Source: Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000000.00000002.931476656.0000000002A61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.810240160.0000000004A6E000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000000.00000002.931476656.0000000002A61000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://cdn.discordapp.com |
Source: Halkbank_Ekstre_20220128_081138_756957 (1).exe, verify.exe.0.dr |
String found in binary or memory: https://cdn.discordapp.com/attachments/913584216825028612/936582704412110848/Cszji.jpg |
Source: Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000000.00000002.935430367.0000000005FA0000.00000004.08000000.00040000.00000000.sdmp, Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000000.00000002.933451281.0000000003C48000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000000.00000002.932856682.0000000003B49000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://github.com/mgravell/protobuf-net |
Source: Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000000.00000002.935430367.0000000005FA0000.00000004.08000000.00040000.00000000.sdmp, Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000000.00000002.933451281.0000000003C48000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000000.00000002.932856682.0000000003B49000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://github.com/mgravell/protobuf-netJ |
Source: Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000000.00000002.935430367.0000000005FA0000.00000004.08000000.00040000.00000000.sdmp, Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000000.00000002.933451281.0000000003C48000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000000.00000002.932856682.0000000003B49000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://github.com/mgravell/protobuf-neti |
Source: Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000000.00000002.935430367.0000000005FA0000.00000004.08000000.00040000.00000000.sdmp, Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000000.00000002.933451281.0000000003C48000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000000.00000002.932856682.0000000003B49000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://stackoverflow.com/q/11564914/23354; |
Source: Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000000.00000002.935430367.0000000005FA0000.00000004.08000000.00040000.00000000.sdmp, Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000000.00000002.931638980.0000000002AA7000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000000.00000002.933451281.0000000003C48000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000000.00000002.932856682.0000000003B49000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://stackoverflow.com/q/14436606/23354 |
Source: Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000000.00000002.935430367.0000000005FA0000.00000004.08000000.00040000.00000000.sdmp, Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000000.00000002.933451281.0000000003C48000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000000.00000002.932856682.0000000003B49000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://stackoverflow.com/q/2152978/23354 |
Source: 17.2.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 17.2.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.6.unpack, type: UNPACKEDPE |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.6.unpack, type: UNPACKEDPE |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 17.2.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 17.2.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.8.raw.unpack, type: UNPACKEDPE |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.8.raw.unpack, type: UNPACKEDPE |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.4.unpack, type: UNPACKEDPE |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.4.unpack, type: UNPACKEDPE |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.6.raw.unpack, type: UNPACKEDPE |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.6.raw.unpack, type: UNPACKEDPE |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.8.unpack, type: UNPACKEDPE |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.8.unpack, type: UNPACKEDPE |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000011.00000000.929078210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000011.00000000.929078210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000000.00000002.933873934.0000000003CE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000000.00000002.933873934.0000000003CE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000011.00000002.935638982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000011.00000002.935638982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000000.00000002.934742685.0000000003E87000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000000.00000002.934742685.0000000003E87000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000000.00000002.932614500.0000000003A69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000000.00000002.932614500.0000000003A69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000011.00000002.935785039.00000000010D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000011.00000002.935785039.00000000010D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000011.00000000.929441630.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000011.00000000.929441630.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000000.00000002.934643233.0000000003E37000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000000.00000002.934643233.0000000003E37000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: Halkbank_Ekstre_20220128_081138_756957 (1).exe, type: SAMPLE |
Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score = |
Source: 0.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.750000.0.unpack, type: UNPACKEDPE |
Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score = |
Source: 17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.b50000.9.unpack, type: UNPACKEDPE |
Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score = |
Source: 17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.b50000.1.unpack, type: UNPACKEDPE |
Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score = |
Source: 0.2.Halkbank_Ekstre_20220128_081138_756957 (1).exe.750000.0.unpack, type: UNPACKEDPE |
Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score = |
Source: 17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.b50000.0.unpack, type: UNPACKEDPE |
Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score = |
Source: 17.2.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 17.2.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 17.2.Halkbank_Ekstre_20220128_081138_756957 (1).exe.b50000.1.unpack, type: UNPACKEDPE |
Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score = |
Source: 17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.b50000.7.unpack, type: UNPACKEDPE |
Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score = |
Source: 17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.6.unpack, type: UNPACKEDPE |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.6.unpack, type: UNPACKEDPE |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 17.2.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 17.2.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.b50000.5.unpack, type: UNPACKEDPE |
Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score = |
Source: 17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.b50000.3.unpack, type: UNPACKEDPE |
Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score = |
Source: 17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.b50000.2.unpack, type: UNPACKEDPE |
Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score = |
Source: 17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.8.raw.unpack, type: UNPACKEDPE |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.8.raw.unpack, type: UNPACKEDPE |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.4.unpack, type: UNPACKEDPE |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.4.unpack, type: UNPACKEDPE |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.6.raw.unpack, type: UNPACKEDPE |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.6.raw.unpack, type: UNPACKEDPE |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.8.unpack, type: UNPACKEDPE |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.8.unpack, type: UNPACKEDPE |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000011.00000000.929078210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000011.00000000.929078210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000000.00000002.933873934.0000000003CE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000000.00000002.933873934.0000000003CE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000011.00000002.935638982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000011.00000002.935638982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000000.00000002.934742685.0000000003E87000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000000.00000002.934742685.0000000003E87000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000000.00000002.932614500.0000000003A69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000000.00000002.932614500.0000000003A69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000011.00000002.935785039.00000000010D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000011.00000002.935785039.00000000010D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000011.00000000.929441630.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000011.00000000.929441630.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000000.00000002.934643233.0000000003E37000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000000.00000002.934643233.0000000003E37000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: Process Memory Space: powershell.exe PID: 4744, type: MEMORYSTR |
Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file, modified = 2021-09-28 |
Source: C:\Users\user\AppData\Local\verify.exe, type: DROPPED |
Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score = |
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Code function: 0_2_00E61539 |
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Code function: 0_2_05DB0F18 |
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Code function: 0_2_05DB0162 |
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Code function: 0_2_05DB0040 |
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Code function: 0_2_05DB045B |
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Code function: 0_2_05DB0FDA |
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Code function: 0_2_05DB6720 |
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Code function: 0_2_05DB0950 |
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Code function: 0_2_05DB085B |
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Code function: 0_2_05DB13D0 |
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Code function: 0_2_05E97480 |
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Code function: 0_2_05E9B438 |
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Code function: 0_2_05E9F628 |
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Code function: 0_2_05E9E880 |
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Code function: 0_2_05E9E03C |
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Code function: 0_2_05E9C4B8 |
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Code function: 0_2_05E9B768 |
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Code function: 0_2_00E65DE6 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Code function: 1_2_005B5D68 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Code function: 1_2_005B1698 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Code function: 1_2_005B1690 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Code function: 1_2_005BD78B |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Code function: 1_2_005EC2E8 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Code function: 1_2_005E94BB |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Code function: 1_2_005E9AF8 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Code function: 1_2_005EAF10 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Code function: 1_2_005EA772 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Code function: 1_2_076C3330 |
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Code function: 17_2_0041D052 |
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Code function: 17_2_0040102A |
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Code function: 17_2_00401030 |
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Code function: 17_2_0041B8D3 |
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Code function: 17_2_0041C174 |
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Code function: 17_2_0041C9FB |
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Code function: 17_2_0041C22A |
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Code function: 17_2_0041CC5B |
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Code function: 17_2_00408C80 |
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Code function: 17_2_00402D87 |
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Code function: 17_2_00402D90 |
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Code function: 17_2_0041C59C |
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Code function: 17_2_0041C6C5 |
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Code function: 17_2_0041BEC7 |
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Code function: 17_2_00402FB0 |
Source: Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Binary or memory string: OriginalFilename vs Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Source: Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000000.00000002.935430367.0000000005FA0000.00000004.08000000.00040000.00000000.sdmp |
Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Source: Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000000.00000002.933873934.0000000003CE9000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameJihogazdofjyz.dll" vs Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Source: Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000000.00000002.930169193.0000000000752000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: OriginalFilenameCszji.exe. vs Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Source: Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000000.00000002.933451281.0000000003C48000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Source: Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000000.00000002.932856682.0000000003B49000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Source: Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000000.00000002.935239896.0000000005D00000.00000004.08000000.00040000.00000000.sdmp |
Binary or memory string: OriginalFilenameJihogazdofjyz.dll" vs Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Source: Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Binary or memory string: OriginalFilename vs Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Source: Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000011.00000000.925942429.0000000000B52000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: OriginalFilenameCszji.exe. vs Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Source: Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000011.00000003.930343050.0000000001396000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenamentdll.dllj% vs Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Source: Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000011.00000002.936183255.000000000185F000.00000040.00000800.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenamentdll.dllj% vs Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Source: Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000011.00000002.936013595.00000000016CF000.00000040.00000800.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenamentdll.dllj% vs Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Source: Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Binary or memory string: OriginalFilenameCszji.exe. vs Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Source: Halkbank_Ekstre_20220128_081138_756957 (1).exe, Program.cs |
.Net Code: Read System.Reflection.Assembly System.AppDomain::Load(System.Byte[]) |
Source: verify.exe.0.dr, Program.cs |
.Net Code: Read System.Reflection.Assembly System.AppDomain::Load(System.Byte[]) |
Source: 0.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.750000.0.unpack, Program.cs |
.Net Code: Read System.Reflection.Assembly System.AppDomain::Load(System.Byte[]) |
Source: 0.2.Halkbank_Ekstre_20220128_081138_756957 (1).exe.750000.0.unpack, Program.cs |
.Net Code: Read System.Reflection.Assembly System.AppDomain::Load(System.Byte[]) |
Source: 17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.b50000.5.unpack, Program.cs |
.Net Code: Read System.Reflection.Assembly System.AppDomain::Load(System.Byte[]) |
Source: 17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.b50000.2.unpack, Program.cs |
.Net Code: Read System.Reflection.Assembly System.AppDomain::Load(System.Byte[]) |
Source: 17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.b50000.3.unpack, Program.cs |
.Net Code: Read System.Reflection.Assembly System.AppDomain::Load(System.Byte[]) |
Source: 17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.b50000.0.unpack, Program.cs |
.Net Code: Read System.Reflection.Assembly System.AppDomain::Load(System.Byte[]) |
Source: 17.2.Halkbank_Ekstre_20220128_081138_756957 (1).exe.b50000.1.unpack, Program.cs |
.Net Code: Read System.Reflection.Assembly System.AppDomain::Load(System.Byte[]) |
Source: 17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.b50000.7.unpack, Program.cs |
.Net Code: Read System.Reflection.Assembly System.AppDomain::Load(System.Byte[]) |
Source: 17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.b50000.9.unpack, Program.cs |
.Net Code: Read System.Reflection.Assembly System.AppDomain::Load(System.Byte[]) |
Source: 17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.b50000.1.unpack, Program.cs |
.Net Code: Read System.Reflection.Assembly System.AppDomain::Load(System.Byte[]) |
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Code function: 0_2_00E6EE9A pushad ; retf |
0_2_00E6EE9D |
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Code function: 0_2_05DBFD02 push E801035Eh; ret |
0_2_05DBFD09 |
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Code function: 0_2_05DB1CC8 push eax; retf |
0_2_05DB1CC9 |
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Code function: 0_2_05DBFCF7 push E802005Eh; retf |
0_2_05DBFD01 |
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Code function: 0_2_05DB0F08 pushad ; ret |
0_2_05DB0F09 |
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Code function: 0_2_05DB61E5 push edi; iretd |
0_2_05DB61E6 |
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Code function: 0_2_05E95E73 push eax; ret |
0_2_05E95E79 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Code function: 1_2_005BF4B8 pushfd ; ret |
1_2_005BF4C1 |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Code function: 1_2_005E5D21 push es; ret |
1_2_005E5D36 |
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Code function: 17_2_0041D052 push ecx; ret |
17_2_0041D04F |
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Code function: 17_2_0041D014 push ecx; ret |
17_2_0041D04F |
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Code function: 17_2_0041B832 push eax; ret |
17_2_0041B838 |
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Code function: 17_2_0041B83B push eax; ret |
17_2_0041B8A2 |
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Code function: 17_2_0041B89C push eax; ret |
17_2_0041B8A2 |
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Code function: 17_2_00417128 push esp; retf |
17_2_00417129 |
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Code function: 17_2_0041D275 push ecx; ret |
17_2_0041D04F |
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Code function: 17_2_0041CD80 push ebp; ret |
17_2_0041CD8F |
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Code function: 17_2_00414D94 push eax; iretd |
17_2_00414D95 |
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Code function: 17_2_00415EE8 push esi; iretd |
17_2_00415EF3 |
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Code function: 17_2_0041B7E5 push eax; ret |
17_2_0041B838 |
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Queries volume information: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe VolumeInformation |
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\ VolumeInformation |