434.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5437a372dd8051b2c6265a532c9d042a413ff6f07cbb36bd66e9ec864e83b789
Instruction ID: 056b82e1994bfa32d323fa677c159edef1a8b2afdce8dfbca06a9d44ec7f192c
Opcode Fuzzy Hash: 5437a372dd8051b2c6265a532c9d042a413ff6f07cbb36bd66e9ec864e83b789
Instruction Fuzzy Hash: A1D17CB1B002169FDB14DFA9D484AAEBBF2BF88200F14846AE505DB355EB34DD45CBA1

Function 071C78E8 Relevance: .3, Instructions: 317COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270061895.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71c0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2116be13a3d5a03764073550d5ac1489f4f0b2d53b7097a43d77c3a3e9b974ab
Instruction ID: fb1b0de03fa5b080c27966b4d432997dce139cb7e2799c799e32dacc5f020f23
Opcode Fuzzy Hash: 2116be13a3d5a03764073550d5ac1489f4f0b2d53b7097a43d77c3a3e9b974ab
Instruction Fuzzy Hash: 02C158B0E00209DFDB15DFA8C490AAEB7F6AF98210F1485A9D805AB3D6DB74DD42CB51

Function 071CBD00 Relevance: .3, Instructions: 311COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270061895.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71c0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a460f9f5fe88a3490654ccf92dc433205930f9086f8f940adfb2d84a4d78d37
Instruction ID: 5003cc7b1b85fb3c941b4b0b5af5c4faec430f4af3c591624f0c6f728f22ed0b
Opcode Fuzzy Hash: 6a460f9f5fe88a3490654ccf92dc433205930f9086f8f940adfb2d84a4d78d37
Instruction Fuzzy Hash: A9C15EB5A05219DFDB15CFA8D484AAEBBB2FF88314F158159E804EB395C731DD42CB90

Function 075D54D0 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270900434.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e4d96b11b0864ad7118fd1098b79ca655df359961fd54528228375e8d41f9ed
Instruction ID: 58096c8ab2ce11874954351209a61349770fbb9ab79f819124326e42ee707a7e
Opcode Fuzzy Hash: 8e4d96b11b0864ad7118fd1098b79ca655df359961fd54528228375e8d41f9ed
Instruction Fuzzy Hash: EDC13DB5A11219EFDB15CF98D484ADDBBB6FF88310F24815AE804AB351D731ED92CB90

Function 071C8A00 Relevance: .3, Instructions: 299COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270061895.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71c0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fb8a1539e7149dddda2de2e80a18287093073e85cbbd56abe220454ef4b6699
Instruction ID: ef3468cc407425855714358e88d18052c75c3dcf972d88828fa5f3411a228b3d
Opcode Fuzzy Hash: 6fb8a1539e7149dddda2de2e80a18287093073e85cbbd56abe220454ef4b6699
Instruction Fuzzy Hash: 0CA1DBB07102019BEF09AF6498E4BBE6267EFD5204F604128EA069F7D9DF74DD0B4385

Function 071E70E0 Relevance: .3, Instructions: 297COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270402973.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71e0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cecabf08ccbd5bf10e44a816a399edd1ee49980563456d0347c96e793d89d702
Instruction ID: 6240cad4a17ceb1b0749f743973ff9599dc07f12867504a886992bebca12103b
Opcode Fuzzy Hash: cecabf08ccbd5bf10e44a816a399edd1ee49980563456d0347c96e793d89d702
Instruction Fuzzy Hash: AFC109B4E00219DFEB15CF98D884A9DFBB6FF88310F258159E805AB395D770AD42CB81

Function 071E0040 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270402973.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71e0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f30a1ae386ab6253962f846800beafcd9c734bb371f796b49ca6e714f62b03a
Instruction ID: 3011b86fe6723b547ec25e3f4f6a529d21f2e7b61e8584d507b39c8b07f0e52e
Opcode Fuzzy Hash: 4f30a1ae386ab6253962f846800beafcd9c734bb371f796b49ca6e714f62b03a
Instruction Fuzzy Hash: ABB1A0B0724B02CFD7258F35C54462AB7FAAF89210F24492DE446DB7D1DBB4E982CB51

Function 071E3260 Relevance: .3, Instructions: 290COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270402973.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71e0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17e826aad3f700cf51f89b36fc77e11dccc937643f766fc128553d6fdd97553d
Instruction ID: a6b138a5605c890a4fc6113d11a56bd9d3a35f2facd2bbaafe2f27e147cfc7d5
Opcode Fuzzy Hash: 17e826aad3f700cf51f89b36fc77e11dccc937643f766fc128553d6fdd97553d
Instruction Fuzzy Hash: DCB1E4B17047419FD316CB24D588E26BBF6EF85310B59C5AAD41ACB7A2CB34EC86CB50

Function 071CB750 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270061895.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71c0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d86eacd33431753c77999f557277dd4a9dccc82c3440f0f74502ec3e164facb9
Instruction ID: 5da5649085fbabb058936efff8a7a9ce29e55921e96551192766fe24c0cc21f5
Opcode Fuzzy Hash: d86eacd33431753c77999f557277dd4a9dccc82c3440f0f74502ec3e164facb9
Instruction Fuzzy Hash: E9C13AB4A04219EFDB15CF98D585A9DBBB2FF88310F198159E844EB395C731ED82CB90

Function 071C29F0 Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270061895.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71c0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a42805aa918deb587ec4509292bd0df551f49bf1b99fa5277bc1730b95631884
Instruction ID: 33b52cb8774b859fa6ea907eeeea1184a463cfb0223df6290c9dcd5a3298f337
Opcode Fuzzy Hash: a42805aa918deb587ec4509292bd0df551f49bf1b99fa5277bc1730b95631884
Instruction Fuzzy Hash: 93B16D75A10219DFDB15CF98D484A9DFBB2FF98320F298159E804AB395C735ED82CB90

Function 071C89F0 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270061895.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71c0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a3396bdf5381d8fddcd3d37c26935fb2313fc7b3ca876335e1882f30ca53931
Instruction ID: 885c0119582216da07cecf798c4c9bcefd6ced07a4ff79784e02c519c84a5104
Opcode Fuzzy Hash: 4a3396bdf5381d8fddcd3d37c26935fb2313fc7b3ca876335e1882f30ca53931
Instruction Fuzzy Hash: 0281D9B0710201ABEF09AF6498E4BBE6167EBE5204F600128EA069F7D9DF74DD0B43C5

Function 075D3698 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270900434.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea34485b0094e2e92de6ba50fb978d195b9a707da884ff7bd791f40726b8e3df
Instruction ID: 9b5693e4917cd15aca480403cd9213114c1162fa5803927bec98896b689ac7c4
Opcode Fuzzy Hash: ea34485b0094e2e92de6ba50fb978d195b9a707da884ff7bd791f40726b8e3df
Instruction Fuzzy Hash: D7B12AB4A11219EFDB25CF98D484ADDBBB2FF89310F248159E805AB355C731ED82CB91

Function 071C97C0 Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270061895.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71c0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c0881e66930a54381f21f09f6cb0213c27edd624c4d0cb014eee1435de1dd96
Instruction ID: f981f1de235405a5bb4a33d8fa96f228716eb16e1222bac5ea2b0fadecac7af7
Opcode Fuzzy Hash: 8c0881e66930a54381f21f09f6cb0213c27edd624c4d0cb014eee1435de1dd96
Instruction Fuzzy Hash: AEB117B4E01249DFDB15CFA8D584A9DBBB2AF88314F29C159E844AB395C731ED42CB80

Function 071E7758 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270402973.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71e0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee804447c59016f51f757d454c9e0d7c1c15cee0b583d41d35f02bf374fa7ff2
Instruction ID: dbff305fa7a97bdda88851d9049d35f0a84eeaff5efac1604a88110c10b87c0c
Opcode Fuzzy Hash: ee804447c59016f51f757d454c9e0d7c1c15cee0b583d41d35f02bf374fa7ff2
Instruction Fuzzy Hash: D1A1D6B0A007059FDB19DF24C484A9EBBF6FF89310B148569D4499F392DB70EC46CB91

Function 071C78D7 Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270061895.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71c0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 152806982764be935cbad91e2ab690fec1118a57634c4651386cc5e890a1e927
Instruction ID: 69c749eddc317394282fa875012007d89b16ebd5ca36d99af7fa22375dc744af
Opcode Fuzzy Hash: 152806982764be935cbad91e2ab690fec1118a57634c4651386cc5e890a1e927
Instruction Fuzzy Hash: BDA18BB0E00209DFDB15DFA8C480AAEB7F6AF58210F1545A9D805AB3D6DBB4DD41CFA1

Function 075DAAB8 Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270900434.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e644bd60d16150fd4ea9436189455ee631a36917d7eb0441ccbe435d766136ad
Instruction ID: 5729828d38b54ca4bb8be1f27841ddbddd2114d6603a852250b69ce52293ad7c
Opcode Fuzzy Hash: e644bd60d16150fd4ea9436189455ee631a36917d7eb0441ccbe435d766136ad
Instruction Fuzzy Hash: D891C5B5A0060A9FDB25CFA8C580AEEB7F6FF48320F14856AE92597360D730ED51CB50

Function 071C5B20 Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270061895.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71c0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e775b9099bfaa466844b96027b1b1e78eeb6f92e986eacc77326160e0273b254
Instruction ID: 9fdeaf45e2445563508c4d90da006864fc39fcf9fec59cbe3dbff8ff08581384
Opcode Fuzzy Hash: e775b9099bfaa466844b96027b1b1e78eeb6f92e986eacc77326160e0273b254
Instruction Fuzzy Hash: 92717C70610705DFCB25DF64D890A6ABBBAFF95310B108A2DE4468B691DB30E906CB91

Function 071E4370 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270402973.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71e0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6509d8ff1eee703a2c9e97673115cc47bcfaf63e561133bb704ab6eb0e0370ea
Instruction ID: 21432c10977cbf9b151aae3cbd9721cf79493a432967bf31a71452c34c7ea035
Opcode Fuzzy Hash: 6509d8ff1eee703a2c9e97673115cc47bcfaf63e561133bb704ab6eb0e0370ea
Instruction Fuzzy Hash: A9819EB4B00746CFDB25CF28D584A6AB7FAFF84210F108529EC06CB691DB74E946CB91

Function 075D4988 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270900434.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1212b8b9e0194ce163aff01410118a6930e199ef10b45c7a7a522a84357bf4d8
Instruction ID: aed4652780e58280c0ef74a934f4c5f771fd667c3159de17c0e85ee42e9bc68f
Opcode Fuzzy Hash: 1212b8b9e0194ce163aff01410118a6930e199ef10b45c7a7a522a84357bf4d8
Instruction Fuzzy Hash: D1714BB4A002499FDB19DF68D484AAEBBF2FF88310F14C56AE8059B351DB35ED45CB90

Function 071C03F0 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270061895.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71c0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e54eff1c02323eb7de97fa02fd02443d8deb44b2f7b96beeeede5ab452eff1b
Instruction ID: 7bc15871af226cd05ed9551b40639cacacd59205e0b112e27023265b196c8d8c
Opcode Fuzzy Hash: 9e54eff1c02323eb7de97fa02fd02443d8deb44b2f7b96beeeede5ab452eff1b
Instruction Fuzzy Hash: D5615B70B00209DFDB15DB69D858AAEBBB5EF88314F108469E506EB3A1DB35EC45CB90

Function 071C7919 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270061895.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71c0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a870c941211d01da01667ba2f9685ebf30c87a3623756383871e75c012a8f21
Instruction ID: 105d5c8b5a957f1b0d3a7835fdf7d18c88999dacb7f6cb84d037bc3539ec68a7
Opcode Fuzzy Hash: 3a870c941211d01da01667ba2f9685ebf30c87a3623756383871e75c012a8f21
Instruction Fuzzy Hash: C07148B0E00209DFDB15DFA8C490AAEBBF6BF58200F108569D805AB395DB75E946CF61

Function 071C790F Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270061895.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71c0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9b938ffe538615875b77fcf3bcdaaf3af33bb021a33704ac1fe3daf91b07eb6
Instruction ID: 3422a8c9eea6822628b8332487cceba53d72a04778261e010ec9a458012df077
Opcode Fuzzy Hash: e9b938ffe538615875b77fcf3bcdaaf3af33bb021a33704ac1fe3daf91b07eb6
Instruction Fuzzy Hash: 7E7148B0E00209DFDB15DFA8C490AAEBBF6FF58200F108569D805AB395DB75E946CF61

Function 071C7937 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270061895.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71c0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f98a81d273b2c856c07f9fc25a153bf4995b4c4a1644ff314227c1c53d81b916
Instruction ID: 32d694b3e29facb3dc7dddec27fb95f1031a89b7a9d26eab7886c2b2e9e01e59
Opcode Fuzzy Hash: f98a81d273b2c856c07f9fc25a153bf4995b4c4a1644ff314227c1c53d81b916
Instruction Fuzzy Hash: 577147B0E00209DFDB15DFA8C490AAEBBF6BF58200F108569D805AB395DB75E946CF61

Function 071C792D Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270061895.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71c0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 534ac823944b1c5cdf50855bc80e09b7ad28b69370361a54412e5fc8f5a125a5
Instruction ID: 4f47a3c3778d43e1aca3f138a6af4f90d2b8c006885c47c731f2cbb255d36e87
Opcode Fuzzy Hash: 534ac823944b1c5cdf50855bc80e09b7ad28b69370361a54412e5fc8f5a125a5
Instruction Fuzzy Hash: 487147B0E00209DFDB15DFA8C490AAEBBF6BF58200F108569D805AB395DB75E946CF61

Function 071C7923 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270061895.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71c0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 056eff3ebf72543c5abfb179ba3ce4042a65eba94219ee5f7ffab56d5264e787
Instruction ID: bf44e469406c99d7fee8059819e76da96c481ced921226d01548b0d8a9163c7e
Opcode Fuzzy Hash: 056eff3ebf72543c5abfb179ba3ce4042a65eba94219ee5f7ffab56d5264e787
Instruction Fuzzy Hash: 617148B0E00209DFDB15DFA8C490AAEBBF6BF58200F108569D805AB395DB75E946CF61

Function 071C7955 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270061895.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71c0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d64684cc26c442b8f63088f2d169f74ffcf5235323df63c8363216bc67532383
Instruction ID: b26d8ad21dc367fa9dc3eff091a07530a87cef86bb4fbb133aea5f6cca6814b4
Opcode Fuzzy Hash: d64684cc26c442b8f63088f2d169f74ffcf5235323df63c8363216bc67532383
Instruction Fuzzy Hash: A77147B0E00209DFDB15DFA8C490AAEBBF6BF58200F108569D805AB395DB75E946CF61

Function 071C794B Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270061895.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71c0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cda9a0487bac89c8166a1ad494005c8074ab042c4084d8bc4799708ee5444e98
Instruction ID: 6119d61b5a847412af0d62eac4ef40b5c1ba4b59050eafe74458860d83b3d8fa
Opcode Fuzzy Hash: cda9a0487bac89c8166a1ad494005c8074ab042c4084d8bc4799708ee5444e98
Instruction Fuzzy Hash: B57148B0E00209DFDB15DFA8C490AAEBBF6FF58200F108569D805AB395DB75E946CF61

Function 071C7941 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270061895.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71c0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f695d90aba67914a72538b90c4619a99c05ee65eed04c01050f3b3f035a4fefc
Instruction ID: e96ff792020fede9927b7aecbde87e083f27d15992fa8961173f17a018a4f3b6
Opcode Fuzzy Hash: f695d90aba67914a72538b90c4619a99c05ee65eed04c01050f3b3f035a4fefc
Instruction Fuzzy Hash: A97147B0E00209DFDB15DFA8C490AAEBBF6BF58200F108569D805AB395DB75E946CF61

Function 071C7969 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270061895.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71c0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14f842b24853fe0aaa786861ddfeca93731f55cea44cae8bd63116ab000a581e
Instruction ID: 35f5e44fbf815260b5e96be0da3d96cf7de7e9953ad9b7c3fa79d4f19911844c
Opcode Fuzzy Hash: 14f842b24853fe0aaa786861ddfeca93731f55cea44cae8bd63116ab000a581e
Instruction Fuzzy Hash: 5D7147B0E00209DFDB15DFA8C490AAEBBF6BF58200F108569D805AB395DB75E946CF61

Function 071EBED0 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270402973.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71e0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9228e9bd9877c095f3ddbe9570f3ac34fe2acfbf816d3df8ecdc71ac86a74756
Instruction ID: 2d10c56d3eed776b79e1d84a653ab4a1ef85173da5a9d9bf8cbbe33039ca633e
Opcode Fuzzy Hash: 9228e9bd9877c095f3ddbe9570f3ac34fe2acfbf816d3df8ecdc71ac86a74756
Instruction Fuzzy Hash: 18614C74A013059FDB19DFA9D944AAEBBF6FF89310F148429E806E7391DB359C42CB50

Function 071E4180 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270402973.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71e0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97c8c96ce3ba29bf17670a8d9431ba2fda058ed597142a9678aa43da8706b5ee
Instruction ID: 8efdd40ffeca0028ed6d130559863e4ae8423486295155dac58255e2dfc9c8b4
Opcode Fuzzy Hash: 97c8c96ce3ba29bf17670a8d9431ba2fda058ed597142a9678aa43da8706b5ee
Instruction Fuzzy Hash: A361D5B4E002598FDB54CFA9D480A9EBBF5FF88310F10816AE919EB354E7719951CF50

Function 071EBE99 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270402973.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71e0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43e1e48a7a1322951774ac96f1b2a6b8a090bdb3f72305364d2b8a3ebd4aa20f
Instruction ID: 63bd9fe908e16397343273e97714d6b53c4141d76875bd605f6ff2ed17a626d7
Opcode Fuzzy Hash: 43e1e48a7a1322951774ac96f1b2a6b8a090bdb3f72305364d2b8a3ebd4aa20f
Instruction Fuzzy Hash: A0618B75A01345AFDB15CF68D844AAEBBF6FF89310F14806AE806D7391DB359C46CB90

Function 071E435F Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270402973.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71e0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c0b53dd79c75430cab81177c732a6b7651af24885dcdaf447e9a212c6c5751e
Instruction ID: 0a6964629ead068a404dd597bd6577aaf2bad5fd05b744e19246c19ffe46b1d1
Opcode Fuzzy Hash: 3c0b53dd79c75430cab81177c732a6b7651af24885dcdaf447e9a212c6c5751e
Instruction Fuzzy Hash: 1B5192B4A00746CFDB25CF64D584A6ABBF9FF84310F04852AEC05CB691DB74E946CB91

Function 071E4173 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270402973.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71e0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9ac65be53434982a95621d78f85a1cd5a03b402e83586956f686cabeb8d8b09
Instruction ID: b8c8a02a32613fb0e526c4236900d3d20aa36038525aae90fe3b1ef8f08f6d71
Opcode Fuzzy Hash: c9ac65be53434982a95621d78f85a1cd5a03b402e83586956f686cabeb8d8b09
Instruction Fuzzy Hash: F651F6B4A002598FDB15CFA9D88499EBBF5BF88310F10416AED09EB355E770DD41CBA0

Function 071E6940 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270402973.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71e0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 987c90e423175674eb724c1601806fcb306da1dd7456c94be8e5f8a935a57ff4
Instruction ID: f92883fdcb392f0bffa86cfc49022bb784c27f4a417ae93ab3be2ec5ee6b1b0e
Opcode Fuzzy Hash: 987c90e423175674eb724c1601806fcb306da1dd7456c94be8e5f8a935a57ff4
Instruction Fuzzy Hash: FD4137312097819FC3139B29D450E96BFB9EF82710B59C4EBD0598F2A2C735EC86C7A1

Function 071E6000 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270402973.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71e0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 716bf3526c543401aee02cac4ae8f35612727ecf21e3bb47acf33b1bc555245c
Instruction ID: 5dc32eb65b77bb92e4477d0e75affe5ed6df498598f14a22de7bb5442539fb77
Opcode Fuzzy Hash: 716bf3526c543401aee02cac4ae8f35612727ecf21e3bb47acf33b1bc555245c
Instruction Fuzzy Hash: 8851CE707046049FD729AB29C855B6ABBFBBFD4320F658069E9068B391CF34DC42DB81

Function 071E2FD8 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270402973.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71e0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72a595b279374d5fcaffd5e50d29b22f6d44fdb9c552afb15ceab955cd0d9453
Instruction ID: d5eade5801c9c1739ad48f9e3e4a7ea3db67b4033469e5947c926b5f10bcd5a0
Opcode Fuzzy Hash: 72a595b279374d5fcaffd5e50d29b22f6d44fdb9c552afb15ceab955cd0d9453
Instruction Fuzzy Hash: 6C41BFB2714A02BFDB364B35880472BB3EEAF86250F14896DD567C76C0DB34E882C791

Function 071C0240 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270061895.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71c0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25956356a89fe160f64585f1cc13bf2ff61aa8f435f55de27a4cd9dcb64da9c6
Instruction ID: 39e26f28ec7c861d83be824125262132ee7a2fa0a99af074e32139c231349ff9
Opcode Fuzzy Hash: 25956356a89fe160f64585f1cc13bf2ff61aa8f435f55de27a4cd9dcb64da9c6
Instruction Fuzzy Hash: B2517D71A04356DFCB12CFA8C944AAEBBF2FF59220F158559E855DB3A1C730E944CB90

Function 071E7F08 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270402973.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71e0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c1cb74c7cb576f168965e411d647d14e681a5157d454a9a8778e4ca654f2462
Instruction ID: 730da8e68c59fca2d78e6d0f52153b0b2e640b0823f36fca27a30ab4cca53da2
Opcode Fuzzy Hash: 0c1cb74c7cb576f168965e411d647d14e681a5157d454a9a8778e4ca654f2462
Instruction Fuzzy Hash: 6E51ADB4A003469FDB15DF28C48499EBBF6FF89310B1586A9D448CB362DB31ED46CB91

Function 071CD3E8 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270061895.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71c0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45b89cf1747ff1edba039425a6b8d1d83caaf6d4b68e07aef86f47b8b230f968
Instruction ID: e0c0a15916bedc859baad666b793fd543d2308505b230ede07c94468125ff7a2
Opcode Fuzzy Hash: 45b89cf1747ff1edba039425a6b8d1d83caaf6d4b68e07aef86f47b8b230f968
Instruction Fuzzy Hash: BB518E76B00109AFCB41DFA9D844AEEFBF5FB88320F04816AE905DB251D731E955DB90

Function 071EFB20 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270402973.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71e0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76b5e15c6eff4afe95c4910d34732e1bb86820ec63ed8cf28d5ce9161d01b23f
Instruction ID: a42dec0db8793cc2297bea49d273bde5c19c68186322fc5a103350449fc0a340
Opcode Fuzzy Hash: 76b5e15c6eff4afe95c4910d34732e1bb86820ec63ed8cf28d5ce9161d01b23f
Instruction Fuzzy Hash: 8941E572B042499FCB02DFA4D8508EFBFBAEF852217148066FD55C3251D731D921DBA1

Function 071E7F18 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270402973.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71e0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04c7b669cbfa0d948c913e8987b074ed56223c9b661b65f220b743d4925d73f6
Instruction ID: b87bd484b3ad93f140e2399e2d1b151eef0387d48360b68e2aa322d7feec963f
Opcode Fuzzy Hash: 04c7b669cbfa0d948c913e8987b074ed56223c9b661b65f220b743d4925d73f6
Instruction Fuzzy Hash: F0519DB4A00306DFDB15DF68C48499ABBF6FF88310B1486A9D4099B362DB30ED46CB91

Function 071C21D8 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270061895.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71c0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7af7a038c374950bb1cf2093db26f766cd00a693b85b1bff95204e04cec3b5c9
Instruction ID: da820a5e7eeb4dee59a0ea0f29c1470ab859ca3f21aa1d9fffedcadd0b389f32
Opcode Fuzzy Hash: 7af7a038c374950bb1cf2093db26f766cd00a693b85b1bff95204e04cec3b5c9
Instruction Fuzzy Hash: 6E414BB4314551CFC74DDBA8D25982D7BB2BBA9611782059CE8068B7D1CF38DE43CB81

Function 075D38B9 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270900434.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f862bd0b0f5b85f888ff4f46f75332c40a35a11fe6729eac4c22262d20b30ad
Instruction ID: a0901bbe38f13ba62c174dcc95e947f41102c12665b2171facbc483907849b11
Opcode Fuzzy Hash: 9f862bd0b0f5b85f888ff4f46f75332c40a35a11fe6729eac4c22262d20b30ad
Instruction Fuzzy Hash: 5F51D874A01209EFDB15CF98D484ADDBBB2FF88314F248559E805AB365CB35ED82CB91

Function 071E87F8 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270402973.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71e0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf3d7adeb262bb305968c567c58089f72540d261328f6297a3cdc4b66f87dd3d
Instruction ID: fc682a3323c9e7db3f6b0c3484ade4386d2f53be87ea23a8502304289d88eab8
Opcode Fuzzy Hash: cf3d7adeb262bb305968c567c58089f72540d261328f6297a3cdc4b66f87dd3d
Instruction Fuzzy Hash: 27412875B00A068FCB25DF69D98086ABBBAFFC5310715807AD804CB391DB30EC02C761

Function 071C69F0 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270061895.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71c0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cf9460869c589b775ad066d14fd6ac48dcbe60be550835a6a9196e47f4687a7
Instruction ID: 4bc6b72e4c4396c161f52494523f184cbeb84d8f313955e2b76055368e6920a1
Opcode Fuzzy Hash: 5cf9460869c589b775ad066d14fd6ac48dcbe60be550835a6a9196e47f4687a7
Instruction Fuzzy Hash: 4D414CB5A1020AAFDB05CF98D844AAEFBB5FF48314F108229E5159B241D771EE56CBD0

Function 075D2DF0 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270900434.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 726c86d557e22bd2808e51832c93b789ee210faeb517607cb0ee9f015c7bc2a9
Instruction ID: d85dc51e322ccda387e5ae1f49954235615c24496ef832f8a24a935dfcbcd195
Opcode Fuzzy Hash: 726c86d557e22bd2808e51832c93b789ee210faeb517607cb0ee9f015c7bc2a9
Instruction Fuzzy Hash: 694104B13006008FC728CF69D484A6AB7F6FF89211B1549ADE5468B7B2CB71EC42CB50

Function 071E58B0 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270402973.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71e0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 925f07a16de4c779288e1bc334ee9e5514dbc40ac0b2d823af6160d8478205ae
Instruction ID: f01e89bc2319d8757b08229d2f813700e2b5eb256e39a07b74189d8fb1476cde
Opcode Fuzzy Hash: 925f07a16de4c779288e1bc334ee9e5514dbc40ac0b2d823af6160d8478205ae
Instruction Fuzzy Hash: 39414BB4E016098FCB14CF69C984AAEFBF6BF48324F158159E815A7391D734E951CF50

Function 071CBF17 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270061895.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71c0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fae1ab295ab332992f44e176def46c30caf1ce9bcee5016452ed4d91a79825c8
Instruction ID: 2b67eff68fc52a5054e532a2e7e40d9cd180c824168cfdffb1b0caf537fec521
Opcode Fuzzy Hash: fae1ab295ab332992f44e176def46c30caf1ce9bcee5016452ed4d91a79825c8
Instruction Fuzzy Hash: 3051D8B4A00209EFDB15CF98D484A9DBBB2FF88314F248558E405AB365C775ED82CF90

Function 075D56E7 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270900434.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65b438388827349c1d1da8858c2e7337e2ca4a470282c6125553c840e258b52d
Instruction ID: 9c5c5e68cfcdb6fcd3fb079b9199f30c421ba27f3b29b0889d93db901fd1f251
Opcode Fuzzy Hash: 65b438388827349c1d1da8858c2e7337e2ca4a470282c6125553c840e258b52d
Instruction Fuzzy Hash: F751E774A01209EFDB15CFA8D484ADDBBB2FF88314F248559E405AB365D735AD82CB90

Function 071E8A50 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270402973.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71e0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b3d981fcf497f4928dd59e6dfc408a7e3f283d884b595170876c196e35e1e21
Instruction ID: d00dec361cc91b31cd7d62f6cd867552698bf63ad837440cf073ffa5d8824638
Opcode Fuzzy Hash: 6b3d981fcf497f4928dd59e6dfc408a7e3f283d884b595170876c196e35e1e21
Instruction Fuzzy Hash: D741C2B1700A15CFCB15DF69C984A6ABBF9EF89711B1980A9D909CB3A1DB30DC41CB61

Function 071E5877 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270402973.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71e0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8b1afa9f61b0d0d67408e7ea2ff62428f776c9e9a1146587a7d195a737c53f0
Instruction ID: 070bb88da44a93201e50713f8ab158cc89730703e731ab4d12c83c95707d53bc
Opcode Fuzzy Hash: f8b1afa9f61b0d0d67408e7ea2ff62428f776c9e9a1146587a7d195a737c53f0
Instruction Fuzzy Hash: 65415DB4A016098FDB14CF69C884AAEFBFAFF48324F198169E815A7391D734E951CF50

Function 071E9E68 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270402973.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71e0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a735f7d0c6a1abf9a543cde23ee1c083e3b70320e18cf86a3d666705a1a3a3fc
Instruction ID: 25243bb5400f111fb7f31e8168a195100bf6d30df4c5dde8555b0075032a76dd
Opcode Fuzzy Hash: a735f7d0c6a1abf9a543cde23ee1c083e3b70320e18cf86a3d666705a1a3a3fc
Instruction Fuzzy Hash: B8311271B047115FD359DEA9E440A5FB7EAEFC9560724812EE8099B380DF31EC0687E1

Function 071CB965 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270061895.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71c0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37ac6eb4051ac0b348dbe7a945730a30a4535e0d24a425c58333bb720cc32ada
Instruction ID: e59322383fc10e359403688bfcf42fd220080dcfffd5771580df637a58572366
Opcode Fuzzy Hash: 37ac6eb4051ac0b348dbe7a945730a30a4535e0d24a425c58333bb720cc32ada
Instruction Fuzzy Hash: 375119B4A05209DFDB15CB98D485A9DFBF2BF88314F288158E444AB3A5C735ED82CF50

Function 075D82B0 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270900434.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e92a129aa4db58a3969845c9af462483a0f69a274f2e39b3d17f2d9e437f688
Instruction ID: 02c59b42f59898c05e891f1d4b124bb9f49eda9c5b448319c347f4989edfa460
Opcode Fuzzy Hash: 3e92a129aa4db58a3969845c9af462483a0f69a274f2e39b3d17f2d9e437f688
Instruction Fuzzy Hash: B441A3B0B0020ACFCB18DB79C9555BE7BB6FF89200B50457AD449DB291EF74EC018B91

Function 071E3840 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270402973.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71e0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f696c0979e5a199b27d95eb6ce2987634bc844724a16b01217c5f687ae0524a
Instruction ID: 937a132ffd3b967bf4b60999a5d25ca2c289664f06b38dfa38818c54dc182435
Opcode Fuzzy Hash: 7f696c0979e5a199b27d95eb6ce2987634bc844724a16b01217c5f687ae0524a
Instruction Fuzzy Hash: E141AFB0A04B06DFC7258A25C945B6BBBF9EF49350F10492DE4AAD72D0C730E882DB60

Function 071C2C01 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270061895.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71c0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f5d46714a30d1246a68b94da3f4cc279b29543f29f7e7011c631021a86c2c2e
Instruction ID: 710d28777f9c1e3877bbdbb97c0d7cb1ec3eb55c781f9081bac3ff4c70a46897
Opcode Fuzzy Hash: 9f5d46714a30d1246a68b94da3f4cc279b29543f29f7e7011c631021a86c2c2e
Instruction Fuzzy Hash: B941D774A00209EFDB15CF98D484AADFBB2FF88314F248159E405AB3A5C775ED82CB90

Function 075DEDF6 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270900434.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50adbab01edd6c474c9bf0d6886bec2d624a24bb87c4a377ea81c50825879da8
Instruction ID: 53d4582f00bf7abc43b0e95f98bfc1196debca769d78f86b598fb15f5bbc2a56
Opcode Fuzzy Hash: 50adbab01edd6c474c9bf0d6886bec2d624a24bb87c4a377ea81c50825879da8
Instruction Fuzzy Hash: FE31E7716093A18FC7115B78A85A1F9BFB1FF8711170845E7E482CF292CA3A8C4AC7B5

Function 071E7306 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270402973.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71e0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 429920529510159228be20dc43035840edf67c530b69618c76c682a7f18b4591
Instruction ID: 7a52fc8fa46b73288288990c7aa9701e1f480258cf0505fb2119318f6c306825
Opcode Fuzzy Hash: 429920529510159228be20dc43035840edf67c530b69618c76c682a7f18b4591
Instruction Fuzzy Hash: 7F41C374A01219DFEB15CFA8D484A9DFBB6FF88314F248159E405AB3A5C775AD82CB80

Function 071EC141 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270402973.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71e0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4130505b0922ef8f1c5e49288c335282936827782bc3f3ea0d5f5b74e64c1095
Instruction ID: 1598cd6428dac240855524a17e303e026af45052ddad835ab6ffe7fc0f409095
Opcode Fuzzy Hash: 4130505b0922ef8f1c5e49288c335282936827782bc3f3ea0d5f5b74e64c1095
Instruction Fuzzy Hash: C5419EB5604615DFCB09DF28D48896EBFBAFF48321B16C496E415873A2CB34ED05CBA1

Function 071C99CB Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270061895.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71c0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccf880f3059ad1f1b43f32b98d4537dcfcb61a6ff0cc43938fe256b8ac339032
Instruction ID: 2b38f98400e9fa6bba16f82e318f407d19e5bfa600ad1d2629ca142a3e9a8d48
Opcode Fuzzy Hash: ccf880f3059ad1f1b43f32b98d4537dcfcb61a6ff0cc43938fe256b8ac339032
Instruction Fuzzy Hash: 4941C574E01209DFDB15CBA8D584A9DFBB2AF88304F28C599E405AB3A5C775ED42CF80

Function 075D3D3B Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270900434.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 950b7a53299cff896f44711fdc8b7fe018e9dfe456c8e5678d1d4d413840f941
Instruction ID: c884266cef8a45b4860610d8bdcb22d7b221926b9f4f800845576acda013a432
Opcode Fuzzy Hash: 950b7a53299cff896f44711fdc8b7fe018e9dfe456c8e5678d1d4d413840f941
Instruction Fuzzy Hash: 1541DE74E01209EFDB15CBA8D584A9DFBB2BF88304F24C559E404AB365CB35AD82CF91

Function 075D9A9B Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270900434.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82771fa50b41b2246188b16cb28007c7c8f4c8c6233986a41ccf85748f554e60
Instruction ID: de0056656bbbdc7c9f5dfaec60d7f73899d6f8e025d1cb1cdf6dfccd87fc357e
Opcode Fuzzy Hash: 82771fa50b41b2246188b16cb28007c7c8f4c8c6233986a41ccf85748f554e60
Instruction Fuzzy Hash: 6141C074E01209EFDB15CBA8D584ADDBBB2FF88304F25C159E404AB365CB75AD82CB80

Function 075D59E8 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270900434.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2055e4019e192c7503281b9fa68a8fa1163a86bf3badb76add2c7d59a3f0fb72
Instruction ID: fbe6f298c0cc88a1af16014b13508be52166858539209e68b32a372b29c7e25d
Opcode Fuzzy Hash: 2055e4019e192c7503281b9fa68a8fa1163a86bf3badb76add2c7d59a3f0fb72
Instruction Fuzzy Hash: 783181B1B00215DFDF15DF68C8906AEBBB6BF88300F148469E905EB284EB35DC51CB91

Function 071C4D90 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270061895.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71c0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86b63761650678694459e2805e2a12368ee783651b952cf19224c99268d8501e
Instruction ID: 531e30caeac5b59343c01cbbacd088c5c896f1ff499829e5e4b4708c01e2d2e1
Opcode Fuzzy Hash: 86b63761650678694459e2805e2a12368ee783651b952cf19224c99268d8501e
Instruction Fuzzy Hash: 68113A712083918FC326AF74A454A9A7FB5FFD1220715456FD5468F681CB38D906C7D2

Function 075DD6F8 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270900434.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be223623fa3fa3f88272a9e4b863a1e8a5f5e29dd63e9382353b10c694574b38
Instruction ID: 839f7aefc5cc6005c8b57a83e8c7f502009158c75fe4b497221f86b4da778b7a
Opcode Fuzzy Hash: be223623fa3fa3f88272a9e4b863a1e8a5f5e29dd63e9382353b10c694574b38
Instruction Fuzzy Hash: 31410474E00219DFDB15DFA9D844AEEBBB2FF88310F10806AD405A7360DB359D42DB95

Function 071E5048 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270402973.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71e0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 590f4326c9b0e109f15bed24ec3ef780b86258f31ae000e47e93bafa8bd5f8c8
Instruction ID: 52f1b7f016b4cd2b8bdf07d7a1905522d7f99e2ba43e732a7651f76e84955541
Opcode Fuzzy Hash: 590f4326c9b0e109f15bed24ec3ef780b86258f31ae000e47e93bafa8bd5f8c8
Instruction Fuzzy Hash: BF319071A116408FD715DBA8D8846AEBBF7EF88300F05856AD40AEB791DB74AC098B90

Function 075D4548 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270900434.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 389c9d0bcad5a9b8ab903440f6c693bc61e655d90a45c8f491346b160d7b1974
Instruction ID: df9ab562def371a41bdd67d61c596493344e2678e5658e00d47c598b675a0745
Opcode Fuzzy Hash: 389c9d0bcad5a9b8ab903440f6c693bc61e655d90a45c8f491346b160d7b1974
Instruction Fuzzy Hash: FF21D6717043419FD7308B69E444A9ABBE6FFC5224B14847AE90EC7752CA31EC42C750

Function 075DD708 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270900434.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c59e3257343a8338b1dc249deedc9040f644ab25a0284aa8a8577733c30f1890
Instruction ID: 3e1bed24a75e426b139fae4b1b2b94cbd8cdf80c708b36d933cb18273ff56595
Opcode Fuzzy Hash: c59e3257343a8338b1dc249deedc9040f644ab25a0284aa8a8577733c30f1890
Instruction Fuzzy Hash: B731E274E00219DFDB14DFA9D844AEEBBB6FF88300F10802AE805A7360DB359D42DB95

Function 075DA609 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270900434.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 089851bf41dc1d4c9f56f3b91afff38ec90441b9053d4dd2a0de6d2857f4303f
Instruction ID: 775aa1ef85a14901d5979a61d3ab5b3850bf43c6257a323384fa18c4a21c0d80
Opcode Fuzzy Hash: 089851bf41dc1d4c9f56f3b91afff38ec90441b9053d4dd2a0de6d2857f4303f
Instruction Fuzzy Hash: 65210676B006118FEB348BA8C4915BE7BE6FBC4211B29846BD142D76A5C634ED40CB62

Function 071E8B90 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270402973.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71e0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc95aeb9788e369d1587ea0f5e1f8b901acba479e798c8b4b204c03fa0544410
Instruction ID: ba96934f4b620f1bbed39377487f9a6a4bea89021a1e27b157780fd1b4206ea1
Opcode Fuzzy Hash: cc95aeb9788e369d1587ea0f5e1f8b901acba479e798c8b4b204c03fa0544410
Instruction Fuzzy Hash: 2A217C717106109FC7149F2DD898A6A7BEAAF8965171580B9E506CB3B1DF31DC81CB60

Function 071E6568 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270402973.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71e0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc470bcae5f1e9f97120546a5ec6887adaa0e55e3e3a81092cb2a686f0efa55e
Instruction ID: 9efcecb9b91ca7b409eceb3b1a21034cd84cea6d0642df6cb22cc4a2cf453c51
Opcode Fuzzy Hash: fc470bcae5f1e9f97120546a5ec6887adaa0e55e3e3a81092cb2a686f0efa55e
Instruction Fuzzy Hash: 3221F5727007119FD7269A29D444B9ABBBAEFD5360F408076E9058F391CB71DC82C791

Function 071CD6E0 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270061895.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71c0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 237d5ae0ed2297a4251a77b5e8e66132779cf81202f5d05a76dd4f8686c1ae87
Instruction ID: b14f88d5d43cbc3ed41f6383c9b958e326f11b5e516b41d30fcc6fdbd3b01e0e
Opcode Fuzzy Hash: 237d5ae0ed2297a4251a77b5e8e66132779cf81202f5d05a76dd4f8686c1ae87
Instruction Fuzzy Hash: 8C21ADB4710226AFCB159F64D849AFF7BE6FB88344F004429E84AD77C0DB369C059BA1

Function 075D82A2 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270900434.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d059715bc03faaefb7a0dd21b5eabca50f72f1cffa00640bcf0f70d4055843b
Instruction ID: e168ebbd0ab1b447fca1c83f3d604896b4133e6df1e8a674e96667360cea57d7
Opcode Fuzzy Hash: 0d059715bc03faaefb7a0dd21b5eabca50f72f1cffa00640bcf0f70d4055843b
Instruction Fuzzy Hash: E421A6B1B0020ADFCB18EF69C9415BEBBB6FF89210B500169C80997395EB34ED01CBD2

Function 075DA618 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270900434.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78d0e83c20b45def70e8b8e61df81145242d5dd25505f4c5a739bdb80ff1b868
Instruction ID: 161703264ae2051edb5265642ba908770070dbd6e4274c59fed5e67291fcdf40
Opcode Fuzzy Hash: 78d0e83c20b45def70e8b8e61df81145242d5dd25505f4c5a739bdb80ff1b868
Instruction Fuzzy Hash: 29210772B006118FEB349A69C4915BF77E6FBC4210B18C42AD506D73A4C634ED40CB61

Function 075D3190 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270900434.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94b47736647a0499ccd15ae951e5bb7d229935f53d27a6f6f5ed1e2b48e0b9a5
Instruction ID: 2ee32df73cf2ee001a73fb9032f35bff74a4bb586cc7331a8ce8a80c8a30adec
Opcode Fuzzy Hash: 94b47736647a0499ccd15ae951e5bb7d229935f53d27a6f6f5ed1e2b48e0b9a5
Instruction Fuzzy Hash: 01313CB5D002099FDB15DFA8D854AEEBBB9FB88310F10852AE414A7350DB359D02DFA1

Function 0127D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1256434710.000000000127D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0127D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_127d000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa7f5cb5dc29adb2eb2901731718d06ca5d0eacd1a2a90382e7b1d8ad754cc3c
Instruction ID: 7c00b57d75a992d66f24daca9b038edccd4a951a97ccccb9d26103d670347d3b
Opcode Fuzzy Hash: fa7f5cb5dc29adb2eb2901731718d06ca5d0eacd1a2a90382e7b1d8ad754cc3c
Instruction Fuzzy Hash: 8321F171510248DFDB15DF94E9C0B27BF65FF88318F248569E9090B256C336D456CAA2

Function 0127D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1256434710.000000000127D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0127D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_127d000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0ff03c75ca7d9d81669dd95b19dd78c275b931cfb84f1af4f812ddd8d88304e
Instruction ID: e38e821b930fcb744c3224aad4daa082d9d626fa88e51bc465dd50460797ec25
Opcode Fuzzy Hash: e0ff03c75ca7d9d81669dd95b19dd78c275b931cfb84f1af4f812ddd8d88304e
Instruction Fuzzy Hash: 42210376510208DFDB15DF94D9C0F57BB65FF88324F20C569E90A0B256C33AE456CAA2

Function 071E8A40 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270402973.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71e0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e58ce7dc024a802477fac3901e86c19a86bc631d0c8ae570e9f33f4ed6c986c9
Instruction ID: d3c66bb96e9b472acfd879bc727757ca64bb2ed85ca9a6018babbf5cf65e4c80
Opcode Fuzzy Hash: e58ce7dc024a802477fac3901e86c19a86bc631d0c8ae570e9f33f4ed6c986c9
Instruction Fuzzy Hash: 1121A4B1A00A15CFCB16DF59C984A6ABBF8FF85B11F1594A9D405DB3A1D730DC40CB61

Function 0128D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1256480246.000000000128D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0128D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_128d000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7961689f3de448250d88207eb222a48be69381bcf17edb54f7e31294d87f4c3d
Instruction ID: f2b7b5a4b63772277c69647cdaf816d902a88ff04babad7c50a21981f89a901d
Opcode Fuzzy Hash: 7961689f3de448250d88207eb222a48be69381bcf17edb54f7e31294d87f4c3d
Instruction Fuzzy Hash: 61212271614308DFDB15EFA4D9C0B16BB61EB84314F20C56DD90A4B2D2C37AD44BCA62

Function 0128D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1256480246.000000000128D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0128D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_128d000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5deb6d1368bb1eaeae3a349b72c53032dfa399d96a3c0e959e90fc8387f64f7b
Instruction ID: 7b64cb8b0562863fb991f08f21fb536200215ae41c46e5a00029cf098eb90fda
Opcode Fuzzy Hash: 5deb6d1368bb1eaeae3a349b72c53032dfa399d96a3c0e959e90fc8387f64f7b
Instruction Fuzzy Hash: D02103715242089FDB15EF94D5C0F15BB61FB84324F20C56DD9094B2DBC376D84ACA61

Function 071E45E0 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270402973.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71e0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf42a2c5065b28f1d4e8eef94578d7916c4885073a67ffe4222d970aabcd8e5e
Instruction ID: a0722080dab160000c6dbbf418da7e8748bd5826a9ebb63a9edf820b6c2e0b7d
Opcode Fuzzy Hash: cf42a2c5065b28f1d4e8eef94578d7916c4885073a67ffe4222d970aabcd8e5e
Instruction Fuzzy Hash: CD1104F37086964FE715CA69E8416AAF7E9EBC8234F048137E904C7280D7359811C790

Function 071CF9F1 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270061895.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71c0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 343f62de0ac358a99f49bbbb1215533b1626ed8814dcfd7f71ce3f7694854994
Instruction ID: 1949dbc8fbca6eb1691474534e4010b6c94cf9ded968f4b41a12db28699be2f2
Opcode Fuzzy Hash: 343f62de0ac358a99f49bbbb1215533b1626ed8814dcfd7f71ce3f7694854994
Instruction Fuzzy Hash: 7F217F726106049FC725CF69C484A6ABBE6EF88710B06C569E44ADB6A1CB34EC49CB50

Function 071E0678 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270402973.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71e0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18353167ebcb43898cb6c639c4aa5d79f7a9077adb6ced9d8a61cea0dd00329c
Instruction ID: 72e5dd5a5e6e64f95ba64fdbd7c07305942d9c2262337d0aceae6d9318569cde
Opcode Fuzzy Hash: 18353167ebcb43898cb6c639c4aa5d79f7a9077adb6ced9d8a61cea0dd00329c
Instruction Fuzzy Hash: 2B11E3757103169BD7156A3AB44926EB7AEEFC4332364417AE049C76C0CFB6DC82CB90

Function 075D0006 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270900434.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7498033a4124dfc076be9756a9ad2f57d8433968170171b3f541e6bd16ac73d
Instruction ID: 941912c5fce4f6405af3f98ab1a227be190c4d4b3639ce4f11d542574434a9e0
Opcode Fuzzy Hash: b7498033a4124dfc076be9756a9ad2f57d8433968170171b3f541e6bd16ac73d
Instruction Fuzzy Hash: 9A214F715493809FC322CB28D854992BFF5EF47225F4A85D7E4898B6A3C324AC49CBA1

Function 071EC1AB Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270402973.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71e0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac7f7af3b17e7839c6b76aa8d588732144cd90c127cbc9d9be916368f4cd0627
Instruction ID: b7d7f158a4bdd24cfabac8fb93e6ca09f265f6f1d591ad5108d0e1e7c1fedc3b
Opcode Fuzzy Hash: ac7f7af3b17e7839c6b76aa8d588732144cd90c127cbc9d9be916368f4cd0627
Instruction Fuzzy Hash: 32217AB96042149FCB09DF54D58986DBFB6FF48322715C495F81597362CB34EE01CBA1

Function 075D3A40 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270900434.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6dc6cbe38db378f4e9e259e7e32c8568b59ec72e7db4b3b1594502ef1238bad
Instruction ID: a7e30aef9ed448673cfbc980c715fec5c88697925911da32938bab0f91ab483f
Opcode Fuzzy Hash: e6dc6cbe38db378f4e9e259e7e32c8568b59ec72e7db4b3b1594502ef1238bad
Instruction Fuzzy Hash: 932148B5E002099FDB15DFA8D890AEEBBF5FB88310F10812AD814A7390DB319D05DFA1

Function 071E293B Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270402973.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71e0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fe292f100cdb6dea504e45fe0ec3597fa3e159862973f6f4e8b4443d06e0837
Instruction ID: b8787f791d9aa21bcd3c0cd93fccef6322801961785a2d32b83702176c997bf2
Opcode Fuzzy Hash: 2fe292f100cdb6dea504e45fe0ec3597fa3e159862973f6f4e8b4443d06e0837
Instruction Fuzzy Hash: 20219F71A042499FDF15CFA0C895A9EBFB9FF49320F04805AF901AF286C730D845CB80

Function 071C1D77 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270061895.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71c0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a13efec0710b0477bbc0af1758e4e62511bb849181eea0b20311cae8a4f0c049
Instruction ID: 40571bf642d9b6c4e021852980d570e26b2ea56231e7ce0a7ce8d2c8d6ec3739
Opcode Fuzzy Hash: a13efec0710b0477bbc0af1758e4e62511bb849181eea0b20311cae8a4f0c049
Instruction Fuzzy Hash: 932118FC568149EFC74D9BF0A21A0A93B71AB626017A10459E843F71C3CF358D57A712

Function 071C0D70 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270061895.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71c0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79fa9d506fedde500484651eddf37dbc06a1f73a0b08850bb1916a74cd399fcf
Instruction ID: 412a45f5e3e8e1a28c9fde483b29800cec75362b840887ddacb699dc5e901547
Opcode Fuzzy Hash: 79fa9d506fedde500484651eddf37dbc06a1f73a0b08850bb1916a74cd399fcf
Instruction Fuzzy Hash: 35218EB5A0021ADFCB15CFA4C98496ABBF2FF8C310B108158D808AB765D730ED51CB91

Function 071E07C8 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270402973.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71e0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af8ca19ebaff684d3b0f328b46239489ada0d1f635c1be59e0e1e00bdf5258f7
Instruction ID: 88f21e2dbaf4c87d4ed9a386a20c6fb5427b15e3171a718784577bbb3ae987ca
Opcode Fuzzy Hash: af8ca19ebaff684d3b0f328b46239489ada0d1f635c1be59e0e1e00bdf5258f7
Instruction Fuzzy Hash: 4211D6B1B047419FD7368F66E481E12BBBAEF85324B24857ED54A8B292C771EC81C750

Function 071C14A8 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270061895.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71c0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9734e104ad217972bad1fe6464c2d2b254ad445857c415ec7ac83361f8e88a08
Instruction ID: b7db44ba4be60ecabb77266335fe784bc57b7f7794814f12c053e246b58c05a8
Opcode Fuzzy Hash: 9734e104ad217972bad1fe6464c2d2b254ad445857c415ec7ac83361f8e88a08
Instruction Fuzzy Hash: 1C1103F074D38A9FCB0697B8942012A3BF59F53510B5500ABD446CB2C3EF24D805D792

Function 075DF0B6 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270900434.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec0027aaac37bb932047fbb369807518c02130b7cee2c79faed3d35c14f84964
Instruction ID: 86b0af81f526570d6cfe92b9af605a0d7c7bd3622eb5951e1a04ffd6ef04203e
Opcode Fuzzy Hash: ec0027aaac37bb932047fbb369807518c02130b7cee2c79faed3d35c14f84964
Instruction Fuzzy Hash: 432189B1909616CBDB208BACC8012FEB7B0FF02309F088927D4B7862C1C378DA54C656

Function 075D7DB0 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270900434.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c5d40571260b5e2490ac0b6ba1d4b351be6aa3da2e9e6b84ae98f97408b0fec
Instruction ID: a55fea2376e1c6291b9d91c3b9d0c15b978928fb64f5670a2e36ab8b50eefec3
Opcode Fuzzy Hash: 5c5d40571260b5e2490ac0b6ba1d4b351be6aa3da2e9e6b84ae98f97408b0fec
Instruction Fuzzy Hash: EC11DF35B002089FDB08EB78E8505FEB7B2FF88211B14852AD845DB390DB309D068B91

Function 071E7E58 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270402973.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71e0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87ded6989a10ed496a35ffa0e896cecea27fec92def3719325de57865c0c509a
Instruction ID: d93fb0799398e820983403c5e84ca75ec084c969ac3697899157c7a4f410d17d
Opcode Fuzzy Hash: 87ded6989a10ed496a35ffa0e896cecea27fec92def3719325de57865c0c509a
Instruction Fuzzy Hash: E32192346042959FC705CF38C844D9ABBB5EF89224B15809AE849CF2A3DB31ED46CB91

Function 071E8590 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270402973.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71e0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b98f736851a7540a0cb6c285ae95ce6ea0e355b60b37e40cb34ad62c548bb11e
Instruction ID: abc937fc07afb7028647403307cfbb1da0c2f96c1f4c98f81d51335e5f8d4658
Opcode Fuzzy Hash: b98f736851a7540a0cb6c285ae95ce6ea0e355b60b37e40cb34ad62c548bb11e
Instruction Fuzzy Hash: 7D11C872B017205FE725D66C9C40B6BB3EADBC8660F154539EA05DB394DE70DC0287E0

Function 071C1BE0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270061895.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71c0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8782f681a36bb1c70d5c12fb6f810f56bf8fc0943cbde75bc13869a84191947
Instruction ID: e84ebaed0325a8d931b10fd3bb6bc3c23bdf3e3f989732bfb7f879bc1e68918c
Opcode Fuzzy Hash: a8782f681a36bb1c70d5c12fb6f810f56bf8fc0943cbde75bc13869a84191947
Instruction Fuzzy Hash: 971123F1754216BBC726D6A5848097EF7A6AFD5200711823EE4049F2D2DB30DC1A97C6

Function 071E7748 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270402973.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71e0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f259e7ac9d5de59e6db006ec6040fb1ac85c4644329087231eb729aac1f9f08
Instruction ID: 73e593b19bd7937b95f74622af991830ea58acb5e45ff287dfaab41d5b4927fc
Opcode Fuzzy Hash: 8f259e7ac9d5de59e6db006ec6040fb1ac85c4644329087231eb729aac1f9f08
Instruction Fuzzy Hash: EB112671A053849FD726CF24C840E5EBBBEFF85220B1484AAD0458B392CB71EC4AC791

Function 071C1BF0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270061895.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71c0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9850cb030fb4ba780e8a33193b2c01cd3d0bec3a2a05446900986ac2b22e06b
Instruction ID: b54008466a2291a2a2a8ad8ed6d11471486acbaa106801d6f9bc3e5e34c627a3
Opcode Fuzzy Hash: f9850cb030fb4ba780e8a33193b2c01cd3d0bec3a2a05446900986ac2b22e06b
Instruction Fuzzy Hash: 1C11E3F1B502197BCB29D6A9858097AA2DBBFD4200711863DE5099F7C6DF70DC0353C6

Function 071E0880 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270402973.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71e0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e457467a39b1171d056a58f2cdb51a3d2088a7ff7c60b3780e19323cb94b9530
Instruction ID: fda42ce379bd866f8cb7cc5a79f582ae1bde755f413eb58cd59579702e0dc488
Opcode Fuzzy Hash: e457467a39b1171d056a58f2cdb51a3d2088a7ff7c60b3780e19323cb94b9530
Instruction Fuzzy Hash: 6901D6F1B186068BF728093A984176B65DEDBC8210F25803FE50AC73C1DFA4CD4292A1

Function 075DF12C Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270900434.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae9583e0c432f380c3b2342433b14863905699538ef97a1be8698df801790e2a
Instruction ID: af9fbfeb3ec85b3835daab0e62636e5debf635f2eb22e7c67af741b6e9fb8512
Opcode Fuzzy Hash: ae9583e0c432f380c3b2342433b14863905699538ef97a1be8698df801790e2a
Instruction Fuzzy Hash: 82216AB1814516C6DB308BADD9412FEB3B0FF41709F048927E8B7962C0D378DE94C686

Function 071C1D88 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270061895.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71c0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 262c9b777f556da600c90563ce0681341afa274924faf3bb992d38e92a1b7142
Instruction ID: c45a6bc8bc86f7e3e7a599d0229156eb47ce59f04d1bc370cfb4e8fc240043ed
Opcode Fuzzy Hash: 262c9b777f556da600c90563ce0681341afa274924faf3bb992d38e92a1b7142
Instruction Fuzzy Hash: 781127FC564149EFCB4D9FF4A21E4A93B71AB61602BA10468E803F31C3CF348D53A612

Function 0127D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1256434710.000000000127D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0127D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_127d000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f425b5cd1c464f0a4a5253a28fe3054bde847c9d27b32d63737858cb099eba0
Instruction ID: c70e5c4f85cf64e4a95e3d011e1d0fa51478aeb9b18871c2f61735a2d179f4ee
Opcode Fuzzy Hash: 5f425b5cd1c464f0a4a5253a28fe3054bde847c9d27b32d63737858cb099eba0
Instruction Fuzzy Hash: CF11AF76504284CFCB16CF54E5C4B16BF71FF84328F24C6A9D9490B656C336D45ACBA1

Function 0127D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1256434710.000000000127D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0127D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_127d000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f425b5cd1c464f0a4a5253a28fe3054bde847c9d27b32d63737858cb099eba0
Instruction ID: 969fac75433a8b7c7bd4827c140cbde0fdc93e51bebb072a724ed6e0b7cad048
Opcode Fuzzy Hash: 5f425b5cd1c464f0a4a5253a28fe3054bde847c9d27b32d63737858cb099eba0
Instruction Fuzzy Hash: 9F11CD76404284DFCB12CF44D5C0B56BF71FB84324F2486A9D9090B656C33AE456CBA1

Function 075D0702 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270900434.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ab18a2e3cfd20627c802164d93008513982d687e81f294238d7de052300badd
Instruction ID: 62eb54fd07a32dd5c1921bc29d5205f81de80d86e84a357dc0e00400601b2d97
Opcode Fuzzy Hash: 0ab18a2e3cfd20627c802164d93008513982d687e81f294238d7de052300badd
Instruction Fuzzy Hash: 89119AB4A00206CFCB60CB29C644BAABBE5FF40360F44846AD41C8B691E778ED41CF90

Function 071C0E43 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270061895.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71c0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c60f696f1bba25318fafc82e65c789a8b0e17c606d018cd1c6179ac16b689fbd
Instruction ID: 276910e58d05b26d1091bd405db2b3ee95225008dadde423cd41b6158b627cc0
Opcode Fuzzy Hash: c60f696f1bba25318fafc82e65c789a8b0e17c606d018cd1c6179ac16b689fbd
Instruction Fuzzy Hash: 63118EB1604615EFD729DF28E444A9ABBF5FF88320B008569E809CB751DB31ED46DB90

Function 0128D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1256480246.000000000128D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0128D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_128d000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f5963e13be94118601ce8c0c816b14e795ac28cdb338ecf6f134e886058e23b
Instruction ID: 0ac8955bf07e3d10f7cebb10d8da84761ccde55a28f06a904953702b8855c97d
Opcode Fuzzy Hash: 6f5963e13be94118601ce8c0c816b14e795ac28cdb338ecf6f134e886058e23b
Instruction Fuzzy Hash: 7911BB75504284CFDB12DF54D5C4B15BFA2FB84314F24C6AAD9494B696C33AD40BCBA2

Function 0128D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1256480246.000000000128D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0128D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_128d000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f5963e13be94118601ce8c0c816b14e795ac28cdb338ecf6f134e886058e23b
Instruction ID: e3012e8e6103b07c0d4100b9036a6f7872cb00f4fda3578178765f6d5c9dd95b
Opcode Fuzzy Hash: 6f5963e13be94118601ce8c0c816b14e795ac28cdb338ecf6f134e886058e23b
Instruction Fuzzy Hash: 9A11EB75504284CFDB02DF54C5C0B15BFA1FB84324F24C6AAD9494B69BC33AD40ACB61

Function 071C0E48 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270061895.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71c0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fcb5e92f0d24f9987c844e5f134730b5dfe1f6003af4b0deb383fc0df67d86e
Instruction ID: b30992c96316f11472500a8d6d6454459272040a58798cde19a77cbcd2166796
Opcode Fuzzy Hash: 5fcb5e92f0d24f9987c844e5f134730b5dfe1f6003af4b0deb383fc0df67d86e
Instruction Fuzzy Hash: F411CEB1604315EFDB25DF28D444A9ABBF6FF88220B008569E409CB750CB31ED06CB90

Function 075D3180 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270900434.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 262344cdcaf8263b7da0f5473a28c9ac7ced84fab7a0c8bed6abf83d996b8e62
Instruction ID: 9df47251d8221f2533894aad472ede62dcb9614c0964e87388c6b19a626f67d0
Opcode Fuzzy Hash: 262344cdcaf8263b7da0f5473a28c9ac7ced84fab7a0c8bed6abf83d996b8e62
Instruction Fuzzy Hash: B0115EBAD00209EFDB15DBA8D814BEDB7B9FB88311F00856AE814A3394C7359C16CF60

Function 075DC24A Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270900434.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6297db32e78902eb684c590ca10ce1fe777f812fc9c26045be68f094cf02d2e3
Instruction ID: f203872b68e9f304301f0b8430ba894c381ba632e1472654510a0a027e8b2840
Opcode Fuzzy Hash: 6297db32e78902eb684c590ca10ce1fe777f812fc9c26045be68f094cf02d2e3
Instruction Fuzzy Hash: 65117CB1E0050A8FDB14EFA8E9526FEBBB0FF49210F10452AC511FB255EB758946CB91

Function 071E7E78 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270402973.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71e0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b701464e345ec1cb9ed6f3cd36a3864a51f7ddaa08e0e8ce45b3aa8fe74c2c9
Instruction ID: 4cc6013bccbb3c95649fc9eafd831c3bc7bd754677ab5d0a81f2b3074295a1d2
Opcode Fuzzy Hash: 9b701464e345ec1cb9ed6f3cd36a3864a51f7ddaa08e0e8ce45b3aa8fe74c2c9
Instruction Fuzzy Hash: 89115E356102459FCB04DF68C884D9EBBB6FF89324B148569E8098B362DB71ED47CB91

Function 071E8581 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270402973.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71e0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8900ebf2b39e5f590255df319233bd241d394d711fc88be384503dcdd0793d0b
Instruction ID: fecbd0a445761fcb310541865f3f60ad1045530c5226cc9d0bf4c25695bb646e
Opcode Fuzzy Hash: 8900ebf2b39e5f590255df319233bd241d394d711fc88be384503dcdd0793d0b
Instruction Fuzzy Hash: 0B01D8B57017514FD712DB38D880A2ABBF99F89650715416BE945CB362DB30DC05C790

Function 071CCC90 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270061895.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71c0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 819116a611d0828159e2917a543a1a05fcb039fb43a0b164248179c953a3ba06
Instruction ID: 18392c06d07e31a81b025b3dfd26d82457f7ff0d84fa8a3d1b6d2cd2fc6a4bb1
Opcode Fuzzy Hash: 819116a611d0828159e2917a543a1a05fcb039fb43a0b164248179c953a3ba06
Instruction Fuzzy Hash: D901B1B07003418BCB29CEAAD490837BBB6AFD9265710847DD80A4B795CE71DC43CBA1

Function 075D18B8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270900434.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a0e376482d098376abe6c6ddcf842613abb99d4b35ef3577d7627df6d09eb83
Instruction ID: 22e7ace6fe0e6a0a35f70d0a297bbe7c189c2efe5a0612fd139f57765dd89e5d
Opcode Fuzzy Hash: 9a0e376482d098376abe6c6ddcf842613abb99d4b35ef3577d7627df6d09eb83
Instruction Fuzzy Hash: 25018075B1021A9FCF14DFA5E8448AFBFF6FB88211B108569E905D7250DB309E42CBD1

Function 075D39E8 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270900434.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cc01078856f740b26a1eb54ac46f0f30bfc1f3b0dbff86d65acecc129e0fd0d
Instruction ID: 68b9cf03bf681f0ecb6724f09b18d8041803fb03f072257a0a7086ecce87018b
Opcode Fuzzy Hash: 8cc01078856f740b26a1eb54ac46f0f30bfc1f3b0dbff86d65acecc129e0fd0d
Instruction Fuzzy Hash: AA11C675A00209EFDB15CF98D884EDDBBB2BF88214F288559E405AB365C775ED82CB81

Function 075D18A8 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270900434.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fc09067a4fc1d1718ad72516aa741c23edb22d034f1898d81fa3551682eb4a0
Instruction ID: 43484e2536ed716a90d0644fe3127e8bba629b1220ab1948d98397cff7f72be4
Opcode Fuzzy Hash: 7fc09067a4fc1d1718ad72516aa741c23edb22d034f1898d81fa3551682eb4a0
Instruction Fuzzy Hash: CB01D676A1011A9FCF14DFB8D9045AEBFF6FF88205B104525E505D3250DB319E168BD0

Function 071E73E4 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270402973.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71e0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 488d7b225dd168c929d85e93499b25ae83ede9f64271742e9ed02227ef954aff
Instruction ID: cedfc9a76b03f2fc64e29fc5b7632e96c77eef2d8a2ef32d953cfb461e1328ec
Opcode Fuzzy Hash: 488d7b225dd168c929d85e93499b25ae83ede9f64271742e9ed02227ef954aff
Instruction Fuzzy Hash: BB112E74E01209EFDB45CF98D484E9DFBB6BF88314F248158E405AB3A1C775AC82CB40

Function 071CCC82 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270061895.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71c0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81d6912131600693282863e538c5c51104d326bb6bbcc5fca8e26535cd5eaf30
Instruction ID: 9698418b1c376a7416376c856d72baeaa5110ef58ec40da0f793a044d1121497
Opcode Fuzzy Hash: 81d6912131600693282863e538c5c51104d326bb6bbcc5fca8e26535cd5eaf30
Instruction Fuzzy Hash: F501DEB0604341CFCB29CFAAD490827BBB6EF99225710457DD8494B685CB31D842CBA1

Function 071CBA62 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270061895.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71c0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23f2220fab2f325ca562d342c7c18ee06faa431ffb89968c275d9b27a3f64844
Instruction ID: 0146d64def9c8ac10a6418245ac05e66b6eebe2bc3824d6d33ae2c7e2acd7261
Opcode Fuzzy Hash: 23f2220fab2f325ca562d342c7c18ee06faa431ffb89968c275d9b27a3f64844
Instruction Fuzzy Hash: 81112EB4904209EFDB15CF94D485E9DBBF2AF88214F288148E444AB3A1C775ED82CF40

Function 071CC024 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270061895.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71c0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cee55c3d13e5a4adf92e6534737f7faec1a94af5daa6c7b2092d6f7d40219cc
Instruction ID: f3465e4b180ca250f3ca432cc3e6434c813e83bcbed0cda5582a0d668cde74b1
Opcode Fuzzy Hash: 9cee55c3d13e5a4adf92e6534737f7faec1a94af5daa6c7b2092d6f7d40219cc
Instruction Fuzzy Hash: 9F11EC74911209EFDB15CF94D484E9DBBB6BF48314F298158E404AB3A5C775ED82CF90

Function 075D57F4 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270900434.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7efc75bea4bf76a75e61eb2ef958b8eb638c9e7494c07d8c0b08a2e76f379669
Instruction ID: 70f193c87aa5f391dc74c72db0193c19d41093c9e9f17213fef644fdd335ff38
Opcode Fuzzy Hash: 7efc75bea4bf76a75e61eb2ef958b8eb638c9e7494c07d8c0b08a2e76f379669
Instruction Fuzzy Hash: 4711DA74A00209EFDB15CF98D884EDDBBB2BF48214F688555E404AB365D775AD82CB40

Function 071E5780 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270402973.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71e0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61a3c5c1adec194c590395384941082b8237106429e2c2f1b0832f6692c5ac38
Instruction ID: 59e964c9c5c4fb9f10196cf63314021eaebfd3d12287b16844bcba051deb3c96
Opcode Fuzzy Hash: 61a3c5c1adec194c590395384941082b8237106429e2c2f1b0832f6692c5ac38
Instruction Fuzzy Hash: D101D66690E3C24FDB134B71B861288BF75AF4352572E45EBC080CF193E729852EC765

Function 071C2CFC Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270061895.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71c0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aef277c7f436f12f9b86c86dd1996d1aa0e187ef0857c11ef6bb11e7e7877ded
Instruction ID: a905c8f6d62aa161775cbd53e3d59ac3ccf8a65c3c84eb8d402481586d0633cb
Opcode Fuzzy Hash: aef277c7f436f12f9b86c86dd1996d1aa0e187ef0857c11ef6bb11e7e7877ded
Instruction Fuzzy Hash: 9C11FB75A10209EFDB15CF94D484E9DFBB2BF89214F288158E404AB3A5C775ED82CB80

Function 071CBA67 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270061895.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71c0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c184b1aa81e5c1c57f906c0dbb591c3ba966a37c5c56ff061dc9b63e3c9e4707
Instruction ID: ff0b62e2d97d84a3dfc9bb123c01c5896ab5b9fb05b9fea49f384866775dc8bf
Opcode Fuzzy Hash: c184b1aa81e5c1c57f906c0dbb591c3ba966a37c5c56ff061dc9b63e3c9e4707
Instruction Fuzzy Hash: 161142B4905209EFDB15CFA4D481E9DBBB2AF88214F288149E444AB361C775ED42CF50

Function 071C9AA4 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270061895.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71c0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 874f2e52951a26adbc408097ac28b34c232f3952bde27b86f3936e59fa832bcc
Instruction ID: 30354a062cf042092e84ff32c765e177875cd23bf34ae8c760cb36c82b3f23b7
Opcode Fuzzy Hash: 874f2e52951a26adbc408097ac28b34c232f3952bde27b86f3936e59fa832bcc
Instruction Fuzzy Hash: B811B674E01209EFDB05CBA8D584A9DBBF2AF88314F29C159E445AB3A5C775ED42CF80

Function 075D43B8 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270900434.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b57ca33f1c7a1ed2fcef959f3628e283a103270823e6aba696eb5b9cff5ccfb
Instruction ID: c6a8223372c127e9ef8eae740f123350de4a64d18257b7fb3f3b4e07bf5a1545
Opcode Fuzzy Hash: 9b57ca33f1c7a1ed2fcef959f3628e283a103270823e6aba696eb5b9cff5ccfb
Instruction Fuzzy Hash: 35F0AF72304219AB5B14DA5DEC40DBFB7EEFBC8660314812AE918C3240DF71EC0597A1

Function 075D3E14 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270900434.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a45d4c8eab9b562689bdd3ce6f7a33af6d9b2a84eb3b8903ef5e0fca0c7c74e3
Instruction ID: a170f871769f2ece92b9b2b93ab9c67e62f7fc386b06be42a9af03f6a86904bb
Opcode Fuzzy Hash: a45d4c8eab9b562689bdd3ce6f7a33af6d9b2a84eb3b8903ef5e0fca0c7c74e3
Instruction Fuzzy Hash: 201102B4A01209EFDB55CBA8D484A9DFBB2AF88304F24C159E404AB361C771AD82CF81

Function 075D7D48 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270900434.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a72f32ab489b61a50b395693dba3980904f274cd31703181ffd552eb50e95f8f
Instruction ID: 6e775eafa4ce904d1e2a0e87de0bdac8c1f54619990cb066b77135a684f35622
Opcode Fuzzy Hash: a72f32ab489b61a50b395693dba3980904f274cd31703181ffd552eb50e95f8f
Instruction Fuzzy Hash: 5AF0AFB23042196B5B14EA5AEC40DBFB7EEFBC8220314852AE918C7340EB71EC0187A1

Function 075D2DE0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270900434.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ce2e4ed9d6f97d6c6315a7797ddec00a0af6063952bcc77df2e481652dfdf18
Instruction ID: 1ddb40cee2f347893deae6e2d35464f1297e095869ea479fcd938a5ace576132
Opcode Fuzzy Hash: 9ce2e4ed9d6f97d6c6315a7797ddec00a0af6063952bcc77df2e481652dfdf18
Instruction Fuzzy Hash: 36014F712086509FC724CF6DE880D66B7F9FF492207150A9EE18AC7772C721EC458F51

Function 075D9B74 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270900434.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99ee9e18c73a79a7e2adc8d14a1c8122d223fa1bb6c1f2a411ec5f7488b4e751
Instruction ID: de09671e1d07a1be4d47e1f41ccafed72741a603907dd1f1043c5a60f5b053b6
Opcode Fuzzy Hash: 99ee9e18c73a79a7e2adc8d14a1c8122d223fa1bb6c1f2a411ec5f7488b4e751
Instruction Fuzzy Hash: 1911D474E05209EFEB15CBA8D484ADDBBB2FF88314F25C159E404AB365C775AD42CB80

Function 071E2F40 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270402973.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71e0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1831a82b8f81490a665b8a0dd4790c7c772b9d6377884bed7ac61ade52dbc16d
Instruction ID: 3a08fe7cdd2a48e47914f0fe67b637c7bb50430b4def3ce72058604e6081d7d4
Opcode Fuzzy Hash: 1831a82b8f81490a665b8a0dd4790c7c772b9d6377884bed7ac61ade52dbc16d
Instruction Fuzzy Hash: 4E01E1356007099FDB25DF29E940D8BB7F9FF852107008A29E44A8BA65EB74FD068BD1

Function 071C0E3B Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270061895.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71c0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9109078615ab7b8dca884cf29b5ee2839b81470ea067669606c1f40142cd501
Instruction ID: 512622bd1eb3da0eda22aed45288548521f27f53052e643956a50137ffd4d75e
Opcode Fuzzy Hash: a9109078615ab7b8dca884cf29b5ee2839b81470ea067669606c1f40142cd501
Instruction Fuzzy Hash: 390124B0604315DFCB26CF20E440AAEBBB1FF88310B00856AE406CB790CB35DD06DB90

Function 071C0E39 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270061895.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71c0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9927664a67bfd6dfafcd82d517650247cf1ddbb032a11e45c0552c16a118df61
Instruction ID: ac4bcbb409d2f8c5ccd7e87c662b2221773d2046bf602a92e41cdfd83a97118c
Opcode Fuzzy Hash: 9927664a67bfd6dfafcd82d517650247cf1ddbb032a11e45c0552c16a118df61
Instruction Fuzzy Hash: F801B1B1714215DFDB15CF24D484A5AFBF2FF88311B008569E4068BB50CB35ED46DB90

Function 071C5B10 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270061895.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71c0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f8abe7b358ea673e221dcef8602b832934bc84509ab33daf3a152c191ed593e
Instruction ID: 39c56391ba7a8ee0434f3d5fd8254701acbafa6ab8824dc71ace6bfc84ee907a
Opcode Fuzzy Hash: 5f8abe7b358ea673e221dcef8602b832934bc84509ab33daf3a152c191ed593e
Instruction Fuzzy Hash: CA01D8B2E14109AFCF15DFA5DD44AEFBBB6FF98210F108139E108E7280E7309A158790

Function 075DC258 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270900434.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56da48fcb054bb334216c12b2b59678d96b9ba3322312c9a2468b9cba1ec985c
Instruction ID: 71b8de8cc5a4752594283fa526ad1ea109e1b9a3918e6d9ef189d9ae4174ca26
Opcode Fuzzy Hash: 56da48fcb054bb334216c12b2b59678d96b9ba3322312c9a2468b9cba1ec985c
Instruction Fuzzy Hash: 0E0165B0E0060E8FDB04EBA9D9117AEBBB0FF89300F408529C815B7295EB759A01CB95

Function 071E9E59 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270402973.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71e0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7be53b6e80115a240a25a689f13d52aea43d18a5009c91c0634832f3124b96b3
Instruction ID: bac92c3d7c6e031acc7afa51469b8bb088e56796c56a89bf323301ea592b87c9
Opcode Fuzzy Hash: 7be53b6e80115a240a25a689f13d52aea43d18a5009c91c0634832f3124b96b3
Instruction Fuzzy Hash: 59F04CB660C7426FC352CA29C48096BFBADEFC6630318C15BED08D7281DB71AC0687E1

Function 071E580B Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270402973.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71e0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43765503935dff8dab0f3063376b2d3144cf44d8a829c49c050a89b88bce8601
Instruction ID: 6855b44047b65c061682f262fcfcbdb0286359d7f6ea7ca0546f7d552c075905
Opcode Fuzzy Hash: 43765503935dff8dab0f3063376b2d3144cf44d8a829c49c050a89b88bce8601
Instruction Fuzzy Hash: E50126B2A057415FC706DB68EC426BABBF9FF45210B04496AD119C7692D7305C04C7E0

Function 071EAE00 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270402973.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71e0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 086639c205e859f498c9c41b83b60cc225f678f1a18cd030f94ac56f916d8a0a
Instruction ID: ccd3ef2f960a325bada8ff4696452e3b52286c2a6b860ae989b7099c1823cf1e
Opcode Fuzzy Hash: 086639c205e859f498c9c41b83b60cc225f678f1a18cd030f94ac56f916d8a0a
Instruction Fuzzy Hash: 67F0B472B086258F9B189FA8B4044BA77EDEF4417171040ABE50DD7280EF31D8418794

Function 071E6C2F Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270402973.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71e0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d03ab2bfd89df6bc576fcd52970a1cf454c9ca7d381c8199f12761ca6bf48a5
Instruction ID: be28898baa2fe4cee95da6309a1a352d46079b01b1acc1dce15165fb2490a812
Opcode Fuzzy Hash: 0d03ab2bfd89df6bc576fcd52970a1cf454c9ca7d381c8199f12761ca6bf48a5
Instruction Fuzzy Hash: 1FF0ACB0716B024FD73E0BB08560369B7A5EF82104F484C6DC94ACFB81CB35EC068341

Function 075D3A3A Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270900434.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe6900b88ba7a95a78ec5e7c1b6c822edd2340880bbb37ec3fffd5212aca9dc5
Instruction ID: 94843f67a055afd0abb8880cb722bcea4a41d6a42a07dfc70b3b77d13d6de883
Opcode Fuzzy Hash: fe6900b88ba7a95a78ec5e7c1b6c822edd2340880bbb37ec3fffd5212aca9dc5
Instruction Fuzzy Hash: 450178BAB1110AEFCB15DF98E554AEDB7F2FB88311F04802AE814A7394C735AD06CB41

Function 075DA6F0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270900434.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f983cc0a57d431b280e85dedb0f8efa5db5ec387ac5a0b8740cc0bd27ff2be7
Instruction ID: 54900f83bb638eb9cc55d8f111beeb2700994b3353608e8a2a20c57c31274a9b
Opcode Fuzzy Hash: 4f983cc0a57d431b280e85dedb0f8efa5db5ec387ac5a0b8740cc0bd27ff2be7
Instruction Fuzzy Hash: 9CF0A471A106089FC711EB69D8848DEFBF8EFD6210711456BD54597321D6315A09CBA1

Function 075D2F59 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270900434.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c68a753b40f63a418244489573250b909cd5cf338340567a13b28777235defa
Instruction ID: 9faf20b1aaeaf8171e1af06b8320816860ee19db092ff9685751293658d310f8
Opcode Fuzzy Hash: 4c68a753b40f63a418244489573250b909cd5cf338340567a13b28777235defa
Instruction Fuzzy Hash: F3F09035304A54AFC705D729D884D2A7BEAEF8E72472141A6E508CB3A2CB61EC01CFD1

Function 071E07B9 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270402973.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71e0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b908799c70720f3ef91785bb9a14d1fb121406416494af711585a1b90c16c0f
Instruction ID: ac34a9c3383cd49ca839ed30d230b744c33331e8f72c5383c0136b07a36753cd
Opcode Fuzzy Hash: 3b908799c70720f3ef91785bb9a14d1fb121406416494af711585a1b90c16c0f
Instruction Fuzzy Hash: E1F096716097915FD7228B36D940912BFF9EFC776032485AAD444CB252D721DC09C761

Function 071E6AC8 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270402973.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71e0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f22ca977c623ffee14eae801babcae5a9ed43815449f7d3dc90ffd21a8106980
Instruction ID: bcd3d3632ebb395b029ac8e011f41309e0e36638db5c69ece131b98a7f79b443
Opcode Fuzzy Hash: f22ca977c623ffee14eae801babcae5a9ed43815449f7d3dc90ffd21a8106980
Instruction Fuzzy Hash: 09F08271B055059FDB54DB7DE90562EBBE9EB8E21475082E8ED0DC7390EA32ED018781

Function 071EAE70 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270402973.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71e0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c5d5cdf2a54316aabd98e61e45356fafc3fbefd1362cf2f70ac66c9c8fec66f
Instruction ID: 72b9557e1c6b8fa86e6243be5936169e4cb975cd3063b97936de40b03bd502d8
Opcode Fuzzy Hash: 8c5d5cdf2a54316aabd98e61e45356fafc3fbefd1362cf2f70ac66c9c8fec66f
Instruction Fuzzy Hash: 68F0A7A1B0D7604FD71A1A74242616E7BBA9FC351074544E7D446DF6D6CE188C0793A2

Function 071E5818 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270402973.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71e0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ae19be677e3b3e82030f8f617609c35e53d3004b8b47b5359440be10458fcc5
Instruction ID: 18c6c37a8874aae4fa97a41ac2e29c8a00d6bea51bad9a721648f242627f01a3
Opcode Fuzzy Hash: 8ae19be677e3b3e82030f8f617609c35e53d3004b8b47b5359440be10458fcc5
Instruction Fuzzy Hash: DBF03671A016155FD714DFA9EC459AFB7FAFB84210B448529D119D7640DB70AC04C7A0

Function 071C8EE9 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270061895.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71c0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b333d272576b3a50f60e473ff75aedb1f76c39c3ca28fc729e18d4323d3f594c
Instruction ID: 51c0444dbadb47891e535199ab6156357ea27414fb37ad832de268c9a7af66c8
Opcode Fuzzy Hash: b333d272576b3a50f60e473ff75aedb1f76c39c3ca28fc729e18d4323d3f594c
Instruction Fuzzy Hash: 37E0E5F62182615BC7284DEDA5C49363B9DDBB5661744056EE945821C2CF1AD84182A1

Function 075D2F68 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270900434.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6be638cac949a6b9cd999f68cd6a975404a54c06a8924f7634375a3d54fda02
Instruction ID: 15a1e746d2440b51cd2ca164467ba8115fe39e1a16b0267c8207db0c15818e94
Opcode Fuzzy Hash: a6be638cac949a6b9cd999f68cd6a975404a54c06a8924f7634375a3d54fda02
Instruction Fuzzy Hash: BFF08C75300A14AFC304D66DD884D2A73EEEF8DB247218165E109CB761CA61EC018B90

Function 075DD828 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270900434.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6a8f46335b14a8470fe0d77cd7b5957024cc50fb98dffba49346dd18d33854b
Instruction ID: 4b2f51ea123bc6ba1af0b11a1bba56379c343cd67372041116fc4e7c92e34ede
Opcode Fuzzy Hash: a6a8f46335b14a8470fe0d77cd7b5957024cc50fb98dffba49346dd18d33854b
Instruction Fuzzy Hash: 5DF0CDB5E04308DFCB26CBA4C840ADCBB72FF89201F08409AE04597220DA34A853D740

Function 071E57D0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270402973.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71e0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61245a5fdf1bc36bcbf7cf3289d706c3da983e63d82e72444aba9fc5976c7744
Instruction ID: d307b5bb6c258e627ca95ad95eb14a4de945b51741d36c76eb3641a8a7902f82
Opcode Fuzzy Hash: 61245a5fdf1bc36bcbf7cf3289d706c3da983e63d82e72444aba9fc5976c7744
Instruction Fuzzy Hash: 61F027B60087808FD3068F16F556AD47F76EB81224F0AC1D7D0844B0A3D735959BCB94

Function 071C1498 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270061895.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71c0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f9b5808f9b067f2507c5bb0087e3f74b69a89a3313ea2b7ac44d6767e5e5074
Instruction ID: ab842de46565425de26472b039433d7a650b849c0a6d6ea81d13b69af89ee161
Opcode Fuzzy Hash: 4f9b5808f9b067f2507c5bb0087e3f74b69a89a3313ea2b7ac44d6767e5e5074
Instruction Fuzzy Hash: A7F027F43493976BC30A8B71D5014A17FEA6F0619530500DBD808CF2C3DB11D885C7E2

Function 075D8DF9 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270900434.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eeb6568a920b8686910b7f9886cda42b281065817bd930ea35278421e735773c
Instruction ID: 1ee17ceab6e632691f429c688f5499f82fc2061e0b826c8d937280a64b77554a
Opcode Fuzzy Hash: eeb6568a920b8686910b7f9886cda42b281065817bd930ea35278421e735773c
Instruction Fuzzy Hash: 25E02B3230C3400FE3162B386C107E7ABA29F95360F14456FD1C08B3D1CD764C828795

Function 071EC100 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270402973.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71e0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cb8fd6dcfa1d8c0c9da43e64d84add5362b50d5fdcb3da3ca3090c20a22fe92
Instruction ID: 75a8e2be35e4dce78316212da1f4a04ef1c671cc94cfd4a4c2ccecfe48d69d68
Opcode Fuzzy Hash: 1cb8fd6dcfa1d8c0c9da43e64d84add5362b50d5fdcb3da3ca3090c20a22fe92
Instruction Fuzzy Hash: 08E0D8F670D3D15F87071A6A28A50BA7F6EAADA03531900A7F909C3343EE54890A97A0

Function 071CAF40 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270061895.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71c0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aef592d081f14479fb9fc2dd226047da297285bf8827891143f48c13e0168870
Instruction ID: e7c45fcd0df4b39ee82e6cb23d869ee73d21d9445fb98b498b140ce59a176e1c
Opcode Fuzzy Hash: aef592d081f14479fb9fc2dd226047da297285bf8827891143f48c13e0168870
Instruction Fuzzy Hash: EEE0E5367005148FC708DA6EE544C9AB7EEEFC962631A80AAE509CB771CA71EC018690

Function 071C78A0 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270061895.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71c0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61cdbc1421786e18515c039ea89027f603a329ebeda0b1977ced9a3c7505190d
Instruction ID: c10db8e55e87411efa0ad11191b9a102899f1af39e2106510b163df9c21be548
Opcode Fuzzy Hash: 61cdbc1421786e18515c039ea89027f603a329ebeda0b1977ced9a3c7505190d
Instruction Fuzzy Hash: 4BE0ED367005108B8708D66EE544C5AB7DEEFC962531A40AAE509C7761CA61EC058690

Function 071C93A0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270061895.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71c0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0b5cbe16f96e0be06bc6c1a731d2fc56d36f7286fadeb5cebdd6dbd96e35e85
Instruction ID: 314b087b879b0eda60d7ad25521c0d5c5f3f56a6ff0337e3b65df333f58ef9c2
Opcode Fuzzy Hash: b0b5cbe16f96e0be06bc6c1a731d2fc56d36f7286fadeb5cebdd6dbd96e35e85
Instruction Fuzzy Hash: 65E0203171012997D72976BE680006B73C9FBC6950324557DE80DC3784EF25DC4183E5

Function 071C7138 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270061895.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71c0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 008c472b6fffeed7246cadb47aa2637ab0ad9c687d58ad4442cd7ebc4609b06d
Instruction ID: 10bd41290315646518aa6697de790276a93d144226a550c038155c0a266f0ed8
Opcode Fuzzy Hash: 008c472b6fffeed7246cadb47aa2637ab0ad9c687d58ad4442cd7ebc4609b06d
Instruction Fuzzy Hash: D7F0E573604200EFCB018F94D880E9BBF2AFF893207158053FA088B246C631C812D7A0

Function 071E09E8 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270402973.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71e0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9d33192768ea790a4d2d757c8d1b270139f03203a962f656e4ce6786c9caaac
Instruction ID: c9ebfad6127eccf7e31dc3b432eff7694067e722d98d5a47743b5a3374dc91d9
Opcode Fuzzy Hash: c9d33192768ea790a4d2d757c8d1b270139f03203a962f656e4ce6786c9caaac
Instruction Fuzzy Hash: D3E04F773101185BC7149A4EE404D9ABBADDBD87717148037F609CB360CA71DC5286A4

Function 071C1F78 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270061895.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71c0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77e690670f399b4f771502187d9d8a88041ea7c752b2a8049e416f31894878af
Instruction ID: cd7b83d4c5f09e6490a3b651b3b2dec54f031044918cb396395499aea963f716
Opcode Fuzzy Hash: 77e690670f399b4f771502187d9d8a88041ea7c752b2a8049e416f31894878af
Instruction Fuzzy Hash: 30E09BA66153D15FD706A77094604AA3F76AF8A12031541DBD988AF793CF149C0B87D2

Function 071C2EF0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270061895.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71c0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfd82a0c704e6023fc0eae4b7ab8347ac2a075c3af713e175a00fa69a0bcefe2
Instruction ID: e515fde6a8c49bd0bb3c17bf233827c2c8b840fc66a0030ed39dbec647dc7774
Opcode Fuzzy Hash: dfd82a0c704e6023fc0eae4b7ab8347ac2a075c3af713e175a00fa69a0bcefe2
Instruction Fuzzy Hash: E6E026B7B4020077CB108D99EC05DEB73AFAFE8621708892AF909D6300DA75E81683E0

Function 071C7148 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270061895.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71c0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01111af64801130aa87090f8c16ca29ab36e323745bebbc64624b036a7ae7b66
Instruction ID: dff0e8bc687f2165384c3ddbe0ac6f2422d7f3cb76a5d08e196b9b21e31e8f2d
Opcode Fuzzy Hash: 01111af64801130aa87090f8c16ca29ab36e323745bebbc64624b036a7ae7b66
Instruction Fuzzy Hash: 18E04F32204248AF8B059E85E880C9BBF6FFBC92703148156FA088B256CA31DC12E7A0

Function 071EFD2D Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270402973.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71e0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44c014206b4f6a185863cc392220f638e4b0d48d340dac5bc3691a5ad10d313d
Instruction ID: fd4471734c38670744c7b8889bbcaed6aeb6fb1a610dc3bdf1eafae20a0b2de1
Opcode Fuzzy Hash: 44c014206b4f6a185863cc392220f638e4b0d48d340dac5bc3691a5ad10d313d
Instruction Fuzzy Hash: 7CE09276714601EFCB958F65E404894FBB6FB86231B00C066F9068B251DB31C915DB40

Function 071C786F Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270061895.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71c0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac60f2c8c43be3e8c273a2e30c67eaf98b8c925aa7070d0c6d3a48162ce34532
Instruction ID: 540774103d524346c4a0982597c2f8c028aecf2e5551a6021248dd1fb522506d
Opcode Fuzzy Hash: ac60f2c8c43be3e8c273a2e30c67eaf98b8c925aa7070d0c6d3a48162ce34532
Instruction Fuzzy Hash: B1E0DF3A3242408FC3109B7CE809C857BE4EB0663431500E7E108CF6B2CA20E8018B50

Function 071EC110 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270402973.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71e0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c37b2aced791a060af6ec2cad89fb9feab6dd7ce0d181540f0ca5b26a041cda3
Instruction ID: 72fbc42b208943e64c80acf62b0c6d0e7d403681a45ca14e584fdf06845454ff
Opcode Fuzzy Hash: c37b2aced791a060af6ec2cad89fb9feab6dd7ce0d181540f0ca5b26a041cda3
Instruction Fuzzy Hash: F2D05E72319255170719154E6C8846BBE8EE7C9536314403AF909C3300DEA08C0652A0

Function 071C2F00 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270061895.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71c0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a71b2cb6133c5720b162e981b5a558273716513574f948142a9dd99e662f5e78
Instruction ID: db20e8f7f23a8ba09f6a7358b9842d960365cf94867a3d88efac62a12710ffc5
Opcode Fuzzy Hash: a71b2cb6133c5720b162e981b5a558273716513574f948142a9dd99e662f5e78
Instruction Fuzzy Hash: 2ED0CD33300304778F145D96D800C9B776FDBC8620304802DF90186200CA71AC1197A1

Function 071E6B30 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270402973.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71e0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b9e3bc50c167b98db601590c62ed8f29d624c3334bad8bd5e8b52144de5a3a4
Instruction ID: 92b5635bbbe4fed6f27425386dd9b5c3721ee38ed1628717a24cce63281c96c4
Opcode Fuzzy Hash: 1b9e3bc50c167b98db601590c62ed8f29d624c3334bad8bd5e8b52144de5a3a4
Instruction Fuzzy Hash: EFD05E333542249FD350DBB8F908E93BBECDB48665B0140A6E20CCB261DA62DC008780

Function 071E5888 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270402973.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71e0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c714bb76ec4c01778a2361894ced4ffeb15e33c81b22d9f72801a257fd6ab628
Instruction ID: 2046cd3abbab9fa8ff40918114a751508a1c5e1a824eb9957e6eed0395ee1959
Opcode Fuzzy Hash: c714bb76ec4c01778a2361894ced4ffeb15e33c81b22d9f72801a257fd6ab628
Instruction Fuzzy Hash: DEE01732340614CF8314DBA9E484C92B7E9EF8927A35444BAE50EC7721DB72EC50CB80

Function 071C1F88 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270061895.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71c0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 250bebe0496cefe1da8f0b304b661e7e8bc5f28aa0a4bc2e556d7819dd251856
Instruction ID: 217f43787b9fc9f37527721e846d3fdb25c891b3b4cd06893caf788011f6e414
Opcode Fuzzy Hash: 250bebe0496cefe1da8f0b304b661e7e8bc5f28aa0a4bc2e556d7819dd251856
Instruction Fuzzy Hash: EDE0C2F17002245B8708F794E58086A33ABBF8811035102E8E90C6F7A5CF24EC0347C6

Function 071C9B00 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270061895.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71c0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ecf8787b06175812084df2c2640fa8f9bcd10a2141216e19065bd276168d113
Instruction ID: 0d7dac5a5a19a01f918710a75256f38214c9314267f8b703163cbbbc8e9c8fc3
Opcode Fuzzy Hash: 0ecf8787b06175812084df2c2640fa8f9bcd10a2141216e19065bd276168d113
Instruction Fuzzy Hash: 4AD05B73340714678B145D5AFC05C6BB7AFDBD8621349853EFA4587240CE719C1257E5

Function 075DA5E0 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270900434.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e97416e8fac3ac21de0752efa5b4f6ecb93f432d7ec02bdea40d702a88b87937
Instruction ID: bd3acfd618f015f0c01c578558dbf01d1f182163f710af1adea759aacd99447e
Opcode Fuzzy Hash: e97416e8fac3ac21de0752efa5b4f6ecb93f432d7ec02bdea40d702a88b87937
Instruction Fuzzy Hash: 64E012322442449FC7428B90E4028F97B70EB572B171181A7E8458BA63C23699028B91

Function 071EB403 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270402973.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71e0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9d2e3d57070e5370d6924ef0d5a7f44b0ebd48558c864d01c0799ee646b47fc
Instruction ID: 27993f5e7addcd0d2ffc826e46be9c72cad675e3732fb8f9c91314636d80d45e
Opcode Fuzzy Hash: d9d2e3d57070e5370d6924ef0d5a7f44b0ebd48558c864d01c0799ee646b47fc
Instruction Fuzzy Hash: FEE01736F00105CFDB10CFB9E4245D9B7F5FF89625B15446AE545CB621EB3588128F40

Function 071C938F Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270061895.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71c0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3ed126db8ad790d414269367fc17e5b71d84d1f56a8bb545317742bd3a4e96f
Instruction ID: 87a53e699fed7b1c2a08f707b86c3d982f476ac1d7b46b005498f63f96a127a9
Opcode Fuzzy Hash: d3ed126db8ad790d414269367fc17e5b71d84d1f56a8bb545317742bd3a4e96f
Instruction Fuzzy Hash: 59D02272B10011A3D30044FAB80A6D6378CEB208A0B50A43198CAC2AC0EE04D40301E7

Function 075D7FD2 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270900434.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99abb1d7b1f13c6da29adf6dc73126b2a9cb77a70e950f2618c718ce92e79ac9
Instruction ID: 8521b8f4c6b397ea0a103377a219768926b112e0ace399778d6a70cdeb577892
Opcode Fuzzy Hash: 99abb1d7b1f13c6da29adf6dc73126b2a9cb77a70e950f2618c718ce92e79ac9
Instruction Fuzzy Hash: 24E0C2B2A092804FDB144A28E444A2ABBE2DFD4211705C99DE5A9C7704C625EC05C780

Function 071EB970 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270402973.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71e0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27469a44b28ad8fe49879fc309111768222ae8374be84019ea2772487db8b022
Instruction ID: e7ad58455c0cfb41314d3f9500d63abd5b786d5ab5067f87ed74b2948fc4b7e9
Opcode Fuzzy Hash: 27469a44b28ad8fe49879fc309111768222ae8374be84019ea2772487db8b022
Instruction Fuzzy Hash: BBD05EF4B28459DFCB289A68D024CE8B7B9FF8562571140F5D246CB2A1DF2188168742

Function 071EB9BA Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270402973.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71e0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03b14d9cd938e9c00dddce0a2ca11425db9cb7d638029b45aa6e84dae85c4cd1
Instruction ID: 394577e4788130dd9ec965ab73a49686ed8d937d8a4d2b4c295749df15bbcf96
Opcode Fuzzy Hash: 03b14d9cd938e9c00dddce0a2ca11425db9cb7d638029b45aa6e84dae85c4cd1
Instruction Fuzzy Hash: 39D05EF4B184498FCB289A68D014DF877B9FF8561571500B5D286CB2E1DB3088168B42

Function 071EBC09 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270402973.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71e0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 298b385a8739e508a6cd78227ddac55a85979d996a3c32cfd11fcaf460973781
Instruction ID: 7f32947e940d83a5465730ec41cee7d0197bca2cb2e817217709c406afc5a1db
Opcode Fuzzy Hash: 298b385a8739e508a6cd78227ddac55a85979d996a3c32cfd11fcaf460973781
Instruction Fuzzy Hash: FBD05E34B601088FDB149BB8E0249D977B4EF4562575200B1D259CB661D721C9168B80

Function 071EB800 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270402973.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71e0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bdf7cc3f92bc9276a55a61dd3aa4bfa9bdfc479c8364e531aaa2a758dbfee00
Instruction ID: 165a04df6a10c1f5991127e487c7a0b052c1d830839b41e87a173cf24394b0a0
Opcode Fuzzy Hash: 5bdf7cc3f92bc9276a55a61dd3aa4bfa9bdfc479c8364e531aaa2a758dbfee00
Instruction Fuzzy Hash: 9FD05BB4B14449CFCB249768D015CE477F5FF45615B1540B5D145CB291DF2099118741

Function 075DF182 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270900434.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c4421d44600fc77c5631e217a97944bfb5e6db2b010262e23159a9190bb12d3
Instruction ID: 284a43972d29376b375d7de8be05d22633a39d50a62149a32bb6fc1c1e5b735c
Opcode Fuzzy Hash: 3c4421d44600fc77c5631e217a97944bfb5e6db2b010262e23159a9190bb12d3
Instruction Fuzzy Hash: 71D05EA1A083568FDB3646B9DC100E137607F835317594393C8B2CAAE3C91A890283B6

Function 071EAE60 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270402973.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71e0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac79e342d6607c1ccd845679a82db92c92eb4058efcd1636e56a52b7070c0c0b
Instruction ID: 4870eae86ba2da3b26146a3629c26cf440229ce7d23e5bb531f514829ff392a1
Opcode Fuzzy Hash: ac79e342d6607c1ccd845679a82db92c92eb4058efcd1636e56a52b7070c0c0b
Instruction Fuzzy Hash: CED0A77150C7D85BC39356296844099BF9CCF82921B284096DC8CC7182DA14198287E3

Function 071EC0D8 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270402973.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71e0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74d5eee106f409b253cc0a58c1298628ba406e420ff92edf75d4f74363e8b1eb
Instruction ID: 16207133989abb220940817adf2f067ef8326da37e7fb1d889dbbf22cf89d111
Opcode Fuzzy Hash: 74d5eee106f409b253cc0a58c1298628ba406e420ff92edf75d4f74363e8b1eb
Instruction Fuzzy Hash: ABD0927950A3C28FC7079B30C455544BFB1EE9361532A80DBD08ACB663D72ADE9ACB11

Function 075DA5B8 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270900434.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76b05b1ff4e5a237d86ae665d64a87999189f964b6ade05110a58998a2288d85
Instruction ID: 01880a2832565cfc7612e41f0ef77bf8423f1494749b1ea2e2e4929fa8cf2329
Opcode Fuzzy Hash: 76b05b1ff4e5a237d86ae665d64a87999189f964b6ade05110a58998a2288d85
Instruction Fuzzy Hash: 97D0C92B5197C55EC30277B8B4120E97FB0EE572257159A83C1809A823D7191998C3A3

Function 071EB4A1 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270402973.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71e0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 696de6d24564ae342630f487c65373ad6d617ddbd2a27fa25e2099e753fc29b0
Instruction ID: 1bc5738b54aa78ae1e5926981cda9bd57b7c6f05b89d8dfa3db175f8c3ad9b27
Opcode Fuzzy Hash: 696de6d24564ae342630f487c65373ad6d617ddbd2a27fa25e2099e753fc29b0
Instruction Fuzzy Hash: C8D0A770B000188F8B04CB98E5004DC7BF1FF8421570100B5D209CB650D730CC014740

Function 071CBB11 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270061895.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71c0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e34a36bf1e091b715cb210987a409561ddee69cc05292fb7041f1a3a9459252
Instruction ID: 22bb6a18aa8bf54adcc8cfc06417c1f34a6d910d3d80e1abc3e69807be16e91f
Opcode Fuzzy Hash: 6e34a36bf1e091b715cb210987a409561ddee69cc05292fb7041f1a3a9459252
Instruction Fuzzy Hash: B6D012361583944FC31297B8F819DD17FB85B0BA34B0681C3E148CF573CA15ED448AA2

Function 071EB674 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270402973.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71e0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 122a5e408fcd462fa17fb7368bc7b8f2859963b549cfe2e62a0c7f19228b6cb0
Instruction ID: 39c4500998058565de64b6467ea8e6f931fa3f6524d1bd0650ae63d88af94fad
Opcode Fuzzy Hash: 122a5e408fcd462fa17fb7368bc7b8f2859963b549cfe2e62a0c7f19228b6cb0
Instruction Fuzzy Hash: 15D01235B444048F8718DA98E4508E873B5EFC5626B4100B5E306CB670DB30DC568B90

Function 071C7F9F Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270061895.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71c0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d89e4a518e2ae83ae0947e5a7b53988807b104fc983a5c72fe35fae78dd20682
Instruction ID: ff21eea33fdfcee134d271ccb5cd0434ff5cc843ea43645c9755dbe78460758b
Opcode Fuzzy Hash: d89e4a518e2ae83ae0947e5a7b53988807b104fc983a5c72fe35fae78dd20682
Instruction Fuzzy Hash: 3FC08C32E04130EBC3105F28B8422C1B3E8FF44966B02C07AE80C82A01C63C5987CBD1

Function 071C4E58 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270061895.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71c0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cd06f21766aefb76d8a8068d861b7db5d51985497e98d97db1b3f759f213adf
Instruction ID: 3b6e02a1266f9fe1a9cfd563eb8934501cc3515602ae4ad8975831ca0323dd8a
Opcode Fuzzy Hash: 1cd06f21766aefb76d8a8068d861b7db5d51985497e98d97db1b3f759f213adf
Instruction Fuzzy Hash: 36D0127185934D5FE3516B34E521A503B68DB11604B404591E19C860D2D61C6C4E8F41

Function 071C7DC0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270061895.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71c0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d130464cf129331de6ab8783d0f6735faec1d349769a84be50c5769530c33f8
Instruction ID: 804d37a3512dac742c031a8463e89a8f252d699ac504cea8475fbe5424a61e44
Opcode Fuzzy Hash: 3d130464cf129331de6ab8783d0f6735faec1d349769a84be50c5769530c33f8
Instruction Fuzzy Hash: 89C080758946449FC3009778E455DC07BD8DF15611B014196E00C47531C917F885C740

Function 071CAF11 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270061895.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71c0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 794587163c7b53677b66c2d27b917fdcc177020c4a862239efb1f5a0ebc5bf80
Instruction ID: f1161a88dcc7f7b483129bdbc187dc1d1088e4095954668b305be13649da4936
Opcode Fuzzy Hash: 794587163c7b53677b66c2d27b917fdcc177020c4a862239efb1f5a0ebc5bf80
Instruction Fuzzy Hash: 9CC012750682048FC7008B39D444D207B98EF14A01B1240D4E1488B262E251E8108F41

Function 071C7F60 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270061895.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71c0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fc2b92a10b5977840f1f9e2ed0ddc481898c3baf35ded1b9c525bf79c446677
Instruction ID: 46549124dc4215c4f4639daf7c4758c909eb0e7bcc26873807306b5f7b11e6e9
Opcode Fuzzy Hash: 9fc2b92a10b5977840f1f9e2ed0ddc481898c3baf35ded1b9c525bf79c446677
Instruction Fuzzy Hash: DFD01234458715CFC7008F24D484A5077A8EF08628B21C0F9E50C47562D33AF805CF51

Function 071C4D70 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270061895.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71c0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 493851c39095f76575fc87628a033a5871a02d3d6ea9c7f87117d5e17a100d2a
Instruction ID: a96e626b1cbc0d3aa9e356fd831a7c3408cafb2a52bb1b5c4e37cc25a8cd35fd
Opcode Fuzzy Hash: 493851c39095f76575fc87628a033a5871a02d3d6ea9c7f87117d5e17a100d2a
Instruction Fuzzy Hash: DAC08C1104E2C00FDB020330291A8E03FA18F8222038A44C3C0C0CE0F3C62C628BCE93

Function 071C4E31 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270061895.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71c0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bfdc489190f500e257621769e6e580583aaab807d36382a29295b1cd55302da
Instruction ID: 1595cd5c72360a71e777f48893a823fd0bf2df011c27f99da47a629f3142105b
Opcode Fuzzy Hash: 9bfdc489190f500e257621769e6e580583aaab807d36382a29295b1cd55302da
Instruction Fuzzy Hash: ECC08C3061838E0FFF869778C1603613BA1EBA5344F1818ED8294CF1C2E624DC0A8F51

Function 071C5220 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270061895.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71c0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b177d0cb75a452a7b12a1585bf8e45c51d56e6fcfbf45b5bd5e66db158316dfc
Instruction ID: b42290174a20bdd99d7afe93d43bc237f701f52326707146a9d66e5c50d262f5
Opcode Fuzzy Hash: b177d0cb75a452a7b12a1585bf8e45c51d56e6fcfbf45b5bd5e66db158316dfc
Instruction Fuzzy Hash: 29C08CBA508201AFDB028A688640BA4BF90FF70B01F008415A14880084D27D44B8E752

Function 075DA5F0 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270900434.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d6f2623337c38ef8749255ff78b3cbedb78fba73e040c9434c39499d8169e63
Instruction ID: 61412fa5721fa0801f19765b42d0f6ac58f054d2697597a3f249e516f761f0d5
Opcode Fuzzy Hash: 1d6f2623337c38ef8749255ff78b3cbedb78fba73e040c9434c39499d8169e63
Instruction Fuzzy Hash: 87C00235140108AFC740DF55D445D95BBA9EB59660B1180A1F9484B722C632E9119A90

Function 071CAF20 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270061895.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71c0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de847a0528bbc7a7393f5e98ae606a4b181b211cc876a90962d2b0a83971d2f4
Instruction ID: 03308a7015262dc60266e0276a8c8d94ddd012c5f0dd28833018c3f95f56e0d9
Opcode Fuzzy Hash: de847a0528bbc7a7393f5e98ae606a4b181b211cc876a90962d2b0a83971d2f4
Instruction Fuzzy Hash: 7EB092341602088F82009B59D448C0077ECAF08A0434140D0E1088B632C621F8008A40

Function 071C7F70 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270061895.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71c0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b76679b0a354449729844e828cdbdd8dc5f87ab3334555cc76ca9f307cd6f9ad
Instruction ID: a0ccf6e4bed68dc0c69f5d0bbd707ad7c253f4111acce2a0e91a8f8d8fd4bd45
Opcode Fuzzy Hash: b76679b0a354449729844e828cdbdd8dc5f87ab3334555cc76ca9f307cd6f9ad
Instruction Fuzzy Hash: 03B092351602088F82409B68E448C00B3E8AB08A243118090E10C8B232C621F8008A40

Function 071C4E68 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270061895.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71c0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9050f8bc8a4b11f6bd062218a52e23c9005084d228c9e2e3e5f0d2665eea0a0e
Instruction ID: 365d096e6203005244c8ab171f23e2f61d715f6192dfede43a4b35a52b87bfa0
Opcode Fuzzy Hash: 9050f8bc8a4b11f6bd062218a52e23c9005084d228c9e2e3e5f0d2665eea0a0e
Instruction Fuzzy Hash: 9BB0123141430D4BC6107B50F915D54333CA5402487800510E11C09426DA6C788B4685

Function 071CBB20 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270061895.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71c0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b76679b0a354449729844e828cdbdd8dc5f87ab3334555cc76ca9f307cd6f9ad
Instruction ID: a0ccf6e4bed68dc0c69f5d0bbd707ad7c253f4111acce2a0e91a8f8d8fd4bd45
Opcode Fuzzy Hash: b76679b0a354449729844e828cdbdd8dc5f87ab3334555cc76ca9f307cd6f9ad
Instruction Fuzzy Hash: 03B092351602088F82409B68E448C00B3E8AB08A243118090E10C8B232C621F8008A40

Function 071C7880 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270061895.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71c0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b76679b0a354449729844e828cdbdd8dc5f87ab3334555cc76ca9f307cd6f9ad
Instruction ID: a0ccf6e4bed68dc0c69f5d0bbd707ad7c253f4111acce2a0e91a8f8d8fd4bd45
Opcode Fuzzy Hash: b76679b0a354449729844e828cdbdd8dc5f87ab3334555cc76ca9f307cd6f9ad
Instruction Fuzzy Hash: 03B092351602088F82409B68E448C00B3E8AB08A243118090E10C8B232C621F8008A40

Non-executed Functions

Function 071C6B60 Relevance: 1.7, Strings: 1, Instructions: 439COMMON

Download Yara Rule

Strings

%, xrefs: 071C6F45

Memory Dump Source

Source File: 00000000.00000002.1270061895.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71c0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID: %
API String ID: 0-2567322570
Opcode ID: 556f805f24e96f99de3d8b445b325d6a6cd4adf50bd0d473e16b770bf9ee93b5
Instruction ID: f4e3c9d57515e48fbdf6e899cfedb1f933c08184c5ee28f9c47ff509e12f0fb3
Opcode Fuzzy Hash: 556f805f24e96f99de3d8b445b325d6a6cd4adf50bd0d473e16b770bf9ee93b5
Instruction Fuzzy Hash: 4F024AB0A00209CFDB19DFA5C884AAEBBB6FF88300F14856DD515AB395DB75D806CB91

Function 071E1578 Relevance: 1.3, Instructions: 1272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270402973.00000000071E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71e0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c687891e8bdd78049810397ae2807d12dcdc622ef69c235ec456e9bfb7113bdf
Instruction ID: 3c3c41ac324b7a752c51cd9320e601336f9cd48d3f1df76c3e445508c4005ee7
Opcode Fuzzy Hash: c687891e8bdd78049810397ae2807d12dcdc622ef69c235ec456e9bfb7113bdf
Instruction Fuzzy Hash: A7C237B0A00619DFDB25DF64C894BADBBB6FF49301F1085A9E909AB390DB359D81DF40

Function 0767A4A1 Relevance: .3, Instructions: 318COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1271689458.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7670000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23b86204a09c1b516cd60096641f5ae32c45d4259eae8acb48db5a951baeeee5
Instruction ID: 6b7aa0ff2f59b4332e7a5b0958617711faa0d93fcaab53607642aa18e71b18e5
Opcode Fuzzy Hash: 23b86204a09c1b516cd60096641f5ae32c45d4259eae8acb48db5a951baeeee5
Instruction Fuzzy Hash: 5AE10BB4E002598FDB14DFA9C5909AEFBB2FF89304F24C169D415AB356D730A942CFA0

Function 0767A072 Relevance: .3, Instructions: 314COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1271689458.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7670000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72409dad9834764b0c670dfc01c0b3d26e3ed3e3230dac3644c1e721901c16a4
Instruction ID: 8edc152db67d33210671f7140ccb05147851817c7bd3c83f9800fdf21b66e280
Opcode Fuzzy Hash: 72409dad9834764b0c670dfc01c0b3d26e3ed3e3230dac3644c1e721901c16a4
Instruction Fuzzy Hash: 8EE109B4E002598FDB14DFA8C594AAEFBB2FF89304F248169D415AB356DB319941CFA0

Function 0767C0E8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1271689458.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7670000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8f21d77106f488d8edcb8331585d93f4e8b7e457d26bcb4d2c3d9c7c802bdc3
Instruction ID: a928e87254292573c662b712b16debbe740cb013d7aea395061d5e4e828ca628
Opcode Fuzzy Hash: b8f21d77106f488d8edcb8331585d93f4e8b7e457d26bcb4d2c3d9c7c802bdc3
Instruction Fuzzy Hash: DEE109B4E00259CFDB14DFA8C590AAEFBB6FF89304F248169D415AB356D731A941CFA0

Function 0767BCB0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1271689458.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7670000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d150ad7cf561120cc07d50db9bcb4f5168c536339cf73c82d2d7bccf948390a1
Instruction ID: c2ee77a9a537951cc117cee781a0f8bdd9b497253dbd76caf08da22f6ffc1f14
Opcode Fuzzy Hash: d150ad7cf561120cc07d50db9bcb4f5168c536339cf73c82d2d7bccf948390a1
Instruction Fuzzy Hash: ECE11DB4E002598FDB14DFA9C5909AEFBF2FF89304F248169D415AB356D7319941CFA0

Function 0767CA98 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1271689458.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7670000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82a50b1e3a944936f6367795e0bd4005c4440fec2d9f17bc22d0c721f6ddcb39
Instruction ID: 1b8e6ab4dd10acc921ab1bfdc758b84be0d03a0a06a8fedd9e908cc1822244ef
Opcode Fuzzy Hash: 82a50b1e3a944936f6367795e0bd4005c4440fec2d9f17bc22d0c721f6ddcb39
Instruction Fuzzy Hash: 76E1FBB4E002598FDB14DFA9C590AAEFBB6FF89304F248169D415AB356D730A941CFA0

Function 075D5E48 Relevance: .3, Instructions: 310COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1270900434.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfec1a32f24d4a5be90653d1a129378a33e982708fee0585906443f3cbaa53d0
Instruction ID: b69ee0d9e74071e02f44ec156aa9189e1213b8facec64d777ec829754190c89a
Opcode Fuzzy Hash: dfec1a32f24d4a5be90653d1a129378a33e982708fee0585906443f3cbaa53d0
Instruction Fuzzy Hash: EDC17FB5B002028FDB28DB69C5846AEB7F2FF88200F558569D506DB391DF34EC4ACB91

Function 0158E22C Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1257455747.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1580000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db02802eaaf4f8465be23a62477376feeb16c0841cffd67656fb61692f59859d
Instruction ID: 2182a08467097ea9c807bc4681c862348ac27580dc4772c709466222f5d86f03
Opcode Fuzzy Hash: db02802eaaf4f8465be23a62477376feeb16c0841cffd67656fb61692f59859d
Instruction Fuzzy Hash: 15A17F32E1021A8FCF19EFB5C84059EBBB2FF89300B15456AE906BF265DB71D915CB80

Function 075D9598 Relevance: 6.5, Strings: 5, Instructions: 204COMMON

Download Yara Rule

Strings

C, xrefs: 075D974E
B, xrefs: 075D9749
C, xrefs: 075D969C
?, xrefs: 075D9629
B, xrefs: 075D9697

Memory Dump Source

Source File: 00000000.00000002.1270900434.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID: ?$B$B$C$C
API String ID: 0-1150723364
Opcode ID: b748d4575637460faaca6fd7d0ac02097f8eba86376e883d80a66a02b1846fbc
Instruction ID: 383ebd6e0316b34eb10cb4210c37acd1b606d2347814086fa23e6f0979737be7
Opcode Fuzzy Hash: b748d4575637460faaca6fd7d0ac02097f8eba86376e883d80a66a02b1846fbc
Instruction Fuzzy Hash: 09817DB5E10209DFCB29DFA8C5809EEBBF2FF89210F14856AD4066B351DB31AD45CB91

Analysis Process: HALKBANK EKSTRE.exePID: 320, Parent PID: 6256COMMON

Execution Graph

Execution Coverage:	13.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	26.3%
Total number of Nodes:	57
Total number of Limit Nodes:	10

Executed Functions

Function 0172C530 Relevance: 4.3, Strings: 1, Instructions: 3069COMMON

Download Yara Rule

Strings

N, xrefs: 0172F910

Memory Dump Source

Source File: 0000000B.00000002.2463949234.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1720000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID: N
API String ID: 0-1130791706
Opcode ID: 8eee7f8f6a0bc954d255671fcc9c2ada98a01637ffc01338a3b72ef3af063826
Instruction ID: ad01f55dd80c30025b8974845a63329188fb2aaffe73e0e6369b98dafb4d8913
Opcode Fuzzy Hash: 8eee7f8f6a0bc954d255671fcc9c2ada98a01637ffc01338a3b72ef3af063826
Instruction Fuzzy Hash: AB73D671D1075A8EDB11EF68C844A99FBB1FF99300F51C6DAE44867221EB70AAC5CF81

Function 058F0AB8 Relevance: 3.5, APIs: 2, Instructions: 527
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 058F0D70

Memory Dump Source

Source File: 0000000B.00000002.2468113205.00000000058F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_58f0000_HALKBANK EKSTRE.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 37801cf16bf861b41353ef3bff7c7434924ca53868c8fb947a0e57ab807d4b49
Instruction ID: 435391b618fefca9c0fa12a417ba192c2253ac8abcc9ef0e7ecceb5ff39dc50e
Opcode Fuzzy Hash: 37801cf16bf861b41353ef3bff7c7434924ca53868c8fb947a0e57ab807d4b49
Instruction Fuzzy Hash: 17221774E00219CFDB14DFA8C988B9DBBB2BF88304F1081A9D949AB356DB359D85CF51

Function 058F0CD8 Relevance: 1.6, APIs: 1, Instructions: 88
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 058F0D70

Memory Dump Source

Source File: 0000000B.00000002.2468113205.00000000058F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_58f0000_HALKBANK EKSTRE.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8fc1e6e76f5fd5d041e79afb29c510fc7fbb24f2a5ac58e9b6ad86022d76a3e7
Instruction ID: dd2888707e345da2ecd71863d33e89fc9d0d9c7b127473910d0db88b86ce33f5
Opcode Fuzzy Hash: 8fc1e6e76f5fd5d041e79afb29c510fc7fbb24f2a5ac58e9b6ad86022d76a3e7
Instruction Fuzzy Hash: 9B3103B1D01618DFEB18CFAAD8887DDFBF2BF88314F14C22AD419A72A5DB7049458B00

Function 058F5AD8 Relevance: .3, Instructions: 296
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000B.00000002.2468113205.00000000058F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_58f0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d6a73400ee2786f24adc83cfac3248a4823181550ecb8685443509ec5074435
Instruction ID: 66274fdf42cb30509667bd0fe6c8ad410113f3b2a4d26d967d28f051857a899f
Opcode Fuzzy Hash: 1d6a73400ee2786f24adc83cfac3248a4823181550ecb8685443509ec5074435
Instruction Fuzzy Hash: 82E1A074E01218CFEB24DFA9D944B9DBBB2FF89304F2081A9D809A7294DB355E85CF51

Function 01729480 Relevance: .3, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000B.00000002.2463949234.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1720000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4401860b36b5bef724ea396b4f8dfbaeffaf6dd718a378314cbfd981ac51860
Instruction ID: 92d2d56c4649c7f6a81aa904cb63c3a7fc1e1262a22ff0721caa2fc2ab9aae4d
Opcode Fuzzy Hash: e4401860b36b5bef724ea396b4f8dfbaeffaf6dd718a378314cbfd981ac51860
Instruction Fuzzy Hash: 03C1A074E00228CFDB14DFA9D998B9DBBB2FB89304F2480A9D809A7354DB355E85CF51

Function 01722DD1 Relevance: .3, Instructions: 266
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000B.00000002.2463949234.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1720000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7e2a7eec3a2286e2358180a6dd6b507a1d37802fdafb688b8f366ce675dc758
Instruction ID: e95f5dbb2f1fedfca048701e4ce6865351357be11dcf9a5814358c9d277ce236
Opcode Fuzzy Hash: e7e2a7eec3a2286e2358180a6dd6b507a1d37802fdafb688b8f366ce675dc758
Instruction Fuzzy Hash: 62918530F04324DBDB28DB75985867EBBB3BFC8700B05856DE516EB284DE3999039792

Function 0172C521 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2463949234.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1720000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de4f4bd45470c5a5271262a4a5e2da9cb4d1bcf63375d7225b146cfb479238a4
Instruction ID: b79323877881a2f72c482cec66dbfb4c18e09574d752675fd74b7d44fe87b71b
Opcode Fuzzy Hash: de4f4bd45470c5a5271262a4a5e2da9cb4d1bcf63375d7225b146cfb479238a4
Instruction Fuzzy Hash: B5A12671D0165A8FDB11DFA9C8447DDFBB1EF89300F50C6AAE418A7261EB709A85CF41

Function 01729A40 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2463949234.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1720000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60f4cb270f5f51cba7ae601ca9da9aae945df69cc66bbbe237b9ed2f59917c33
Instruction ID: ec48c8290f24070598de13274f266c37e3bdcab542e4bf3aa38e385e08c536b1
Opcode Fuzzy Hash: 60f4cb270f5f51cba7ae601ca9da9aae945df69cc66bbbe237b9ed2f59917c33
Instruction Fuzzy Hash: CDA11570D00218CFEB24DFA9C588BDDBBB1FF89314F248269E509AB291DB749985CF54

Function 01729A30 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2463949234.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1720000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a452be0228811d0b3df14f60a517754641598bd1b4c6a081f5748ad7864b45e
Instruction ID: 80dd88f784e326b69d931947776469c3fa9ade1f1db0c09ee8d8fd3013d4d091
Opcode Fuzzy Hash: 9a452be0228811d0b3df14f60a517754641598bd1b4c6a081f5748ad7864b45e
Instruction Fuzzy Hash: E9A11470D00219CFEB14DFA9C988BDDBBB1FF89304F248269E509AB291DB749985CF54

Function 01729D87 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2463949234.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1720000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ce4b47e578278792535fcd8966bc68552575dc1a507cf521188f433c41475b4
Instruction ID: ec9a6877403b2d8bf0da33052b54e83335cbc73960c3a82ccf48ea6978400820
Opcode Fuzzy Hash: 9ce4b47e578278792535fcd8966bc68552575dc1a507cf521188f433c41475b4
Instruction Fuzzy Hash: EC91E370D00228CFEB10DFA8C588B9CBBB1FF49314F2482A9E509AB291DB759985CF15

Function 0172946F Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2463949234.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1720000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6da58894be185c990a28d84c972c985a5f9ded4f676bf5b296787431eb230504
Instruction ID: ac0e0262f85f3cdfd68a0ebf7bf7fbdd3f5a63d5e079f9c6a6a25b64412978bb
Opcode Fuzzy Hash: 6da58894be185c990a28d84c972c985a5f9ded4f676bf5b296787431eb230504
Instruction Fuzzy Hash: 3E41F374E01258CBEB18CFAAD85469DFBF2BF89304F24C02AD519AB355DB344946CF50

Function 0172AD3D Relevance: 1.7, Strings: 1, Instructions: 462
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 0172B015

Memory Dump Source

Source File: 0000000B.00000002.2463949234.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1720000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 750c426756da6a80dbf8d42bc9426ac10a6325ffda5222b4f5350897babcf9fa
Instruction ID: de0f774e0ee9a3854faa7ffdfb91d4c571a6990b2cee4c0402816e52f92ebcdb
Opcode Fuzzy Hash: 750c426756da6a80dbf8d42bc9426ac10a6325ffda5222b4f5350897babcf9fa
Instruction Fuzzy Hash: CF61D9307042159FDB26AF78A45922DBBE6FFC5221F24852DE5169B3D0DF358D02C791

Function 0172AF78 Relevance: 1.6, Strings: 1, Instructions: 316
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 0172B065

Memory Dump Source

Source File: 0000000B.00000002.2463949234.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1720000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: bcaa1ca8f2973d8fd5479b3c1a7e8597841bf9272e65587fae2c6cb4654b42fc
Instruction ID: e1dbd1f80ffdbe6576455a6a85f589cb4072e43aa4655584f1b90713ebfe039e
Opcode Fuzzy Hash: bcaa1ca8f2973d8fd5479b3c1a7e8597841bf9272e65587fae2c6cb4654b42fc
Instruction Fuzzy Hash: 37B1E4307042159FDB269F78A89962DBBE6FFC5220F24852AE6268B3D1CF359C02C751

Function 058F10BC Relevance: 1.6, APIs: 1, Instructions: 62
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(00000000), ref: 058F11FE

Memory Dump Source

Source File: 0000000B.00000002.2468113205.00000000058F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_58f0000_HALKBANK EKSTRE.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0e061c5740dccac61ba024a236295301a095d27104f88c395fd98e33a28f252e
Instruction ID: 4dc39b5d8363ec7fadf25dbeac6031c4a424a74f5bd95d314d20cfc3c7894140
Opcode Fuzzy Hash: 0e061c5740dccac61ba024a236295301a095d27104f88c395fd98e33a28f252e
Instruction Fuzzy Hash: 18114C74E05219DFDB04DBA8D988EADB7B9FB88304F548165E904E7246D730AD81CB61

Function 0172B500 Relevance: .4, Instructions: 383
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000B.00000002.2463949234.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1720000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07b8c83431ac8f2ed93d6a91e9b96391c55c21ac0a8a98c102e9f17cc3f4e008
Instruction ID: 12558c35135b38dd9aab2e8903084fb839fe3f6faf9c2bfb1ce16c9c21d40322
Opcode Fuzzy Hash: 07b8c83431ac8f2ed93d6a91e9b96391c55c21ac0a8a98c102e9f17cc3f4e008
Instruction Fuzzy Hash: 19D1D431B042148FDB25DB6CD894AADBBB6FFC9320F244069E505EB3A1CA75DC46CB91

Function 0172BF80 Relevance: .2, Instructions: 224
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000B.00000002.2463949234.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1720000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa8f6606e71ebc78d18b19da92c5a7a49c9ec06f2153be0a43e1cddcd2e62d83
Instruction ID: 54c5a416da60db6649b1ed24b28bd49d39d8ee62a3c23a8fbfcad2c51739323c
Opcode Fuzzy Hash: aa8f6606e71ebc78d18b19da92c5a7a49c9ec06f2153be0a43e1cddcd2e62d83
Instruction Fuzzy Hash: B161F476B002159FD725CBBCDC44AAEFBBAEBD9324B14852AE519D7340D635DC0287A0

Function 01722BE4 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2463949234.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1720000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b728949adfe91c383c4d99293f38c5e431f30a737f6d9c6757cf8d1eee11ec74
Instruction ID: 7d9482475308800bbd5b0d537d47f252f5971afeff3df5fe3f619da17613f690
Opcode Fuzzy Hash: b728949adfe91c383c4d99293f38c5e431f30a737f6d9c6757cf8d1eee11ec74
Instruction Fuzzy Hash: B8514E72B242354BDF2D0598C89E3B5EFB3AB99230B4C016AE943D72B7D674D8C74249

Function 01720B20 Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2463949234.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1720000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d9b8a52faf63a05cb4bf8398b7b45575def6885b7980a3fb37f5f4261f3a36c
Instruction ID: 8d177b7ee6edc34b4b2fb936be242f83ab4cb31bc50063ba2e328c2d409f19c9
Opcode Fuzzy Hash: 9d9b8a52faf63a05cb4bf8398b7b45575def6885b7980a3fb37f5f4261f3a36c
Instruction Fuzzy Hash: 00A1EAB4E0020ACFCF14DFA8F988A9DBBB1FB89314B504169E415AB355DB396D06CF91

Function 01720B30 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2463949234.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1720000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd12a1e624b281c0f3976e50ae86d3568babe9c96f0e25a3c2ba215f51bd6e25
Instruction ID: ed52f1499c971b8afc54d442f76b185b00fce3972b5c7fb9be5a108e7e9e95f9
Opcode Fuzzy Hash: fd12a1e624b281c0f3976e50ae86d3568babe9c96f0e25a3c2ba215f51bd6e25
Instruction Fuzzy Hash: BEA1D8B4E0020ACFCF14DFA8F988A9DBBB1FB89314B504169E415AB355DB396D06CF91

Function 01723F78 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2463949234.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1720000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ede7f7d1ede7a7d95d53a555f811a3fd25a7a3594fdc4eb74e8e78a95577bec
Instruction ID: 7511d67b37b9317dd881040d71603b4631788b29f397d4278a86e0b3689dcfd0
Opcode Fuzzy Hash: 6ede7f7d1ede7a7d95d53a555f811a3fd25a7a3594fdc4eb74e8e78a95577bec
Instruction Fuzzy Hash: 2451C374E00618DFDB54DFA9D884A9DFBF2BF89310F108469E816AB354DB349946CF50

Function 01723168 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2463949234.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1720000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a584cd60aadb52abebfc81943785dfcb8343a7ad514dd79b60b699d410be4674
Instruction ID: 4b6b6e216842157ab33e67149023d7547b9b91ca45176c79ea7535dbbde4dab5
Opcode Fuzzy Hash: a584cd60aadb52abebfc81943785dfcb8343a7ad514dd79b60b699d410be4674
Instruction Fuzzy Hash: 6841A0B4E01218CFDB18DFAAD88499DBBF2BF89310F648129E415BB364DB359846CF14

Function 01729249 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2463949234.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1720000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e85ff73f3a274f743a7d1835b7604782c631e537a9c24855ca7b47687e53681d
Instruction ID: cc3e8f5a108bacbeeef7ae060d23f6c0029898f8731e995a0a90b18a3cc27997
Opcode Fuzzy Hash: e85ff73f3a274f743a7d1835b7604782c631e537a9c24855ca7b47687e53681d
Instruction Fuzzy Hash: 3131BE7003624ACFD200EB61F5AE23A7FA5FB8F357B44ED01F11E818558F354548ABA1

Function 0172B869 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2463949234.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1720000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbb997bbf5e6dfcf8460ec412d0b72509a01e8f11b38105905ecd3a19d6ffd56
Instruction ID: 5d560bd8c36083ec48cbfff184349ac9f9a50215cf3a2fb7f5174027b76fd3a8
Opcode Fuzzy Hash: cbb997bbf5e6dfcf8460ec412d0b72509a01e8f11b38105905ecd3a19d6ffd56
Instruction Fuzzy Hash: 7C313935B002198FDB55EFA8C484E9DBBB6FF88220F195444E505AF361CB75EC86CB91

Function 0172B89D Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2463949234.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1720000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c432870f5b653acee9e67654f7db9574a8de6325d32292f3eb271a69e23bbe7
Instruction ID: b3b34c4ea9834df61bc40018bc31743ba7dae3cee7f52014b4f91b075ca98665
Opcode Fuzzy Hash: 9c432870f5b653acee9e67654f7db9574a8de6325d32292f3eb271a69e23bbe7
Instruction Fuzzy Hash: 74313A35B002198FDB55EFA8C484E9DBBB6FF88220F195454E501AF361CB75EC86CB91

Function 0172BDE8 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2463949234.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1720000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90e92efe4e822c5d8f7d780c03f9039d0a79eef1d03924b6634c9e4bd4d7dcaf
Instruction ID: 3b29e6b8e37d8f1e87a375c20006e4c4035c6d5f6ebd29f631d320b7f35431c4
Opcode Fuzzy Hash: 90e92efe4e822c5d8f7d780c03f9039d0a79eef1d03924b6634c9e4bd4d7dcaf
Instruction Fuzzy Hash: F1217E34B04205DFD708EF69D954A6DBBB6FFC9210F24806AD60A9B3A5CF319D02CB90

Function 0154D006 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2462467597.000000000154D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0154D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_154d000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33667804b70c5f46833dd92eadb8f94bb4d2d3066e442c953838d54f26f6ce9a
Instruction ID: cceeb5a25259797234e353daa382b1dff57c7c722734909cc5c95f903b32c337
Opcode Fuzzy Hash: 33667804b70c5f46833dd92eadb8f94bb4d2d3066e442c953838d54f26f6ce9a
Instruction Fuzzy Hash: 653189755093C48FCB13CB64C890705BF71AB46218F29C5DBD9888F2A3D23A980ACB62

Function 017218C8 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2463949234.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1720000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7384b6e92fc5d4b62fa7366bd12f892e4610b19538380042f1cf69e0f71bb9ef
Instruction ID: 18cf887f8c78e176f6aef9378b8fafd18ea322cb1fb9af5c350c5febae5043cd
Opcode Fuzzy Hash: 7384b6e92fc5d4b62fa7366bd12f892e4610b19538380042f1cf69e0f71bb9ef
Instruction Fuzzy Hash: 6B219235B00154AFCF24DF3CD8909AEBBB5EB89360B508159D959AB340DB35EE07CB91

Function 0172BC28 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2463949234.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1720000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7e7bcd23ef015ae1162fd1e5ee914b95931d03f63c64c7dd2b7892f0453107c
Instruction ID: 1bb8a6a343793674ef30ecb7f03c3fb2e7a55146e8bb7eab0b089a0a57530ed6
Opcode Fuzzy Hash: f7e7bcd23ef015ae1162fd1e5ee914b95931d03f63c64c7dd2b7892f0453107c
Instruction Fuzzy Hash: 342105357083554FCB16A7B8A82966D7FA5EF86241F1944FAD649CB792DC34DC028390

Function 0154D030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2462467597.000000000154D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0154D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_154d000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02ba6bd737cc3e284a0ce9ed9073cdcf9b74110f6496def391767b505dee0216
Instruction ID: 016fae32229ea47a3aaa013c7a83b129ab3daaf78813e77b20cefb0db9c7e3c1
Opcode Fuzzy Hash: 02ba6bd737cc3e284a0ce9ed9073cdcf9b74110f6496def391767b505dee0216
Instruction Fuzzy Hash: C4210071604204DFDB15DF94D980B26BBB1FB94318F20C96DE90E0F292D33AD447CA62

Function 0172BD01 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2463949234.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1720000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 440dd344a46ca0a41eed98c96be1a1c94b247a31c37f6602136639fd87c570c0
Instruction ID: 86cc57f9857f80b53e39e5305e88e6a677d8c18571f12f3441918062c0314290
Opcode Fuzzy Hash: 440dd344a46ca0a41eed98c96be1a1c94b247a31c37f6602136639fd87c570c0
Instruction Fuzzy Hash: 80216F71A04209EFDB44EFB9D855AAEBBF6FF88300F104069E109DB255DE309E02CB90

Function 01720EC8 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2463949234.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1720000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f647c051e059023cab6ef0101e38361526424db203b9b624335b6e54a1c4e46
Instruction ID: df07b5b8ea14072daaf2085b5c0b51a60bbaad7e77d2d59bbbf512afa41b6ea0
Opcode Fuzzy Hash: 6f647c051e059023cab6ef0101e38361526424db203b9b624335b6e54a1c4e46
Instruction Fuzzy Hash: 40216A74E442599FDB44EFA8D444BAEBBB2FFC9304F0084A9D4145B344CB788946CF51

Function 017217B8 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2463949234.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1720000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 956faf20eb79c042a071cd78267e12de4669af93052ffee48e34440541a18eca
Instruction ID: 278a09066bb7fb97ecb8f5b7adea981ec3a91929640dc9d14667c4ca4ac708f4
Opcode Fuzzy Hash: 956faf20eb79c042a071cd78267e12de4669af93052ffee48e34440541a18eca
Instruction Fuzzy Hash: C6212570D0924A8FCB15DFA8D8945EEBFF0FF4A314F0041AAD405B7225E7304A85CBA1

Function 0172BB48 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2463949234.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1720000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcaaa9f8dd03fabf9d2fb55f496df60c8e1753176072f887301dac8faeb3390b
Instruction ID: 83709ff1d2a66541ef98586d87eff03464934b9dba7c7b2ddfbb274db26cf808
Opcode Fuzzy Hash: bcaaa9f8dd03fabf9d2fb55f496df60c8e1753176072f887301dac8faeb3390b
Instruction Fuzzy Hash: DF114C36700214CFD724DB69D994E66B7F6FF98721B118079E24A8F365CA71EC02CB50

Function 01724850 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2463949234.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1720000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3aa16a47ecc718b32f6a0eee437ec4e48ac05547e88d9661fa09ef84a6a7b275
Instruction ID: 2961b4b36961c9e2744cea85bdb542560e3b31f7eaeddd3dfadcd28e17a87c32
Opcode Fuzzy Hash: 3aa16a47ecc718b32f6a0eee437ec4e48ac05547e88d9661fa09ef84a6a7b275
Instruction Fuzzy Hash: 4001DA32F003144FDB38AEB9885462EAAEAAFC5221310813ED906CB255EEB0C8028B50

Function 01724860 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2463949234.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1720000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a6c5ded621e96064ad439cbd0991071a3f14b3ce889764d34e51cbe21c8eb38
Instruction ID: 6014067c15ed9f0e0961ec4c6e01cda713b537bf4b8ecbbe0bfd81635d57ae8d
Opcode Fuzzy Hash: 5a6c5ded621e96064ad439cbd0991071a3f14b3ce889764d34e51cbe21c8eb38
Instruction Fuzzy Hash: FF016232F042145BD734AFBD885462EBAEBAFC4665314453ED906C7755FEB0CC028791

Function 0172BB37 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2463949234.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1720000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88289142efe1021591855aced41daa2f8464edf7e8ba43730fb866df7f390fc4
Instruction ID: 9ddf7ceda5f5b24dc82618e138760df2643b8d409735beb0f47302fc02c016da
Opcode Fuzzy Hash: 88289142efe1021591855aced41daa2f8464edf7e8ba43730fb866df7f390fc4
Instruction Fuzzy Hash: 82016935700210CFD725DF69D998B66B7E5FF88721F1580B9E1498F365CA70E842CB11

Function 0172A508 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2463949234.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1720000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0d4914275e478285bdd4f87ee7ade373be030bd361cc67f6a767a4962ebda2b
Instruction ID: 6d29913c9471e75dda96278c2cfcac7fd3830ecd88acb9c3288b564e9f67f137
Opcode Fuzzy Hash: e0d4914275e478285bdd4f87ee7ade373be030bd361cc67f6a767a4962ebda2b
Instruction Fuzzy Hash: D4018C71A002199FCB14DFA9E8499AE7FB9EB88310F10802AF91A93240DB309D11DBA1

Function 0172A4F9 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2463949234.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1720000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5049e7ca934858a27d8be6f755f1a420cb3f9b640f6ff6e8e6c7f0a842bb5c9
Instruction ID: a6519ae4367b203c99460335ce0db1ffabddd26519e66eca876f19cb5620fb84
Opcode Fuzzy Hash: e5049e7ca934858a27d8be6f755f1a420cb3f9b640f6ff6e8e6c7f0a842bb5c9
Instruction Fuzzy Hash: E8018F75E001199FCB10DFA9E848AAF7FB5FB88310F10812AF919D3640DB308D11DBA1

Function 0172BEF8 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2463949234.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1720000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad5bb56df9e8af059dd2fc9cd326655a45a3d73466f2f993e366eefa0991eea7
Instruction ID: cb25277550fbb511f21a5bd0c390449db2ff3073481c60372a1dfda3d6a8c78d
Opcode Fuzzy Hash: ad5bb56df9e8af059dd2fc9cd326655a45a3d73466f2f993e366eefa0991eea7
Instruction Fuzzy Hash: E8F04C313183549BC7155BB4A80962D3F96EBCA711F14446AF60AC7381DE36CC02D781

Function 0172BD78 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2463949234.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1720000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f11dfe33fd3dafe2edb93638a550b70e26cf6138ca847c3c089b04b9576603e2
Instruction ID: c72147a1638a378b848fa7ae30722028a69487228228b6a9e952d453fbda52e2
Opcode Fuzzy Hash: f11dfe33fd3dafe2edb93638a550b70e26cf6138ca847c3c089b04b9576603e2
Instruction Fuzzy Hash: F6F04972A00118AFCB40EFA9D8449BFBBF9EF89210B00406AF619D7211DA3099128BA0

Function 0172C1B0 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2463949234.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1720000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99a2955ae5e45b09b6dca99cf8440c2f4075190862d74e020437619895f8d7b8
Instruction ID: e4c9a22466c36fc9a1fa50bb37d74488214566174115aeeb5c7c941907853123
Opcode Fuzzy Hash: 99a2955ae5e45b09b6dca99cf8440c2f4075190862d74e020437619895f8d7b8
Instruction Fuzzy Hash: 76F0A072B046259BCB1A966EE42596EFBAEEFC5631714407AE509DB390CE32DC038790

Function 0172B9EB Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2463949234.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1720000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 455a0c86c8bb85daed62a8eb55824b72b1d9a35e8f2d01e5de3a06b2371561d2
Instruction ID: 55e74030ee96abe6aaab36d53018271492a871d74abf0bc2edd385c53aa8667c
Opcode Fuzzy Hash: 455a0c86c8bb85daed62a8eb55824b72b1d9a35e8f2d01e5de3a06b2371561d2
Instruction Fuzzy Hash: 57F0B479E002089F8B50DFA9D845A9FF7F5FF88250704413AD505E3601E77499068BE1

Function 0172B9F8 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2463949234.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1720000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eded07ece99769e1a04911bf679ce35aa37f69a685dd0baee21c7e9734d205bf
Instruction ID: 72d3e34555554fe0185ff6f1c9afad95ee074cb32a0d8422b13875162e3e180a
Opcode Fuzzy Hash: eded07ece99769e1a04911bf679ce35aa37f69a685dd0baee21c7e9734d205bf
Instruction Fuzzy Hash: 16F0A771E002189F8B60DFA9D84099FFBFAFF9C250B00413AD509D3601E7709A16DBE1

Function 017246C9 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2463949234.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1720000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a627e71265a6f68413aad37de2b89a62d23d4c6b720c41d0ab21632b1f33fda8
Instruction ID: fee714d2387d34905ef43ed5ae347071f7873e89dea7fa992f3e80891843149c
Opcode Fuzzy Hash: a627e71265a6f68413aad37de2b89a62d23d4c6b720c41d0ab21632b1f33fda8
Instruction Fuzzy Hash: C7F0A538475342CFE3216F24B4AC37A7B70FB0B31BB066C05E02A8A019EB300118EF54

Function 017246D8 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2463949234.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1720000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ce7336f5fcde783f55777b773c134adb6c2228d2820506cdca74504ba9cf35c
Instruction ID: 8bc5099a689050e2469b64ae1f3324fcc654783b7268b0f12f86cae937afd94e
Opcode Fuzzy Hash: 7ce7336f5fcde783f55777b773c134adb6c2228d2820506cdca74504ba9cf35c
Instruction Fuzzy Hash: 0DE092380353428FE2312B24B5AC37A7A75EB0B31BB422C00E12EC9019AF70404CEB94

Function 01721877 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2463949234.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1720000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f27589284935bae65f0f3b8ec8ae90ee2029fa0bf898bc5283add3e18bf4c31
Instruction ID: 15f7614deaea56bb62fc704fd2fe5aaa72b46a3cc5c1367db4d67abf48b4f964
Opcode Fuzzy Hash: 5f27589284935bae65f0f3b8ec8ae90ee2029fa0bf898bc5283add3e18bf4c31
Instruction Fuzzy Hash: 60E04F36D242654BCB119BA898106FEBB74AF92320F544267D46437141EB70156BCAA0

Function 01721888 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2463949234.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1720000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 096cdb5ee895eb513d2eb3bec8fb06e6046f2cee208159cd2d64c0e48339401b
Instruction ID: ee16be36feb218d148707ccc4d7b5a8a4dd55e02ab04a042230d39d4202e75ee
Opcode Fuzzy Hash: 096cdb5ee895eb513d2eb3bec8fb06e6046f2cee208159cd2d64c0e48339401b
Instruction Fuzzy Hash: F6D05B31D2022A57CB10E7A5DC048DFFB38EED5321B514666D51437140FB702659C6F1

Function 01724831 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2463949234.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1720000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3edcb87b35ee23f5536fc2ab61079735732371d644f2392c480d89b82c8fcc9
Instruction ID: f6a24adc3f04f4f07e0b7a530247182f2429287390c12e87f7f5071e92ca788d
Opcode Fuzzy Hash: b3edcb87b35ee23f5536fc2ab61079735732371d644f2392c480d89b82c8fcc9
Instruction Fuzzy Hash: 50C08CB140D3C04FCF138B28CC620063BF0ED03601B0448DED0428700AD5149100CB02

Non-executed Functions

Function 058F8588 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2468113205.00000000058F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_58f0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 067eaa916e0f83dcb010bcd2fe140e01c1658f559d31019ab44cf1c1d52a9c1f
Instruction ID: e7fd87a4444e31cb02f8a9e610ce3fe2b449a479c06a510ba6dd2586cb237069
Opcode Fuzzy Hash: 067eaa916e0f83dcb010bcd2fe140e01c1658f559d31019ab44cf1c1d52a9c1f
Instruction Fuzzy Hash: 0FC1AD74E00218CFDB14DFA9D998B9DBBB2FB89300F6080A9D909AB354DB355E85CF51

Function 058F4DD0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2468113205.00000000058F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_58f0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07542daa0d42284656bc715f6aafa2c941a972c181903e9a9f2e0f1359bcc25e
Instruction ID: 2f7cbf2e16592c060692b6b5a72375b0c96d1af67191f62a28b96371a9fd85e0
Opcode Fuzzy Hash: 07542daa0d42284656bc715f6aafa2c941a972c181903e9a9f2e0f1359bcc25e
Instruction Fuzzy Hash: 44C19E74E00218CFDB24DFA9D994B9DBBB2FB89304F6080A9D809AB354DB355E85CF51

Function 058F4520 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2468113205.00000000058F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_58f0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1b5e138e3bb1fd1e0392cd3fa33673b25347e7d6c0c86dc8d93e1a7f9f73941
Instruction ID: d4ad3cb58e0463b8799ee3718a86f7c57756c6c6e5468fd36263e4c731f2c87c
Opcode Fuzzy Hash: c1b5e138e3bb1fd1e0392cd3fa33673b25347e7d6c0c86dc8d93e1a7f9f73941
Instruction Fuzzy Hash: FAC19074E00218CFDB14DFA9D954B9DBBB2FB89300F5080A9D809AB365DB355E85CF51

Function 058F8130 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2468113205.00000000058F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_58f0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a69b696b419632e7233755695ef7269ff52a92b7039d84f50a7070892782677
Instruction ID: 7b455e5be99ec0631f713d3b5b01306ad67b5f9a93fa21c6b8b73ab01210b2d3
Opcode Fuzzy Hash: 9a69b696b419632e7233755695ef7269ff52a92b7039d84f50a7070892782677
Instruction Fuzzy Hash: 42C1AD74E00218CFDB14DFA9D994B9DBBB2FB89300F6080A9D809AB355DB359E85CF51

Function 058F4978 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2468113205.00000000058F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_58f0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4ab6efc4ff4a65a43baddd421486aca40d33d33cf54903a89eeaa451942890f
Instruction ID: a35bc476ecaee764ceed2b8945f44daf63425e9ec3b3f20bc1fdbb83d805183c
Opcode Fuzzy Hash: c4ab6efc4ff4a65a43baddd421486aca40d33d33cf54903a89eeaa451942890f
Instruction Fuzzy Hash: 70C1AF74E00218CFDB14DFA9D994B9DBBB2FB89300F6080AAD809AB355DB355E85CF51

Function 058F7880 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2468113205.00000000058F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_58f0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3941a4d69f4fcde18cd6a6a2a4cf81b920e0822fcc4132436508f84b690653b8
Instruction ID: 84f7b712b6e69e362bfea558514e4489901113946703301c16809dd0d201848f
Opcode Fuzzy Hash: 3941a4d69f4fcde18cd6a6a2a4cf81b920e0822fcc4132436508f84b690653b8
Instruction Fuzzy Hash: 21C1BE74E00218CFEB14DFA9D994B9DBBB2FB89300F6080A9D809AB355DB355E85CF51

Function 058FF8B0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2468113205.00000000058F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_58f0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69ba559c877766d14ff27a968fac6e7706e6fd568dcdf7fd120e0c8edded9fd8
Instruction ID: 9f124c782044695bf6d05b76e62612552ad9f3686278374b7dfe22efac5df7f2
Opcode Fuzzy Hash: 69ba559c877766d14ff27a968fac6e7706e6fd568dcdf7fd120e0c8edded9fd8
Instruction Fuzzy Hash: C6C1AD74E00218CFDB14DFA9C994B9DBBB2EF89304F6080A9D909AB354DB355E85CF51

Function 058F7CD8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2468113205.00000000058F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_58f0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9686740e836678d190f566363c418d8c049adab34d3a3b7a8976fe8ec11019f
Instruction ID: 9c27289ff75086cf01752a140b36790dc12cdd3ff1b0a30a650d7eb12a1799f6
Opcode Fuzzy Hash: b9686740e836678d190f566363c418d8c049adab34d3a3b7a8976fe8ec11019f
Instruction Fuzzy Hash: 13C1AE74E00218CFDB14DFA9D994B9DBBB2FB89300F6080A9D909AB354DB355E85CF51

Function 058FF000 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2468113205.00000000058F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_58f0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a172bfb9ed6bf06ddc7e6b9610af3afcd1831f8f0b9c9b74c110093d9c42ff29
Instruction ID: 9fd492a3aa0881825dc4a4706001ecae621e7a281138c7bd862acdb69e6b49e5
Opcode Fuzzy Hash: a172bfb9ed6bf06ddc7e6b9610af3afcd1831f8f0b9c9b74c110093d9c42ff29
Instruction Fuzzy Hash: 41C1AC74E00218CFDB14DFA9D994B9DBBB2EB89300F6080A9D909AB354DB359E85CF51

Function 058F7428 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2468113205.00000000058F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_58f0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7955700eb28846d73b47e385470e97f12877a2737824e3c8a7481652408edfa
Instruction ID: 23e81adfdedba95d92233049de02cb430d886f0b012e23a71676c519781c51e1
Opcode Fuzzy Hash: d7955700eb28846d73b47e385470e97f12877a2737824e3c8a7481652408edfa
Instruction Fuzzy Hash: 99C1BD74E00218CFEB14DFA9D994B9DBBB2FB89300F6080A9D909AB354DB355E85CF51

Function 058FF458 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2468113205.00000000058F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_58f0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20b0d4d327f5174dee336d387ed8aa29d2f30af6bb9dc8fdf615bbbbf65616df
Instruction ID: 018e91a55f13b693f825772e37ae1aa37b9b609e8479be2e0bd986edb9913978
Opcode Fuzzy Hash: 20b0d4d327f5174dee336d387ed8aa29d2f30af6bb9dc8fdf615bbbbf65616df
Instruction Fuzzy Hash: 9DC1BD74E00218CFDB14DFA9D984B9DBBB2EF89300F6080A9D909AB354DB359E85CF51

Function 058FEBA8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2468113205.00000000058F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_58f0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86445af38c37342df680b5b8ff5f757abe00b7d72c32487c236321238be2f876
Instruction ID: 0475c0392ddc431f9b65efb655a975b047e68dd53fa814092f17a16b6e810b1f
Opcode Fuzzy Hash: 86445af38c37342df680b5b8ff5f757abe00b7d72c32487c236321238be2f876
Instruction Fuzzy Hash: 09C1AE74E00218CFDB54DFA9D994B9DBBB2FB89300F6080A9D809AB364DB355E85CF51

Function 058F6FD0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2468113205.00000000058F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_58f0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17d2fa6dff2970db91207d5ba6b0e92288fe6cda409e4680d25a0876497bf0ba
Instruction ID: 9e7e5270a181e3d707bd1f6d05ded05d41cf096008664c6900bd3441948ec2bc
Opcode Fuzzy Hash: 17d2fa6dff2970db91207d5ba6b0e92288fe6cda409e4680d25a0876497bf0ba
Instruction Fuzzy Hash: D0C1AD74E00218CFEB14DFA9D994B9DBBB2FB89300F6080A9D809AB354DB355E85CF51

Function 058FE750 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2468113205.00000000058F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_58f0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d0233cfc2e629e7da7dd5872ecd261fc201006fa3ecee7b79a77b203137cefe
Instruction ID: 6217c579aaeb70a2f9cbaf0cd95d5e204f4f5115e13d0335fa4e08222d2f33f8
Opcode Fuzzy Hash: 1d0233cfc2e629e7da7dd5872ecd261fc201006fa3ecee7b79a77b203137cefe
Instruction Fuzzy Hash: C1C1BE74E01218CFDB54DFA9D984B9DBBB2FB89300F6080A9D809AB354DB355E85CF51

Function 058F5680 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2468113205.00000000058F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_58f0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4529e25ef59d8cf286cc5c0615df48b4ebf61d7c87469cffb92c1b1f3853f365
Instruction ID: b3616e7ed7e50e578d4b9e3950e7e6d9f9ce563b7665f47fb5abd81c4ea24a6b
Opcode Fuzzy Hash: 4529e25ef59d8cf286cc5c0615df48b4ebf61d7c87469cffb92c1b1f3853f365
Instruction Fuzzy Hash: 44C19D74E00218CFDB24DFA9D994B9DBBB2FB89300F6080A9D809AB354DB355E85CF51

Function 058FE2F8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2468113205.00000000058F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_58f0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64a4a325f5e4eca1d7aacd93fcd85751f7f55378a71d87eeb9f49fe8711d1b7d
Instruction ID: 3bbac2234907181f3f8aeb657b24b993d8325871854bf91347406c23c58ec4c5
Opcode Fuzzy Hash: 64a4a325f5e4eca1d7aacd93fcd85751f7f55378a71d87eeb9f49fe8711d1b7d
Instruction Fuzzy Hash: 21C1AE74E00218CFDB54DFA9C994B9DBBB2FB89300F6080A9D909AB364DB355E85CF51

Function 058F5228 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2468113205.00000000058F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_58f0000_HALKBANK EKSTRE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a7d08c3c8baa966c0b953b96c666641b30a5645dd1e0c7e95d2e8bb21503a6d
Instruction ID: dc30729fea79903864e0b9d8d33c1f8d6ecdb5ca6a274dab177720274b2970fd
Opcode Fuzzy Hash: 2a7d08c3c8baa966c0b953b96c666641b30a5645dd1e0c7e95d2e8bb21503a6d
Instruction Fuzzy Hash: EEC1AD74E00218CFDB24DFA9D994B9DBBB2FB89300F6080A9D809AB355DB355E85CF51

Analysis Process: gaOQxNyy.exePID: 7180, Parent PID: 932COMMON

Execution Graph

Execution Coverage:	11%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	138
Total number of Limit Nodes:	16

Executed Functions

Function 078F0E78 Relevance: 1.9, Strings: 1, Instructions: 640
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

W, xrefs: 078F10AD

Memory Dump Source

Source File: 0000000D.00000002.1322266371.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_78f0000_gaOQxNyy.jbxd

Similarity

API ID:
String ID: W
API String ID: 0-655174618
Opcode ID: 8509e2fe9e8225658f353a73dba788a28657f8d3ece87c59b14905ebe6cf8516
Instruction ID: 138bc8a19d2e89a31b764469b3a2edae199671d5632f2e951c4d0967232d00e8
Opcode Fuzzy Hash: 8509e2fe9e8225658f353a73dba788a28657f8d3ece87c59b14905ebe6cf8516
Instruction Fuzzy Hash: E4425AB0A00345CFDB19DF68D488AAABBF6BF99300F158469D506DB7A1DB35EC41CB90

Function 07585FD8 Relevance: .5, Instructions: 521COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1321540992.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7580000_gaOQxNyy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ff29dcb6f476d973a6c82a35039623386e71a693e235dd7e12c94c8122a94f2
Instruction ID: 19527ee547ac81f59f3fc3a598e157ff8da2c14ec06682a1edd60febbf742102
Opcode Fuzzy Hash: 8ff29dcb6f476d973a6c82a35039623386e71a693e235dd7e12c94c8122a94f2
Instruction Fuzzy Hash: A2126FB4B002058FDB54EF68D494AAEB7F6FF88710B158569D906EB365DB31DC02CB90

Function 078F0710 Relevance: .5, Instructions: 462COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1322266371.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_78f0000_gaOQxNyy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bcd5ac9a96fa5bca0e400b228b34acbe7d78a2c502615c1fcc918fa59cdc2c1
Instruction ID: 76e25d079d84271e89b96980f5737891c1d7c40f6dcf4995e21957a5b6d1d134
Opcode Fuzzy Hash: 6bcd5ac9a96fa5bca0e400b228b34acbe7d78a2c502615c1fcc918fa59cdc2c1
Instruction Fuzzy Hash: B91259B4A00245CFD714DF68D584AAABBF2FF98300B19C599E509DB762D730ED42CBA0

Function 07581F30 Relevance: 9.5, Strings: 5, Instructions: 3211
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

H;^t, xrefs: 075847F0
:^t, xrefs: 07584B64
Ld^t, xrefs: 07584851
(:^t, xrefs: 07584A36
09^t, xrefs: 07584913

Memory Dump Source

Source File: 0000000D.00000002.1321540992.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7580000_gaOQxNyy.jbxd

Similarity

API ID:
String ID: (:^t$09^t$H;^t$Ld^t$:^t
API String ID: 0-3972638153
Opcode ID: e00675140d4270a20fca4b4deb8228238cd441333ff02cf9987455f80c5735a2
Instruction ID: 657a97eea736f5199cb7c9219ae19fb07720d6207e0fe146b2c1109d8b2b2c9c
Opcode Fuzzy Hash: e00675140d4270a20fca4b4deb8228238cd441333ff02cf9987455f80c5735a2
Instruction Fuzzy Hash: 5C63ADB0E40318AFEB219B51CC50BEEB7B6FF89300F100099E2496B6D0EA765E95DF55

Function 078F0CBA Relevance: 2.6, Strings: 2, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

W, xrefs: 078F0CC5
@, xrefs: 078F0CFA

Memory Dump Source

Source File: 0000000D.00000002.1322266371.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_78f0000_gaOQxNyy.jbxd

Similarity

API ID:
String ID: @$W
API String ID: 0-2335994147
Opcode ID: 4cb5a4c478728d62cfd6618c3e4c89a4aa5174b2fa78ced75c683fde013cd8b8
Instruction ID: 0fc86d412d0497b4a5e315bda241c9f7188f6219028683104007b60b8f77a4fb
Opcode Fuzzy Hash: 4cb5a4c478728d62cfd6618c3e4c89a4aa5174b2fa78ced75c683fde013cd8b8
Instruction Fuzzy Hash: 1121A372A0021A9FCB15CF68C880EEFBBB5BF89210F048066E604DB252D734DA55DB90

Function 078FEBB2 Relevance: 1.4, Strings: 1, Instructions: 156COMMON

Download Yara Rule

Strings

0,Wq, xrefs: 078FEC12

Memory Dump Source

Source File: 0000000D.00000002.1322266371.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_78f0000_gaOQxNyy.jbxd

Similarity

API ID:
String ID: 0,Wq
API String ID: 0-851448320
Opcode ID: 86805ee14075306d4ad0f76a15fc7195583c956994afc4d42afbf5e462645bbc
Instruction ID: 5f79dc4968533e7d52493abcb759a6f05f11295f79c970b0f46840b9728c969d
Opcode Fuzzy Hash: 86805ee14075306d4ad0f76a15fc7195583c956994afc4d42afbf5e462645bbc
Instruction Fuzzy Hash: AC519131F002189FD700BF78E849B9E7BB2EF88700F1588A9D9819B296DF756D49C781

Function 078FEBC0 Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

0,Wq, xrefs: 078FEC12

Memory Dump Source

Source File: 0000000D.00000002.1322266371.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_78f0000_gaOQxNyy.jbxd

Similarity

API ID:
String ID: 0,Wq
API String ID: 0-851448320
Opcode ID: 4d3ec30e202c777b697ac696e2b76a3a181da5871c9e55a617d8cf6d365310fb
Instruction ID: ef86d0ea6cef5c601938e65b09d2e56e0296b7aa51f0c1f21fd68c754cec4123
Opcode Fuzzy Hash: 4d3ec30e202c777b697ac696e2b76a3a181da5871c9e55a617d8cf6d365310fb
Instruction Fuzzy Hash: 56519031F002189FD704BF78E849BAE7BB2EF88300F1584A9D9859B396DF756D498781

Function 078F0CC8 Relevance: 1.4, Strings: 1, Instructions: 149COMMON

Download Yara Rule

Strings

@, xrefs: 078F0E30

Memory Dump Source

Source File: 0000000D.00000002.1322266371.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_78f0000_gaOQxNyy.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 0e3ac1f6000199ca533643f91518b41ae52dd83938b644bc530887244b2ffe99
Instruction ID: c48cc777a8c311b37711e0cde3dd1344cf592328c36ffc972674f8e2da369612
Opcode Fuzzy Hash: 0e3ac1f6000199ca533643f91518b41ae52dd83938b644bc530887244b2ffe99
Instruction Fuzzy Hash: 265195B5A0020A9FDB15DF64C884AEEBBF5FF58310F14806AE905EB252D730DD55CB90

Function 078F18A8 Relevance: 1.3, Strings: 1, Instructions: 54COMMON

Download Yara Rule

Strings

W, xrefs: 078F18B5

Memory Dump Source

Source File: 0000000D.00000002.1322266371.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_78f0000_gaOQxNyy.jbxd

Similarity

API ID:
String ID: W
API String ID: 0-655174618
Opcode ID: a44d9e06f5bedbc3eead0f078e88535a94b1ba78ec33577c6ec82c249b9ff45d
Instruction ID: 2e7876449a02998296f47257a09c7c5fb8c12576409b74b0f057cc8d4aa6e9fa
Opcode Fuzzy Hash: a44d9e06f5bedbc3eead0f078e88535a94b1ba78ec33577c6ec82c249b9ff45d
Instruction Fuzzy Hash: 3A118B76B0021ADFCB059B64F9088EFBBF6FB98215B10456AE605D6251D6358A06CBA0

Function 078F24C0 Relevance: .6, Instructions: 601COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1322266371.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_78f0000_gaOQxNyy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8f1d753ccb8c3b0f55fd0a3c5a7a2dbfc56ea1e4027a3d8d01e7f28764d98c7
Instruction ID: 0f5039dfa4eb239b7fc5e805e73569420988bcf46555477803094751b9562d6e
Opcode Fuzzy Hash: c8f1d753ccb8c3b0f55fd0a3c5a7a2dbfc56ea1e4027a3d8d01e7f28764d98c7
Instruction Fuzzy Hash: 5E4236B4A00209DFCB14CF68C584AAEBBF2BF58310F558599E909EB361DB34ED45CB90

Function 078F0040 Relevance: .5, Instructions: 548COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1322266371.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_78f0000_gaOQxNyy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0172d1ae58358986a1a151c4cc43b5362a8b01d230de92f048674d7f7a4c5350
Instruction ID: 79ca952835ba3d6b5042ac9d88653ecbc0efa7658ff7b67f7ae3c92c619e2cec
Opcode Fuzzy Hash: 0172d1ae58358986a1a151c4cc43b5362a8b01d230de92f048674d7f7a4c5350
Instruction Fuzzy Hash: 1122E0B1A042458FDB11CF68C980AAEBBF6FF95310F19859AD945DB653C730EC85CBA0

Function 078F9890 Relevance: .5, Instructions: 515COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1322266371.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_78f0000_gaOQxNyy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b60288b34ad915aeef73b22bc8e00ed3699f429d3b08519b553584e42b6a603
Instruction ID: 1e2cf7b30fd8aa7db1c346d0c436721f1fee146fc6529541bfcb2c68adf0a8ab
Opcode Fuzzy Hash: 0b60288b34ad915aeef73b22bc8e00ed3699f429d3b08519b553584e42b6a603
Instruction Fuzzy Hash: 172235B4E01219DFDB15CFA8D484A9DBBB2AF99314F248159E904EB365C730ED82CB90

Function 078F3B30 Relevance: .4, Instructions: 373COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1322266371.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_78f0000_gaOQxNyy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5630b603f7b0785d019db756b0b06edd59ceca8de8ae2c74186f49de3f5b0b69
Instruction ID: 7390ff2cf64a6eb4d1a49e368d84da90d5d28166cd4e52fdc3b0e2763deeb7d8
Opcode Fuzzy Hash: 5630b603f7b0785d019db756b0b06edd59ceca8de8ae2c74186f49de3f5b0b69
Instruction Fuzzy Hash: 2EE158B0E002099FDB15CF68D484AAEBBB2FF99314F248159E945EBB51C730ED46CB91

Function 078F59F8 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1322266371.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_78f0000_gaOQxNyy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53be04d5c6b76972f867b515e2a65ee6005dfea7508270cc106f0d9d1398ef0f
Instruction ID: 4780564791fb312287b570879c7ea4f2c3a45ee816092ba5894559a46affbe2f
Opcode Fuzzy Hash: 53be04d5c6b76972f867b515e2a65ee6005dfea7508270cc106f0d9d1398ef0f
Instruction Fuzzy Hash: 83D1AEB0B01206DFDB14DFA9D484AAEBBF2BF99210F14846AE505DB355DB34DD42CBA0

Function 078F54D0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1322266371.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_78f0000_gaOQxNyy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52a073ce85e692556b9aae452f013fb82cd19f2c04a8da1ae0360cbdc02b799c
Instruction ID: e07150c4635bef0a272936fe6e80acd2ec7adc373337e2788ef4dce84023277a
Opcode Fuzzy Hash: 52a073ce85e692556b9aae452f013fb82cd19f2c04a8da1ae0360cbdc02b799c
Instruction Fuzzy Hash: F5C16BB5A10219EFDB15CF98D484A9EBBB2FF88314F248159E904EB351C735ED92CB90

Function 078F6D80 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1322266371.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_78f0000_gaOQxNyy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0449567570805768e8c247a3a1f5f8f6813f74c208d46e3c079f62c580e61a4
Instruction ID: e820e5d972c58b643e12f03767e4007d54fdb8702214e3ecebb9bbd4f914228e
Opcode Fuzzy Hash: a0449567570805768e8c247a3a1f5f8f6813f74c208d46e3c079f62c580e61a4
Instruction Fuzzy Hash: C3B12874A00219EFDB15CF98D884A9DBBB2FF99314F288159E904EB355D731ED82CB90

Function 078F3698 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1322266371.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_78f0000_gaOQxNyy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5151925d2d9a1baea970465a7566154347876ecfd0664bc7aaecfd1252bbdcff
Instruction ID: 9610a4289ae823ad97cd91bf698a167f7458817572a7ab8d71c5fceb776c58ef
Opcode Fuzzy Hash: 5151925d2d9a1baea970465a7566154347876ecfd0664bc7aaecfd1252bbdcff
Instruction Fuzzy Hash: A7B149B4A10219EFDB15CFA8D484A9DBBB2FF89310F248159E904EB755C735ED82CB90

Function 078FAAB8 Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1322266371.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_78f0000_gaOQxNyy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 610a8760ff2db2885f971015d8ca6686375c1f2de0f6e2aa99b658c1d0bc15ef
Instruction ID: 34044ee66ed373ea842f8a032ea9ffd82e3375d47343a4a2b04860c6f7473a71
Opcode Fuzzy Hash: 610a8760ff2db2885f971015d8ca6686375c1f2de0f6e2aa99b658c1d0bc15ef
Instruction Fuzzy Hash: D691F2B5A0020A9FCB15CFA8C984AEEB7F6FF49320F148569E929D7350E730E950CB51

Function 078F4988 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1322266371.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_78f0000_gaOQxNyy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78a4698d1acd2d58ec8de8465d8fe14d28cad8d9eef86c09777226c03985839b
Instruction ID: 41e755ae8772afa95135a40d76e0a18d8581ddeb9f7fdc4922b86c42957cd893
Opcode Fuzzy Hash: 78a4698d1acd2d58ec8de8465d8fe14d28cad8d9eef86c09777226c03985839b
Instruction Fuzzy Hash: 2A717AB4A002059FDB14DF69D484A9EBBF2FF98300F14856AE909DB361DB31ED46CB90

Function 078F38B9 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1322266371.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_78f0000_gaOQxNyy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dc7e9a8384508836e572b38baaed177f24fcb3cd0734513c4e6e875ef3c5051
Instruction ID: 625c467a71ad9444644b9934e1235e67f72c91415a93ca8af4d09067434f3f8d
Opcode Fuzzy Hash: 3dc7e9a8384508836e572b38baaed177f24fcb3cd0734513c4e6e875ef3c5051
Instruction Fuzzy Hash: 0F51F9B4A00209EFDB15CF94D484A9DBBB2FF89314F24C159E405AB765CB35ED82CB90

Function 07581F1F Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1321540992.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7580000_gaOQxNyy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d40278e3e0644b9e539c3287ef00f7750ceae62c18556b24642bb4f36e483724
Instruction ID: 50b9b374af13a15c54ae767d10866f68c1a26d06854bd97e4aa077d5c90863db
Opcode Fuzzy Hash: d40278e3e0644b9e539c3287ef00f7750ceae62c18556b24642bb4f36e483724
Instruction Fuzzy Hash: 17413AB0E0021A9FDB54DFA9C884AEEBBF2BF88300F148559D515AB355D735E842CBA1

Function 078F2DF0 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1322266371.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_78f0000_gaOQxNyy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b9e1c3da07a6a13a918899c6cb9152fa8fb36c0c81dcac7e0700d0cbf4c7066
Instruction ID: 5abd374a299a410b9cab81d40ed06f618ce7ddee334ac57233a3e55c42611316
Opcode Fuzzy Hash: 6b9e1c3da07a6a13a918899c6cb9152fa8fb36c0c81dcac7e0700d0cbf4c7066
Instruction Fuzzy Hash: 584126B4310640CFC728DF69D484E2AB7EAFF99214B2545A9E646CB772CB31EC81CB50

Function 078F56E7 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1322266371.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_78f0000_gaOQxNyy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9de78528cb6cf713db2bebf7ddaa77b2a6960c63869adca89f709e6cbc108bba
Instruction ID: b24a6c69d6a5cc978e455e0782ef7233a4a6a295bc6ffe1fe4beb2e972d39bdd
Opcode Fuzzy Hash: 9de78528cb6cf713db2bebf7ddaa77b2a6960c63869adca89f709e6cbc108bba
Instruction Fuzzy Hash: F551F874A01209EFDB15CFA8C484A9DFBB2FF98314F288159E405AB365C735ED92CB90

Function 078F6F97 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1322266371.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_78f0000_gaOQxNyy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ecd7fd3f36104c81274eabd13b85228f3fb49778482e579e5ef95caf1f3bc3a
Instruction ID: 9efbe48e95e278e4755e73b65845beedabfde38152ef7a5d01c5e7dbd4db9f9a
Opcode Fuzzy Hash: 6ecd7fd3f36104c81274eabd13b85228f3fb49778482e579e5ef95caf1f3bc3a
Instruction Fuzzy Hash: D151E874A00209EFDB15CF98D884A9DBBF2FF98314F688559E405AB365C736AD82CF50

Function 078F82B0 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1322266371.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_78f0000_gaOQxNyy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 066f8ebcb7bfe52e3c81d69f61d726245906d7acbf05e3d7d1c370fdb5914917
Instruction ID: 56f94e0bc2428270a1868573b2706ba2b4f2555040c91e4e6e3451f8a9614671
Opcode Fuzzy Hash: 066f8ebcb7bfe52e3c81d69f61d726245906d7acbf05e3d7d1c370fdb5914917
Instruction Fuzzy Hash: 0031B2B1B0461A8FCB18DF75D9545BE7BF6FF89200B50416AD50ADB2A1EF30DC058B92

Function 078FEDF6 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1322266371.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_78f0000_gaOQxNyy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3a360221bb2f4748007b5d1a4fab78c6915bbe31297f645c4a868e8bac85146
Instruction ID: 1e4647ac45a71c47bfd9d27e0644838483433a9cc0a547481e97124ca2027c27
Opcode Fuzzy Hash: e3a360221bb2f4748007b5d1a4fab78c6915bbe31297f645c4a868e8bac85146
Instruction Fuzzy Hash: 9B41B271A0A391CFC7125FB4A8591697FB1EF8621171845E7E982CB2A2EB388C45C761

Function 078FEF62 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1322266371.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_78f0000_gaOQxNyy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 954a2f8d7a3444e3570a7d062446da08d52e6947901a47f6a2c1a97d87c5c3bf
Instruction ID: e63f591bcfd545f4aee3ebb3f4eb1665e27d6e13cb2b8fbad58a8a3e80a0ddeb
Opcode Fuzzy Hash: 954a2f8d7a3444e3570a7d062446da08d52e6947901a47f6a2c1a97d87c5c3bf
Instruction Fuzzy Hash: 2231DE71A15111CFDB145FB8E85923D7FB2EB99211B4485A6EA03CB3A4EF38CC42C761

Function 078F3D3B Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1322266371.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_78f0000_gaOQxNyy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1fd1e799527ec6f2761261f3665233a60a7e4a1975f0b2cd356dc9d811c5699
Instruction ID: d6bf8dd7046aa100bd88c8aa8d63d6c15da84c0f4bf64238c4dc592147d396b4
Opcode Fuzzy Hash: b1fd1e799527ec6f2761261f3665233a60a7e4a1975f0b2cd356dc9d811c5699
Instruction Fuzzy Hash: D641D174E01209EFDB05DFA8D584A9DFBB2AF88314F24C159E404AB765CB35ED86CB90

Function 078F9A9B Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1322266371.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_78f0000_gaOQxNyy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 914af0b6d2fe038212f118f0193ddf7a74be55b9704d7fc07eced49c4349cfef
Instruction ID: 348464523be82a935e6510d2aa5faf10e8ef20d0f0e25d5ed6468f21e385d018
Opcode Fuzzy Hash: 914af0b6d2fe038212f118f0193ddf7a74be55b9704d7fc07eced49c4349cfef
Instruction Fuzzy Hash: 1541D474E01209DFDB19CFA8D584A9DFBB2AF88304F24C158E404AB365CB35AD82CB80

Function 078F59E8 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1322266371.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_78f0000_gaOQxNyy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b40de88a08c6d95e4bce3c07dfbf4fa08eef7653219f80bc9caff2491a8d6ff2
Instruction ID: ac7a87def87afaac9396fb5a424036694ca0af8b5671fbb0d86a7b328ed1809e
Opcode Fuzzy Hash: b40de88a08c6d95e4bce3c07dfbf4fa08eef7653219f80bc9caff2491a8d6ff2
Instruction Fuzzy Hash: 50316DB1B01216DFCF05DF69C8806AEBBB6AF89300F1484A9D909EB295D735DC51CBA0

Function 078FD6F8 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1322266371.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_78f0000_gaOQxNyy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95c8e105c3cc5cc06ff519d001f9632d7012eb1ff08bffaf953af5af3f90dc58
Instruction ID: 309356f6021b9ce36724e1d6fdd2e0763528ae50e8967f5b512fdd61cc28c79b
Opcode Fuzzy Hash: 95c8e105c3cc5cc06ff519d001f9632d7012eb1ff08bffaf953af5af3f90dc58
Instruction Fuzzy Hash: 20410574E00218DFDB15DFA5C854AEEBBF2FF88300F10806AE405A7360DB359946DB94

Function 078F4548 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1322266371.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_78f0000_gaOQxNyy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c925b8231dfe5da2769523be4044f62cdace0e046385a9c6f56683fc598acc99
Instruction ID: 4b8f39d47cb0d739c385e6d2b46df5781f22d6c977bfa607f40f871b601f2f8b
Opcode Fuzzy Hash: c925b8231dfe5da2769523be4044f62cdace0e046385a9c6f56683fc598acc99
Instruction Fuzzy Hash: 6121C4717003415FDB249B69E444A57FBE6EFC9224B14847AE60DC7751CA31EC46C750

Function 078FD708 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1322266371.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_78f0000_gaOQxNyy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f45fe37ec00c1c77e75a6847fe091e62cc9b6ff903bdf0d67cef42a4b5db589c
Instruction ID: 2fe6d10ea41a84ea40ecaf40c60ef6c2ab4c3ec7d816e599864c15be091b031b
Opcode Fuzzy Hash: f45fe37ec00c1c77e75a6847fe091e62cc9b6ff903bdf0d67cef42a4b5db589c
Instruction Fuzzy Hash: A331C674E00219DFDB15DFA5C854AEEFBB6FF88300F10806AD405A7360DB359942DB94

Function 078FA609 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1322266371.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_78f0000_gaOQxNyy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9d3d614a6fc9d9b17303774c0a17c3c281ea2057eb31624f615aa9cb9671e6b
Instruction ID: 7b0c1e115eb5d23dbb6aff4956eb4692980456da92690fc5e35591718bdee6a0
Opcode Fuzzy Hash: a9d3d614a6fc9d9b17303774c0a17c3c281ea2057eb31624f615aa9cb9671e6b
Instruction Fuzzy Hash: 57216AB67106008FEB28CF64C88157E77E6EFD4260B28C06AD646D7765DB38ED40C762

Function 078F7DB0 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1322266371.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_78f0000_gaOQxNyy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44e8cb2af8946d52efc528f29ba1849640570a5c9ff80404f6efddde9b164cd2
Instruction ID: e7054fa8aeb4a72daab573915c4ec167d980422c28877587ab1f3f855c648753
Opcode Fuzzy Hash: 44e8cb2af8946d52efc528f29ba1849640570a5c9ff80404f6efddde9b164cd2
Instruction Fuzzy Hash: 0421B275B002159FD745EB69E8405EEB7B2FFC5221B40812BD904DB260DB349D1987A2

Function 078F82A2 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1322266371.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_78f0000_gaOQxNyy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ab13fbdd5dc5547be6b4a88268cf04ba391aa5b19f2ae0dcb313d177cf8465b
Instruction ID: b9e4cb7129a2367aea0a81ad24b8a91aa7d01fe63e531f7eb86a80d9a7f2eee5
Opcode Fuzzy Hash: 2ab13fbdd5dc5547be6b4a88268cf04ba391aa5b19f2ae0dcb313d177cf8465b
Instruction Fuzzy Hash: 552191B1B0061ACFCB58EF65C9808BEBBB6FF89200B504169C506D7361EB30AD01CBD2

Function 078FA618 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1322266371.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_78f0000_gaOQxNyy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 815fd78c7b320dffc681bd6024de15e58e84b237ca4d356e88e4abdf96116770
Instruction ID: 9afd270317362b2a35cb439581e361b80b9b2b9d0417db0760ec5c3d6b6f5327
Opcode Fuzzy Hash: 815fd78c7b320dffc681bd6024de15e58e84b237ca4d356e88e4abdf96116770
Instruction Fuzzy Hash: EF213B767106118FEB28CF65C88157E77E6EFD4260B28C029D606D7764DA38ED80C7A2

Function 0758CF38 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1321540992.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7580000_gaOQxNyy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6143a4fedeaff2279ca0eeba7f7365a6a4a995d88a52e376d3cc0362ce0d44a
Instruction ID: b32e068e8cf8b09c7ed545ef6c060a894d6e50123cd9a7a16c162929b801a21b
Opcode Fuzzy Hash: a6143a4fedeaff2279ca0eeba7f7365a6a4a995d88a52e376d3cc0362ce0d44a
Instruction Fuzzy Hash: 04315EB1600206DFC754DF64C484AAAB7F5FF89314B1444A9E806EB361DB31ED42CB61

Function 078F0007 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1322266371.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_78f0000_gaOQxNyy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9f8437234afe42cdfc31f5b7e24b63bd624fb4cd014da2a31e9adcbdd176aae
Instruction ID: 35a7d38ce09667ae9904701bcd6583972b1da930e1710c440c84f8d3a75a035e
Opcode Fuzzy Hash: c9f8437234afe42cdfc31f5b7e24b63bd624fb4cd014da2a31e9adcbdd176aae
Instruction Fuzzy Hash: 2E215E751093819FC313CB28D894992BFF5EF46260B0A85D7E599CB263D334AD49CBA1

Function 078F3A40 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1322266371.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_78f0000_gaOQxNyy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e80e1f79a989daf1ff0564f7d1a562f0f5fad188492a5ac9e8a7acce62ae8ca7
Instruction ID: 0aab1c0186f712addccf558addb4a240f1358d5a9cafdba3b4e30ad52b72799b
Opcode Fuzzy Hash: e80e1f79a989daf1ff0564f7d1a562f0f5fad188492a5ac9e8a7acce62ae8ca7
Instruction Fuzzy Hash: CA2128B4E0120D9FDB04DFA5D880AEEBBF5FB88310F14816AD914A7390D7359945DFA1

Function 078FF0B6 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1322266371.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_78f0000_gaOQxNyy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ade784e0ba9e70de637d7620dfebbf2f4ba717988a05597827a7b3e51fd400e4
Instruction ID: dcb41c9318031c29fda00afe802ee12134676061d7bff3f5135b7ad6fce54e7a
Opcode Fuzzy Hash: ade784e0ba9e70de637d7620dfebbf2f4ba717988a05597827a7b3e51fd400e4
Instruction Fuzzy Hash: 0C21F3B1909A0ACBDB11CF68CD412BEB7B0FF92309F188527E7A6D6181D378D5A4C716

Function 078FF12C Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1322266371.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_78f0000_gaOQxNyy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c050981db1192e8a2eb18b0210306276d4ffce5145849498090d2a99b5ec5eaf
Instruction ID: cb588653315e2cfe9f4a59b98f7653807de86235b079cb06826eef4c7224ee62
Opcode Fuzzy Hash: c050981db1192e8a2eb18b0210306276d4ffce5145849498090d2a99b5ec5eaf
Instruction Fuzzy Hash: F52190B181490AC7DB21CF69CD412BEB3F0FFA2709F188526E7A6D5180D3B8D5A4C756

Function 078F0702 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1322266371.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_78f0000_gaOQxNyy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1d8cdec126481030d0a047593cd96b2fdb781bebaacb5dff630696db83627c6
Instruction ID: 23c499ea5203f024358a5909275ef3abe950a5e4b12dad7c139b737995317f14
Opcode Fuzzy Hash: f1d8cdec126481030d0a047593cd96b2fdb781bebaacb5dff630696db83627c6
Instruction Fuzzy Hash: DA11A9B4A01206CFC720CF69C644BAABBF5FF44214F0481AAD508CB212E339E945CF90

Function 078FC24A Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1322266371.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_78f0000_gaOQxNyy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f479c6f8b060cb3c5a99c1cbd697517174f33e5bcf5e096b3a856f8801394d51
Instruction ID: 769bfe5ddcad4f1a7420e2e3a814b0c4e7761481ba612316e5c2f726de43ccaa
Opcode Fuzzy Hash: f479c6f8b060cb3c5a99c1cbd697517174f33e5bcf5e096b3a856f8801394d51
Instruction Fuzzy Hash: 0011B170E0464B8FD705EFA8D9512AEBBB0EF45210F1445A6C944EB392EB384A55CB92

Function 078F18B8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1322266371.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_78f0000_gaOQxNyy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dcacece1c6b69128fa6c8fa0773d3f09d662438258a2453363a468a06850bd3
Instruction ID: 85f0a03e4fca28033d936dddb0a7fd879893b2f9b6244422ee129158d7817a21
Opcode Fuzzy Hash: 2dcacece1c6b69128fa6c8fa0773d3f09d662438258a2453363a468a06850bd3
Instruction Fuzzy Hash: 10016D75B0021ADFCB04DFA4E9488AEBBFAFB8C2157108569E605D7210DA359E06CBD0

Function 078F39E8 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1322266371.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_78f0000_gaOQxNyy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43ba93d0a684dec7ffee195b3e72b7d2e10694c851d8eb15da76ad698e029d66
Instruction ID: e7ef0bd602c2073580e881eda6bf509e3e109c90c18db574c6b1c7a116970bfe
Opcode Fuzzy Hash: 43ba93d0a684dec7ffee195b3e72b7d2e10694c851d8eb15da76ad698e029d66
Instruction Fuzzy Hash: 2111E974A00209EFDB05CFA4D884E9DBBB2FF89314F28C158E505AB765C775E982CB90

Function 078F57F4 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1322266371.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_78f0000_gaOQxNyy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 485155036c144ea18389f03e35d397945ee5c854c4b4c06536819d2fd3c650a4
Instruction ID: eee02159e265537fa2cf96a2160c892645910fa4281a2eed8781a6e7501e4e9a
Opcode Fuzzy Hash: 485155036c144ea18389f03e35d397945ee5c854c4b4c06536819d2fd3c650a4
Instruction Fuzzy Hash: 4011FE74A10209EFDB05CF94D884E9DBBB2FF48314F688554E404AB765C775E992CF40

Function 078F709B Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1322266371.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_78f0000_gaOQxNyy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fd256ea591ce1bc32420366298b42723609bd0203d03cd65eff1e053c44b02c
Instruction ID: 2a0976a4a0aaa436912f4c566f9f30e55d4236a691bdc30e835e3352f37d2fd5
Opcode Fuzzy Hash: 5fd256ea591ce1bc32420366298b42723609bd0203d03cd65eff1e053c44b02c
Instruction Fuzzy Hash: A311EC74A00209EFEB05CF94D884E9DBBB2BF89314F688558E504AB365C775A982CF40

Function 078F2DE0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1322266371.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_78f0000_gaOQxNyy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3368749ab8899433ae564a17dfc691d266d5e3d2a1adb7f4d1af6b093c30b57d
Instruction ID: 092bcc567dbac60528cfd4aeb215acf6b84a7c3f00743363ff8ce6a6def6b60b
Opcode Fuzzy Hash: 3368749ab8899433ae564a17dfc691d266d5e3d2a1adb7f4d1af6b093c30b57d
Instruction Fuzzy Hash: AE016276218A509FC724CF29E880D5ABBF9FF89224315069AF24AC7772C731FC508B50

Function 078F43B8 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1322266371.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_78f0000_gaOQxNyy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a179904e676ef29db4285569f769553130ac29a7ae036f81e750f67f00798e82
Instruction ID: 8bc154aaf1b0f6c009dc67e24bfb486da67e7fb9773ac4efcca4495d00649400
Opcode Fuzzy Hash: a179904e676ef29db4285569f769553130ac29a7ae036f81e750f67f00798e82
Instruction Fuzzy Hash: 8CF08CB270421AAB4B14AE59E840CBFB7AEFBC8260314812BE508D7200EA32980597A1

Function 078F3E14 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1322266371.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_78f0000_gaOQxNyy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67a2c3f305a6fac29f8d285fffa0ed4151c0eb746a73474e4fe962fb1396b116
Instruction ID: a7ab3c46e821346489f928d3aa339e6c90b0a6e1ee6fccbcf42801f49dd9751c
Opcode Fuzzy Hash: 67a2c3f305a6fac29f8d285fffa0ed4151c0eb746a73474e4fe962fb1396b116
Instruction Fuzzy Hash: B311E374E01209EFDB05DBA8D484A9DFBF2AF89314F24C159E404AB765C775ED82CB90

Function 078F7D48 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1322266371.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_78f0000_gaOQxNyy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98ead019c5d1c1ddb267570203c8a2a9650774ae3fb69bff2b5c4f867a1160c5
Instruction ID: 46d828197a56d67c1f77f822bb2c2e34eb97046d09fbce10a85145af9694a3d4
Opcode Fuzzy Hash: 98ead019c5d1c1ddb267570203c8a2a9650774ae3fb69bff2b5c4f867a1160c5
Instruction Fuzzy Hash: 62F0A4B27042196F5B14AE59EC40CFFB7EEFBC8230314812BE508D7200EA31DC059790

Function 078F9B74 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1322266371.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_78f0000_gaOQxNyy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e7c53a6c1e9deca33b9db172d9521d0108fa6d5018fa9957d8b9f24695aedb5
Instruction ID: ebeb1046f55b65f8c6eea7d017ad41d67f402d3afea7da2c5849c94db7eff60e
Opcode Fuzzy Hash: 8e7c53a6c1e9deca33b9db172d9521d0108fa6d5018fa9957d8b9f24695aedb5
Instruction Fuzzy Hash: 0011D274E01219EFDB05CBA8D484B9DBBB2AF89314F24C159E404AB365C775AD82CB80

Function 078FC258 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1322266371.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_78f0000_gaOQxNyy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 402461dfd35a08ee608da0ce75b9bdcac221b56215924681994ba189307da47b
Instruction ID: 350730dd3b79ea58ae9073a77a1ddbfb5401f812778a6b48e9082ea006ea6cfe
Opcode Fuzzy Hash: 402461dfd35a08ee608da0ce75b9bdcac221b56215924681994ba189307da47b
Instruction Fuzzy Hash: FF016D70E0020E8FDB04EFA8D9017AEB7B0EF45314F104529C915F7395EB789A41CB91

Function 078F3A3A Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1322266371.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_78f0000_gaOQxNyy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62a7c27373b286027d683bf207f24928a0983e26f9917c661da03e1154c6df5f
Instruction ID: ec5f8ec74f7eaa0097b6b36dc5b6b106ee8d7e193bfd01df844fd23c22263b71
Opcode Fuzzy Hash: 62a7c27373b286027d683bf207f24928a0983e26f9917c661da03e1154c6df5f
Instruction Fuzzy Hash: 980184B9A11108DFCB05CF5AD544AECB7F1FB88314F08816ADD15A7790C7359946CF50

Function 078F2F59 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1322266371.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_78f0000_gaOQxNyy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b774f683b785abfaf629f932cf251c600a871a4c408e11624dbfbbc245f321a
Instruction ID: ae2b03705d13f9dfce1b180371c8c2397c4672950af56b5ff3e66d405baab0f9
Opcode Fuzzy Hash: 4b774f683b785abfaf629f932cf251c600a871a4c408e11624dbfbbc245f321a
Instruction Fuzzy Hash: 48F09035304A54AFC309D728E884D5A7BE9FF8E6347214196E509CB762CA61EC418BE1

Function 078FA6F0 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1322266371.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_78f0000_gaOQxNyy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ae711f72f272f1a38456e387f810fd8a5a05b43031d7cd065242cb6b8300281
Instruction ID: 1923185e8c7b5af96490dd0d7310510f55478acb05796c83f4bee068c0500b4f
Opcode Fuzzy Hash: 2ae711f72f272f1a38456e387f810fd8a5a05b43031d7cd065242cb6b8300281
Instruction Fuzzy Hash: 72F0C871A106049FC711EB6DE8448DEBBB5EFD6310701416BD54497321D7315D06CBA2

Function 07585F43 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1321540992.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7580000_gaOQxNyy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47f342594040950a98c09f7433fc96c2397808bf3d14d2853fe179ebca290b35
Instruction ID: 13654591f1476b0d321ce38015930e8519103389a9350f42d2e7d86bd3c38a76
Opcode Fuzzy Hash: 47f342594040950a98c09f7433fc96c2397808bf3d14d2853fe179ebca290b35
Instruction Fuzzy Hash: 03F046B67006006FD228EB69E450AAE73EBEBC8500754852DD00A9FB14EF34ED0387A1

Function 07585F50 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1321540992.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7580000_gaOQxNyy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce698c5e5f5d9f3592fb73875cad5bcfa95285f55c45cf0c634dff37058d6778
Instruction ID: 787fbe66968d64e0ef003e20e4da6966752ba2083c5a10d5750255584b403213
Opcode Fuzzy Hash: ce698c5e5f5d9f3592fb73875cad5bcfa95285f55c45cf0c634dff37058d6778
Instruction Fuzzy Hash: 7EF0F0727006016FD228EB2AE45096F73EBEBC9510354852DD00A9BB14EF34ED0787E1

Function 078F8DF9 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1322266371.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_78f0000_gaOQxNyy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 314d8b25dcdc801e1f80de3c93795335e951a2510ff43041e71529aa56043e25
Instruction ID: 20f3ba5f4fb5176e4af60b22d5dce20ea453d5b4aea9153865807d2c748d409e
Opcode Fuzzy Hash: 314d8b25dcdc801e1f80de3c93795335e951a2510ff43041e71529aa56043e25
Instruction Fuzzy Hash: 4FF0A7713087411BD3151A396C50B97AB6AEFD5260F15466EE184876D1DD215C8283A5

Function 07588F20 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1321540992.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7580000_gaOQxNyy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4e47e7e1c2ec1c52899f20219e3f8c1352ea847a36a23140fd2b914ee63bd57
Instruction ID: e178a9f0fecee06b8b0b63c9b5d0c933bb9562187adccb4af4726b84b0eb744e
Opcode Fuzzy Hash: f4e47e7e1c2ec1c52899f20219e3f8c1352ea847a36a23140fd2b914ee63bd57
Instruction Fuzzy Hash: 4BF037722041E93F8B564E9B5C10CFF7FEDDA9E5627094066FE98D2241C439CD219BB0

Function 078F2F68 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1322266371.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_78f0000_gaOQxNyy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64cac1417391885eb922f761c68bc5446b60e2ea3f7a05ca50c98de1cba4120b
Instruction ID: 2f2cc12983d371553b6c62bddc413933d2bc7fa566dc0ff8e3b5bd6a529c214b
Opcode Fuzzy Hash: 64cac1417391885eb922f761c68bc5446b60e2ea3f7a05ca50c98de1cba4120b
Instruction Fuzzy Hash: 6FF01C75310A149FC708D66DD884D1A77EEEBCDB647218165E509CB761CA71EC018BD1

Function 078FD828 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1322266371.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_78f0000_gaOQxNyy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa8db1dbb91f3a6acc46dd434117cb4b236287adc12f8fb1d39894d22623b191
Instruction ID: f295a5c60aaf97d3e03bd14f42489305eb665a7ddaa9fb63102c7ef1034b2128
Opcode Fuzzy Hash: fa8db1dbb91f3a6acc46dd434117cb4b236287adc12f8fb1d39894d22623b191
Instruction Fuzzy Hash: 5DF0B4B2E09348EFDF228BB4D8506DDBF31EF95201F14009AE2499B620D635A957D760

Function 078F7FDA Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1322266371.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_78f0000_gaOQxNyy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a96d3d8a2584428c3777ed7dc3a9784015e9d1baf1d585627799f0c587122ef
Instruction ID: 3300c0f0213283863f587a9ce26044dc1b5434bb7c6471c7f1d50d96447580bd
Opcode Fuzzy Hash: 1a96d3d8a2584428c3777ed7dc3a9784015e9d1baf1d585627799f0c587122ef
Instruction Fuzzy Hash: 2BD05B767002905FC7158B68F4048AEFBE7DBC4164308856EF5AA97B05C724EC42D790

Function 078FA5E0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1322266371.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_78f0000_gaOQxNyy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c3310b62d35ca87d86f5cd1662c7bfbf6ed290324b024129076d21b708fcfad
Instruction ID: bcf90fac0abb7fba13e3083e656952397d6a466dd32f2f6e05164675e40620f9
Opcode Fuzzy Hash: 6c3310b62d35ca87d86f5cd1662c7bfbf6ed290324b024129076d21b708fcfad
Instruction Fuzzy Hash: BEE05E34188641CFD3029F18C8019D53BB1FF29B11B0181EAE988CB363D736AC12C7A1

Function 078FF182 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1322266371.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_78f0000_gaOQxNyy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be4d71e5d781cce58a51a23823911425d5a9179da5452d23e497d8b67373319d
Instruction ID: 518d88b7e1be7ad66b5b902975fdfe27b47632d8b171b7156a8815822be538f7
Opcode Fuzzy Hash: be4d71e5d781cce58a51a23823911425d5a9179da5452d23e497d8b67373319d
Instruction Fuzzy Hash: 1BD05EA170574ACFEB2A8F26CC104D437B8BF136203900793CB72C66E3DB2A8995C311

Function 078FA5B8 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1322266371.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_78f0000_gaOQxNyy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4697563c4a5ea83c965d7cc4a1ac961df7e58fba13b4a72282d4b27396ea2ab
Instruction ID: 445c0636e3e9d1511616cb28974158d32848646f0de63a09e5c801f98d2112d8
Opcode Fuzzy Hash: a4697563c4a5ea83c965d7cc4a1ac961df7e58fba13b4a72282d4b27396ea2ab
Instruction Fuzzy Hash: BED0A715019BC58AD3023B388411044BF30EE1760CB0549C3C2C09A113EB105578D353

Function 078FA5F0 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1322266371.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_78f0000_gaOQxNyy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d6f2623337c38ef8749255ff78b3cbedb78fba73e040c9434c39499d8169e63
Instruction ID: 61412fa5721fa0801f19765b42d0f6ac58f054d2697597a3f249e516f761f0d5
Opcode Fuzzy Hash: 1d6f2623337c38ef8749255ff78b3cbedb78fba73e040c9434c39499d8169e63
Instruction Fuzzy Hash: 87C00235140108AFC740DF55D445D95BBA9EB59660B1180A1F9484B722C632E9119A90

Function 078FEFF2 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1322266371.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_78f0000_gaOQxNyy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a14c7293589a305e9c76ff8df75b6a2f570ba87be71f92b3352b30a6a5c223a
Instruction ID: 6ccf8394081efac466efbdf8acfa222fc52a39899398bd6d1af30a422790ee9f
Opcode Fuzzy Hash: 7a14c7293589a305e9c76ff8df75b6a2f570ba87be71f92b3352b30a6a5c223a
Instruction Fuzzy Hash: B4D0C96040E7868FDB078B2184192443F647F46325FAA46EA81608A1E2DA2909058712

Function 07580F00 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1321540992.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7580000_gaOQxNyy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b8cd8e96638b2790d10450b665c060943570aaa1c726ba7c061ba9a8d66caa3
Instruction ID: 6b80b3b35d155cad7614c000a4baf22e2f689dde40af81555c760905b4efdc66
Opcode Fuzzy Hash: 4b8cd8e96638b2790d10450b665c060943570aaa1c726ba7c061ba9a8d66caa3
Instruction Fuzzy Hash: 73B0123044030E8FC5007F51F805954336CEB401187408124A11C095055E6DAC49D6C5

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report HALKBANK EKSTRE.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: MassLogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\HALKBANK EKSTRE.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\gaOQxNyy.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3gr2isbp.sik.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_adpoy34r.410.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bbsb3go1.xvl.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_d4yjprsz.2is.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hf5nbjjl.xgg.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_p5zxkijf.3w0.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uqorsyal.xdy.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_z2zmz2n0.wkz.ps1

C:\Users\user\AppData\Local\Temp\tmp93F7.tmp

Windows Analysis Report
HALKBANK EKSTRE.exe

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre