IOC Report

Files

File Path | Type | Category | Verdict
Halkbank.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | initial sample | malicious
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Halkbank.exe.log | ASCII text, with CRLF line terminators | dropped | malicious
C:\Windows\System32\drivers\etc\hosts | ASCII text, with CRLF line terminators | modified | malicious
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_RegSvcs.exe_6e42c2ecbe67857e042102e8f977834d8ccb729_75d5926b_11ee2609\Report.wer | Little-endian UTF-16 Unicode text, with CRLF line terminators | dropped | clean
C:\ProgramData\Microsoft\Windows\WER\Temp\WER819B.tmp.dmp | Mini DuMP crash report, 15 streams, Fri Nov 26 02:49:06 2021, 0x1205a4 type | dropped | clean
C:\ProgramData\Microsoft\Windows\WER\Temp\WER993B.tmp.WERInternalMetadata.xml | XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators | dropped | clean
C:\ProgramData\Microsoft\Windows\WER\Temp\WER9D53.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped | clean
C:\Windows\appcompat\Programs\Amcache.hve | MS Windows registry file, NT/2000 or above | dropped | clean
C:\Windows\appcompat\Programs\Amcache.hve.LOG1 | MS Windows registry file, NT/2000 or above | dropped | clean
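
Of the three entries rated malicious, Halkbank.exe.log under CLR_v4.0_32\UsageLogs is an execution artefact rather than a payload: the .NET runtime writes these usage logs for managed executables it runs, so the file confirms that the sample executed under the 32-bit v4 CLR and nothing more. The WER and Amcache entries, correctly rated clean, are the operating system recording the crash of RegSvcs.exe and the execution of the binaries, and are useful as forensic evidence of execution. The hosts modification is the one change that persists and affects other software, and the report does not show what was written. The check below is an added example, not part of the sandbox report: it parses a Windows hosts file and classifies every active entry, since a stock Windows hosts file contains only comments. The file content is constructed (RFC 2606 names, an RFC 5737 address) because the real entries are not in the report.

```python
import ipaddress

# Constructed sample: the report only records that the sample modified
# C:\Windows\System32\drivers\etc\hosts. The two active entries below are
# invented (RFC 2606 reserved names, RFC 5737 documentation address).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
#    127.0.0.1       localhost
#    ::1             localhost
0.0.0.0   updates.vendor.example   # constructed: blocks a hypothetical update host
203.0.113.7    login.bank.example www.bank.example
"""


def parse_hosts(text):
    """Return the active (non-comment) entries as (ip, [names]) pairs."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments, including inline ones
        if not line:
            continue
        ip, *names = line.split()
        if names:
            entries.append((ip, names))
    return entries


def audit_hosts(text):
    """Classify every active entry. A stock Windows hosts file has none, so each
    active line is a finding; the kind tells the analyst what the entry does."""
    findings = []
    for ip, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append(("malformed", ip, " ".join(names)))
            continue
        for name in names:
            if name.lower() in ("localhost", "localhost.localdomain"):
                continue                              # harmless self-mapping
            if addr.is_loopback or addr.is_unspecified:
                # name is pointed at the machine itself: typical for blocking
                # security-vendor or update hosts
                findings.append(("blackhole", ip, name))
            else:
                # name is pointed at another host: pharming / credential capture
                findings.append(("redirect", ip, name))
    return findings


if __name__ == "__main__":
    for kind, ip, name in audit_hosts(SAMPLE_HOSTS):
        print(f"{kind:10} {ip:16} {name}")
```

On a live host the same function can be fed the contents of %SystemRoot%\System32\drivers\etc\hosts; any "redirect" finding for a banking or login hostname is the case to treat as an incident, while "blackhole" entries for vendor update hosts are the usual sign of defence evasion.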

Processes

Path | Cmdline | Verdict
C:\Users\user\Desktop\Halkbank.exe | "C:\Users\user\Desktop\Halkbank.exe" | malicious
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | malicious
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 5972 -s 1476 | malicious
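
RegSvcs.exe is the .NET Services Installation Tool. It expects an assembly path and does nothing useful when started with no arguments, so a bare RegSvcs.exe command line spawned by an executable on the user's Desktop is the classic shape of process hollowing: the parent starts a signed framework utility and replaces its image in memory. The WerFault.exe line corroborates it: -p 5972 is the PID of the crashing process, and the WER report in the Files table is named AppCrash_RegSvcs.exe, so the RegSvcs.exe instance faulted during the run, which is consistent with an injected payload (the report does not say what was injected). The detection logic below is an added example, not the sandbox's own; it runs over a constructed process-creation event stream in which only PID 5972 is taken from the report, and the list of .NET utilities it watches is an assumption based on common hollowing targets.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Signed .NET framework utilities that are routinely used as hollowing targets:
# present on every machine, living under %WINDIR%, and exiting quietly when run
# with no arguments, which is never how they are used legitimately. (Assumed list.)
DOTNET_HOST_BINARIES = {"regsvcs.exe", "regasm.exe", "installutil.exe",
                        "msbuild.exe", "aspnet_compiler.exe", "applaunch.exe"}
USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
WERFAULT_PID = re.compile(r"(?:^|\s)-p\s+(\d+)")


def argv_tail(cmdline):
    """Everything after the first token (quoted or bare), i.e. the arguments."""
    m = re.match(r'\s*(?:"[^"]*"|\S+)\s*(.*)$', cmdline)
    return m.group(1).strip() if m else ""


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def analyse(events):
    """Return (pid, kind, reason) alerts for argument-less .NET host binaries
    and for WerFault crash reports that refer back to one of them."""
    by_pid = {e.pid: e for e in events}
    alerts, flagged = [], set()
    for e in events:
        if basename(e.image) in DOTNET_HOST_BINARIES and argv_tail(e.cmdline) == "":
            reason = f"{basename(e.image)} started with no arguments"
            parent = by_pid.get(e.ppid)
            if parent and any(m in parent.image.lower() for m in USER_WRITABLE_MARKERS):
                reason += f"; parent {parent.image} runs from a user-writable path"
            alerts.append((e.pid, "probable process hollowing target", reason))
            flagged.add(e.pid)
    for e in events:
        if basename(e.image) == "werfault.exe":
            m = WERFAULT_PID.search(e.cmdline)
            if m and int(m.group(1)) in flagged:
                alerts.append((int(m.group(1)), "crash of flagged process",
                               f"WerFault.exe reported a crash of pid {m.group(1)}"))
    return alerts


# Constructed event stream built from the three processes in the report.
# PID 5972 comes from the WerFault.exe command line; all other PIDs are invented.
SAMPLE_EVENTS = [
    ProcEvent(4120, 3008, r"C:\Users\user\Desktop\Halkbank.exe",
              r'"C:\Users\user\Desktop\Halkbank.exe"'),
    ProcEvent(5972, 4120, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"),
    ProcEvent(6244, 5972, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 5972 -s 1476"),
]

if __name__ == "__main__":
    for pid, kind, why in analyse(SAMPLE_EVENTS):
        print(pid, kind, why)
```

The same two rules map directly onto Sysmon event ID 1 (Image, ParentImage, CommandLine, ProcessId) or Windows Security event 4688; the WerFault correlation is what turns a single suspicious launch into a higher-confidence alert without needing memory access.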

URLs

Name | IP | Verdict
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005 | unknown | clean
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier | unknown | clean
http://127.0.0.1:HTTP/1.1 | unknown | clean
http://DynDns.comDynDNS | unknown | clean
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o | unknown | clean
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid | unknown | clean
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200 | unknown | clean
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | unknown | clean
http://OGxUTf.com | unknown | clean
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o | unknown | clean
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone | unknown | clean
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone | unknown | clean
https://api.ipify.org%GETMozilla/5.0 | unknown | clean
http://upx.sf.net | unknown | clean
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince | unknown | clean
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/ | unknown | clean
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | unknown | clean
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20 | unknown | clean
https://api.ipify.org% | unknown | clean
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | unknown | clean
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/ | unknown | clean
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication | unknown | clean
12 further URLs are not shown.
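
Every entry here is a string-scan hit, not an observed connection (the IP column is unknown throughout), and several are two strings run together, with the line cut at 100 characters. The schemas.xmlsoap.org/ws/2005/05/identity/claims/* URIs are the System.Security.Claims.ClaimTypes constants of the .NET framework and turn up in the memory of any .NET process; http://upx.sf.net is the banner UPX leaves in every file it packs. What remains after discarding that noise deserves a second look even though the sandbox rates it clean: api.ipify.org (external IP lookup), a Tor Browser bundle download URL on theonionrouter.com, a DynDNS reference and OGxUTf.com. The triage function below is an added example and not the sandbox's logic: it splits fused hits at each scheme start and groups the extracted hosts; the noise list is an assumption for this report. Hostnames fused without a scheme boundary (DynDns.comDynDNS) cannot be split automatically and come out as one host for manual review.

```python
import re

# Hosts whose strings appear in the memory of any .NET process (ClaimTypes URIs)
# or inside any UPX-packed file. Assumed noise list for this report.
FRAMEWORK_NOISE = {"schemas.xmlsoap.org", "upx.sf.net"}
SCHEME = re.compile(r"https?://", re.IGNORECASE)
HOST_AFTER_SCHEME = re.compile(r"^https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def split_fused(s):
    """Split a string-scan hit at every scheme start. Whatever sits between two
    URLs (the stray letter in '...dateofbirthrhttp://...') stays attached to the
    first piece's path, which does not affect the host extracted from it."""
    starts = [m.start() for m in SCHEME.finditer(s)]
    return [s[a:b] for a, b in zip(starts, starts[1:] + [len(s)])]


def triage(raw_hits):
    """Group hosts into framework noise vs. ones worth review, and list the raw
    hits that contained more than one URL (a sign of concatenated strings)."""
    noise, review, fused = set(), set(), []
    for hit in raw_hits:
        pieces = split_fused(hit)
        if len(pieces) > 1:
            fused.append(hit)
        for piece in pieces:
            m = HOST_AFTER_SCHEME.match(piece)
            if not m:
                continue
            # The host regex stops at the first character that cannot be part of a
            # hostname, so 'api.ipify.org%GET...' yields 'api.ipify.org'.
            host = m.group(1).lower().rstrip(".")
            (noise if host in FRAMEWORK_NOISE else review).add(host)
    return {"noise": sorted(noise), "review": sorted(review), "fused": fused}


# The URL strings as they appear in the report (some cut off at 100 characters).
REPORT_URLS = [
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
    "http://127.0.0.1:HTTP/1.1",
    "http://DynDns.comDynDNS",
    "https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha",
    "http://OGxUTf.com",
    "https://api.ipify.org%GETMozilla/5.0",
    "http://upx.sf.net",
    "https://api.ipify.org%",
]

if __name__ == "__main__":
    result = triage(REPORT_URLS)
    print("noise :", result["noise"])
    print("review:", result["review"])
    print("fused :", len(result["fused"]), "hit(s) contained more than one URL")
```

The "review" list is what goes into a network hunt; the "noise" list is what keeps a .NET sample from drowning the analyst in framework URIs, and it should be extended per environment rather than hard-coded.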

Registry

Path | Value | Verdict
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags | AmiHivePermissionsCorrect | clean
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags | AmiHiveOwnerCorrect | clean
\REGISTRY\A\{c86b5116-84b6-6088-3e22-7c320b9c4ebe}\Root\InventoryApplicationFile\regsvcs.exe|4ad59aea | ProgramId | clean
\REGISTRY\A\{c86b5116-84b6-6088-3e22-7c320b9c4ebe}\Root\InventoryApplicationFile\regsvcs.exe|4ad59aea | FileId | clean
\REGISTRY\A\{c86b5116-84b6-6088-3e22-7c320b9c4ebe}\Root\InventoryApplicationFile\regsvcs.exe|4ad59aea | LowerCaseLongPath | clean
\REGISTRY\A\{c86b5116-84b6-6088-3e22-7c320b9c4ebe}\Root\InventoryApplicationFile\regsvcs.exe|4ad59aea | LongPathHash | clean
\REGISTRY\A\{c86b5116-84b6-6088-3e22-7c320b9c4ebe}\Root\InventoryApplicationFile\regsvcs.exe|4ad59aea | Name | clean
\REGISTRY\A\{c86b5116-84b6-6088-3e22-7c320b9c4ebe}\Root\InventoryApplicationFile\regsvcs.exe|4ad59aea | Publisher | clean
\REGISTRY\A\{c86b5116-84b6-6088-3e22-7c320b9c4ebe}\Root\InventoryApplicationFile\regsvcs.exe|4ad59aea | Version | clean
\REGISTRY\A\{c86b5116-84b6-6088-3e22-7c320b9c4ebe}\Root\InventoryApplicationFile\regsvcs.exe|4ad59aea | BinFileVersion | clean
\REGISTRY\A\{c86b5116-84b6-6088-3e22-7c320b9c4ebe}\Root\InventoryApplicationFile\regsvcs.exe|4ad59aea | BinaryType | clean
\REGISTRY\A\{c86b5116-84b6-6088-3e22-7c320b9c4ebe}\Root\InventoryApplicationFile\regsvcs.exe|4ad59aea | ProductName | clean
\REGISTRY\A\{c86b5116-84b6-6088-3e22-7c320b9c4ebe}\Root\InventoryApplicationFile\regsvcs.exe|4ad59aea | ProductVersion | clean
\REGISTRY\A\{c86b5116-84b6-6088-3e22-7c320b9c4ebe}\Root\InventoryApplicationFile\regsvcs.exe|4ad59aea | LinkDate | clean
\REGISTRY\A\{c86b5116-84b6-6088-3e22-7c320b9c4ebe}\Root\InventoryApplicationFile\regsvcs.exe|4ad59aea | BinProductVersion | clean
\REGISTRY\A\{c86b5116-84b6-6088-3e22-7c320b9c4ebe}\Root\InventoryApplicationFile\regsvcs.exe|4ad59aea | Size | clean
\REGISTRY\A\{c86b5116-84b6-6088-3e22-7c320b9c4ebe}\Root\InventoryApplicationFile\regsvcs.exe|4ad59aea | Language | clean
\REGISTRY\A\{c86b5116-84b6-6088-3e22-7c320b9c4ebe}\Root\InventoryApplicationFile\regsvcs.exe|4ad59aea | IsPeFile | clean
\REGISTRY\A\{c86b5116-84b6-6088-3e22-7c320b9c4ebe}\Root\InventoryApplicationFile\regsvcs.exe|4ad59aea | IsOsComponent | clean
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\Windows Error Reporting\Debug | ExceptionRecord | clean
HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363} | DeviceTicket | clean
HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363} | DeviceId | clean
HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363} | ApplicationFlags | clean
HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Property | 0018800453F4626F | clean
14 further registry entries are not shown.

Memdumps

Base Address | Region type | Protection | Verdict
2E21000 | unknown | page read and write | malicious
3DA9000 | unknown | page read and write | malicious
5780000 | unknown | page read and write | malicious
2DA1000 | unknown | page read and write | malicious
402000 | unknown | page execute and read and write | malicious
2DD5000 | unknown | page read and write | malicious
402000 | unknown | page execute and read and write | malicious
2E21000 | unknown | page read and write | malicious
2ED8000 | unknown | page read and write | malicious
402000 | unknown | page execute and read and write | malicious
402000 | unknown | page execute and read and write | malicious
2E21000 | unknown | page read and write | malicious
402000 | unknown | page execute and read and write | malicious
402000 | unknown | page execute and read and write | malicious
2ED8000 | unknown | page read and write | malicious
402000 | unknown | page execute and read and write | malicious
2ED8000 | unknown | page read and write | malicious
7DF47D090000 | unknown image | page readonly | clean
5245000 | unknown | page read and write | clean
52AE000 | unknown | page read and write | clean
BD0000 | stack | page read and write | 
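
Seven of the seventeen dumps rated malicious are the same region: base 0x402000, not image-backed, with execute, read and write protection. For a .NET executable at the default 0x400000 image base, 0x402000 is the usual start of its .text section, so a non-image RWX region there, dumped again and again, is what a process whose mapped image has been overwritten looks like, consistent with the RegSvcs.exe hollowing suggested by the process list. The remaining malicious regions are read/write only: data, not code, and second in line for a code-focused triage. The helper below is an added example, not part of the sandbox output: it parses the listing in the report's own four-lines-per-region layout, corrects the report's "unkown" spelling, collapses repeated bases and tolerates the truncated last record, whose verdict line is missing. The embedded input is an excerpt of the table above.

```python
from collections import defaultdict

# Excerpt of the report's memdump listing in its four-lines-per-region layout
# (base, region type, protection, verdict). The last region is cut off in the
# report, so its verdict line is absent here as well.
MEMDUMP_TEXT = """\
2E21000
unkown
page read and write
malicious
402000
unkown
page execute and read and write
malicious
2E21000
unkown
page read and write
malicious
402000
unkown
page execute and read and write
malicious
2ED8000
unkown
page read and write
malicious
7DF47D090000
unkown image
page readonly
clean
5245000
unkown
page read and write
clean
BD0000
stack
page read and write
"""


def parse_memdumps(text):
    """Turn the flattened listing into records; tolerate a truncated last record."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    records = []
    for i in range(0, len(lines), 4):
        chunk = lines[i:i + 4]
        if len(chunk) < 3:
            continue                                   # not enough of a record to use
        chunk += [None] * (4 - len(chunk))             # truncated tail: verdict unknown
        base, rtype, protect, verdict = chunk
        rtype = rtype.replace("unkown", "unknown")     # the report's spelling
        records.append({
            "base": int(base, 16),
            "type": rtype,
            "protect": protect,
            "wx": "execute" in protect and "write" in protect,
            "verdict": verdict,
        })
    return records


def summarise(records):
    """Collapse repeated dumps of the same base address into one entry."""
    by_base = defaultdict(lambda: {"count": 0, "verdicts": set()})
    for r in records:
        s = by_base[r["base"]]
        s.update(type=r["type"], protect=r["protect"], wx=r["wx"])
        s["count"] += 1
        s["verdicts"].add(r["verdict"])
    return dict(by_base)


def injected_code_candidates(summary):
    """Writable+executable regions not backed by an image: where unpacked or
    injected code ends up. Returned sorted by base address."""
    return sorted(b for b, s in summary.items() if s["wx"] and "image" not in s["type"])


if __name__ == "__main__":
    summary = summarise(parse_memdumps(MEMDUMP_TEXT))
    for base, s in sorted(summary.items()):
        print(f"{base:#014x} x{s['count']} {s['type']:14} {s['protect']:32} wx={s['wx']}")
    print("candidates:", [f"{b:#x}" for b in injected_code_candidates(summary)])
```

The candidate list is the set of dumps to carve first: each 0x402000 dump is a copy of whatever was written over the host's code section, and comparing them shows whether the payload changed between dumps or is the same image each time.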