Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
Halkbank_Ekstre_20220525_103511_102798 (2).exe

Overview

General Information

Sample Name:Halkbank_Ekstre_20220525_103511_102798 (2).exe
Analysis ID:635241
MD5:91b701f0faa2e791ceab8875d57b8701
SHA1:61f6fc240b0632720f161a5eb1cdc427a3ebc170
SHA256:9e0ff5207d60d3a7717e906eabff7fe2143f63c820e670d6fd98f0a40a393aec
Tags:AgentTeslaexegeoHalkbankTUR
Infos:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Sigma detected: RegAsm connects to smtp port
Installs a global keyboard hook
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Drops executable to a common third party application directory
Machine Learning detection for sample
Allocates memory in foreign processes
Injects a PE file into a foreign processes
.NET source code contains very large array initializations
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Uses SMTP (mail sending)
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Launches processes in debugging mode, may be used to hinder debugging
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • Halkbank_Ekstre_20220525_103511_102798 (2).exe (PID: 2284 cmdline: "C:\Users\user\Desktop\Halkbank_Ekstre_20220525_103511_102798 (2).exe" MD5: 91B701F0FAA2E791CEAB8875D57B8701)
    • RegAsm.exe (PID: 6056 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
    • WerFault.exe (PID: 3368 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2284 -s 1304 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 60 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2284 -s 1304 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • firefox.exe (PID: 6560 cmdline: "C:\Users\user\AppData\Roaming\firefox\firefox.exe" MD5: 6FD7592411112729BF6B1F2F6C34899F)
    • conhost.exe (PID: 6628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "admin@gowiththegecko.com.au", "Password": "2212@Revesby", "Host": "mail.gowiththegecko.com.au"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000001.00000000.257294583.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    00000001.00000000.257294583.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
      00000001.00000000.255656425.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
        00000001.00000000.255656425.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
          00000001.00000000.256552993.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
            Click to see the 16 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            0.0.Halkbank_Ekstre_20220525_103511_102798 (2).exe.3abdb40.6.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
              0.0.Halkbank_Ekstre_20220525_103511_102798 (2).exe.3abdb40.6.unpackJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
                0.0.Halkbank_Ekstre_20220525_103511_102798 (2).exe.3abdb40.6.unpackMALWARE_Win_AgentTeslaV3AgentTeslaV3 infostealer payloadditekSHen
                • 0x30cfb:$s10: logins
                • 0x30762:$s11: credential
                • 0x2cd58:$g1: get_Clipboard
                • 0x2cd66:$g2: get_Keyboard
                • 0x2cd73:$g3: get_Password
                • 0x2e069:$g4: get_CtrlKeyDown
                • 0x2e079:$g5: get_ShiftKeyDown
                • 0x2e08a:$g6: get_AltKeyDown
                1.0.RegAsm.exe.400000.3.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                  1.0.RegAsm.exe.400000.3.unpackJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
                    Click to see the 49 entries

                    Sigma Signatures

                    Networking

                    barindex
                    Sigma detected: RegAsm connects to smtp port
                    Source: Network ConnectionAuthor: Joe Security: Data: DestinationIp: 110.173.135.85, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Initiated: true, ProcessId: 6056, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49758

                    Snort Signatures

                    No Snort rule has matched

                    Joe Sandbox Signatures

                    Click to jump to signature section

                    Show All Signature Results

                    AV Detection

                    barindex
                    Found malware configuration
                    Source: 0.2.Halkbank_Ekstre_20220525_103511_102798 (2).exe.3af2170.1.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "admin@gowiththegecko.com.au", "Password": "2212@Revesby", "Host": "mail.gowiththegecko.com.au"}
                    Multi AV Scanner detection for submitted file
                    Source: Halkbank_Ekstre_20220525_103511_102798 (2).exeVirustotal: Detection: 50%Perma Link
                    Source: Halkbank_Ekstre_20220525_103511_102798 (2).exeReversingLabs: Detection: 48%
                    Machine Learning detection for sample
                    Source: Halkbank_Ekstre_20220525_103511_102798 (2).exeJoe Sandbox ML: detected
                    Source: 1.0.RegAsm.exe.400000.0.unpackAvira: Label: TR/Spy.Gen8
                    Source: 1.2.RegAsm.exe.400000.0.unpackAvira: Label: TR/Spy.Gen8
                    Source: 1.0.RegAsm.exe.400000.2.unpackAvira: Label: TR/Spy.Gen8
                    Source: 1.0.RegAsm.exe.400000.4.unpackAvira: Label: TR/Spy.Gen8
                    Source: 1.0.RegAsm.exe.400000.1.unpackAvira: Label: TR/Spy.Gen8
                    Source: 1.0.RegAsm.exe.400000.3.unpackAvira: Label: TR/Spy.Gen8
                    Source: Halkbank_Ekstre_20220525_103511_102798 (2).exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                    Source: Halkbank_Ekstre_20220525_103511_102798 (2).exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                    Source: Binary string: System.Core.ni.pdbRSDSD source: WER4EF.tmp.dmp.9.dr
                    Source: Binary string: System.Windows.Forms.pdb source: WER4EF.tmp.dmp.9.dr
                    Source: Binary string: mscorlib.pdb source: WER4EF.tmp.dmp.9.dr
                    Source: Binary string: System.ni.pdbRSDS source: WER4EF.tmp.dmp.9.dr
                    Source: Binary string: mscorlib.ni.pdb source: WER4EF.tmp.dmp.9.dr
                    Source: Binary string: RegAsm.pdb source: firefox.exe, firefox.exe, 00000011.00000000.324941637.0000000000F82000.00000002.00000001.01000000.00000009.sdmp, firefox.exe.1.dr
                    Source: Binary string: l98 (2).PDB source: Halkbank_Ekstre_20220525_103511_102798 (2).exe, 00000000.00000000.276685351.0000000000B57000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: System.Core.pdb source: WER4EF.tmp.dmp.9.dr
                    Source: Binary string: RegAsm.pdb4 source: firefox.exe, 00000011.00000000.324941637.0000000000F82000.00000002.00000001.01000000.00000009.sdmp, firefox.exe.1.dr
                    Source: Binary string: mscorlib.ni.pdbRSDS source: WER4EF.tmp.dmp.9.dr
                    Source: Binary string: .pdbE( source: Halkbank_Ekstre_20220525_103511_102798 (2).exe, 00000000.00000002.300533200.0000000000B57000.00000004.00000010.00020000.00000000.sdmp, Halkbank_Ekstre_20220525_103511_102798 (2).exe, 00000000.00000000.276685351.0000000000B57000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: System.Core.pdbH source: WER4EF.tmp.dmp.9.dr
                    Source: Binary string: C:\Users\user\Desktop\Halkbank_Ekstre_20220525_103511_102798 (2).PDB source: Halkbank_Ekstre_20220525_103511_102798 (2).exe, 00000000.00000002.300533200.0000000000B57000.00000004.00000010.00020000.00000000.sdmp, Halkbank_Ekstre_20220525_103511_102798 (2).exe, 00000000.00000000.276685351.0000000000B57000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: System.ni.pdb source: WER4EF.tmp.dmp.9.dr
                    Source: Binary string: System.pdb source: WER4EF.tmp.dmp.9.dr
                    Source: Binary string: System.Core.ni.pdb source: WER4EF.tmp.dmp.9.dr
                    Source: Joe Sandbox ViewASN Name: DIGITALPACIFIC-AUDigitalPacificPtyLtdAustraliaAU DIGITALPACIFIC-AUDigitalPacificPtyLtdAustraliaAU
                    Source: global trafficTCP traffic: 192.168.2.4:49758 -> 110.173.135.85:587
                    Source: global trafficTCP traffic: 192.168.2.4:49758 -> 110.173.135.85:587
                    Source: RegAsm.exe, 00000001.00000002.775664989.0000000002841000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://127.0.0.1:HTTP/1.1
                    Source: RegAsm.exe, 00000001.00000002.777760334.0000000002B42000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.777850525.0000000002B92000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://71gdspwVDHVhJVZvkZU1.org
                    Source: RegAsm.exe, 00000001.00000002.775664989.0000000002841000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
                    Source: RegAsm.exe, 00000001.00000002.775664989.0000000002841000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://LJWAmo.com
                    Source: RegAsm.exe, 00000001.00000002.778089897.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.779083550.0000000005E8B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.777850525.0000000002B92000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.779036322.0000000005E20000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
                    Source: RegAsm.exe, 00000001.00000002.779083550.0000000005E8B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
                    Source: RegAsm.exe, 00000001.00000002.778089897.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.775295882.0000000000C51000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.779083550.0000000005E8B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.777850525.0000000002B92000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.779036322.0000000005E20000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
                    Source: RegAsm.exe, 00000001.00000002.778089897.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.779083550.0000000005E8B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.777850525.0000000002B92000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.779036322.0000000005E20000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
                    Source: RegAsm.exe, 00000001.00000003.298617705.0000000005E2B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.779036322.0000000005E20000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.microsoft.?t
                    Source: RegAsm.exe, 00000001.00000002.778089897.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.777850525.0000000002B92000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://mail.gowiththegecko.com.au
                    Source: RegAsm.exe, 00000001.00000002.778089897.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.775295882.0000000000C51000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.779083550.0000000005E8B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.777850525.0000000002B92000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.779036322.0000000005E20000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0
                    Source: Halkbank_Ekstre_20220525_103511_102798 (2).exeString found in binary or memory: http://sawebservice.red-gate.com/
                    Source: Halkbank_Ekstre_20220525_103511_102798 (2).exeString found in binary or memory: http://www.smartassembly.com/webservices/Reporting/
                    Source: Halkbank_Ekstre_20220525_103511_102798 (2).exeString found in binary or memory: http://www.smartassembly.com/webservices/Reporting/UploadReport2
                    Source: Halkbank_Ekstre_20220525_103511_102798 (2).exeString found in binary or memory: http://www.smartassembly.com/webservices/UploadReportLogin/
                    Source: Halkbank_Ekstre_20220525_103511_102798 (2).exeString found in binary or memory: http://www.smartassembly.com/webservices/UploadReportLogin/GetServerURL
                    Source: RegAsm.exe, 00000001.00000002.775664989.0000000002841000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org%
                    Source: RegAsm.exe, 00000001.00000002.775664989.0000000002841000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org%appdata
                    Source: Halkbank_Ekstre_20220525_103511_102798 (2).exe, Halkbank_Ekstre_20220525_103511_102798 (2).exe, 00000000.00000002.306366536.0000000002A81000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://dsssdsa.fa
                    Source: Halkbank_Ekstre_20220525_103511_102798 (2).exeString found in binary or memory: https://dsssdsa.fa)Uri
                    Source: Halkbank_Ekstre_20220525_103511_102798 (2).exeString found in binary or memory: https://rufus.ie
                    Source: RegAsm.exe, 00000001.00000002.778089897.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.779083550.0000000005E8B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.777850525.0000000002B92000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.779036322.0000000005E20000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://sectigo.com/CPS0
                    Source: Halkbank_Ekstre_20220525_103511_102798 (2).exeString found in binary or memory: https://www.gnu.org/licenses/gpl-3.0.htmlF
                    Source: RegAsm.exe, 00000001.00000002.775664989.0000000002841000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
                    Source: unknownDNS traffic detected: queries for: mail.gowiththegecko.com.au

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

                    barindex
                    Installs a global keyboard hook
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWindows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWindow created: window name: CLIPBRDWNDCLASS

                    System Summary

                    barindex
                    Malicious sample detected (through community Yara rule)
                    Source: 0.0.Halkbank_Ekstre_20220525_103511_102798 (2).exe.3abdb40.6.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 1.0.RegAsm.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 0.0.Halkbank_Ekstre_20220525_103511_102798 (2).exe.3abdb40.3.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 1.0.RegAsm.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 1.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 0.0.Halkbank_Ekstre_20220525_103511_102798 (2).exe.3abdb40.3.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 0.2.Halkbank_Ekstre_20220525_103511_102798 (2).exe.3abdb40.2.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 0.0.Halkbank_Ekstre_20220525_103511_102798 (2).exe.3af2170.2.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 1.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 0.0.Halkbank_Ekstre_20220525_103511_102798 (2).exe.3af2170.2.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 0.0.Halkbank_Ekstre_20220525_103511_102798 (2).exe.3af2170.5.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 0.2.Halkbank_Ekstre_20220525_103511_102798 (2).exe.3af2170.1.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 1.0.RegAsm.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 0.0.Halkbank_Ekstre_20220525_103511_102798 (2).exe.3af2170.5.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 0.2.Halkbank_Ekstre_20220525_103511_102798 (2).exe.3af2170.1.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 0.0.Halkbank_Ekstre_20220525_103511_102798 (2).exe.3abdb40.6.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 0.2.Halkbank_Ekstre_20220525_103511_102798 (2).exe.3abdb40.2.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    .NET source code contains very large array initializations
                    Source: 1.0.RegAsm.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b9AB90D2Fu002dBB14u002d48B6u002d9AC7u002dC8C0B6A282FCu007d/ADCA6523u002d6D89u002d4B22u002dAEE7u002d162F3696E7B7.csLarge array initialization: .cctor: array initializer size 11627
                    Source: 1.2.RegAsm.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b9AB90D2Fu002dBB14u002d48B6u002d9AC7u002dC8C0B6A282FCu007d/ADCA6523u002d6D89u002d4B22u002dAEE7u002d162F3696E7B7.csLarge array initialization: .cctor: array initializer size 11627
                    Source: Halkbank_Ekstre_20220525_103511_102798 (2).exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                    Source: 0.0.Halkbank_Ekstre_20220525_103511_102798 (2).exe.3abdb40.6.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 1.0.RegAsm.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 0.0.Halkbank_Ekstre_20220525_103511_102798 (2).exe.3abdb40.3.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 1.0.RegAsm.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 1.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 0.0.Halkbank_Ekstre_20220525_103511_102798 (2).exe.3abdb40.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 0.2.Halkbank_Ekstre_20220525_103511_102798 (2).exe.3abdb40.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 0.0.Halkbank_Ekstre_20220525_103511_102798 (2).exe.3af2170.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 1.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 0.0.Halkbank_Ekstre_20220525_103511_102798 (2).exe.3af2170.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 0.0.Halkbank_Ekstre_20220525_103511_102798 (2).exe.3af2170.5.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 0.2.Halkbank_Ekstre_20220525_103511_102798 (2).exe.3af2170.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 1.0.RegAsm.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 0.0.Halkbank_Ekstre_20220525_103511_102798 (2).exe.3af2170.5.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 0.2.Halkbank_Ekstre_20220525_103511_102798 (2).exe.3af2170.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 0.0.Halkbank_Ekstre_20220525_103511_102798 (2).exe.3abdb40.6.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 0.2.Halkbank_Ekstre_20220525_103511_102798 (2).exe.3abdb40.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220525_103511_102798 (2).exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2284 -s 1304
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_00D5F0A0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_00D5F3E8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_00D56150
                    Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeCode function: 17_2_00F83DFE
                    Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220525_103511_102798 (2).exeCode function: 0_2_00FD2F08 CreateProcessAsUserA,
                    Source: Halkbank_Ekstre_20220525_103511_102798 (2).exe, 00000000.00000002.306366536.0000000002A81000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameoAgrQVJOHIRjstJaVRAzBmBW.exe4 vs Halkbank_Ekstre_20220525_103511_102798 (2).exe
                    Source: Halkbank_Ekstre_20220525_103511_102798 (2).exe, 00000000.00000000.276635209.00000000007AE000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamerufus-3.18.exe, vs Halkbank_Ekstre_20220525_103511_102798 (2).exe
                    Source: Halkbank_Ekstre_20220525_103511_102798 (2).exe, 00000000.00000002.306509807.0000000003A89000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameoAgrQVJOHIRjstJaVRAzBmBW.exe4 vs Halkbank_Ekstre_20220525_103511_102798 (2).exe
                    Source: Halkbank_Ekstre_20220525_103511_102798 (2).exeBinary or memory string: OriginalFilenamerufus-3.18.exe, vs Halkbank_Ekstre_20220525_103511_102798 (2).exe
                    Source: Halkbank_Ekstre_20220525_103511_102798 (2).exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dll
                    Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Roaming\firefox\firefox.exe FFE4480CCC81B061F725C54587E9D1BA96547D27FE28083305D75796F2EB3E74
                    Source: Halkbank_Ekstre_20220525_103511_102798 (2).exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    Source: Halkbank_Ekstre_20220525_103511_102798 (2).exeVirustotal: Detection: 50%
                    Source: Halkbank_Ekstre_20220525_103511_102798 (2).exeReversingLabs: Detection: 48%
                    Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220525_103511_102798 (2).exeFile read: C:\Users\user\Desktop\Halkbank_Ekstre_20220525_103511_102798 (2).exeJump to behavior
                    Source: Halkbank_Ekstre_20220525_103511_102798 (2).exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220525_103511_102798 (2).exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: unknownProcess created: C:\Users\user\Desktop\Halkbank_Ekstre_20220525_103511_102798 (2).exe "C:\Users\user\Desktop\Halkbank_Ekstre_20220525_103511_102798 (2).exe"
                    Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220525_103511_102798 (2).exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                    Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220525_103511_102798 (2).exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2284 -s 1304
                    Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220525_103511_102798 (2).exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2284 -s 1304
                    Source: unknownProcess created: C:\Users\user\AppData\Roaming\firefox\firefox.exe "C:\Users\user\AppData\Roaming\firefox\firefox.exe"
                    Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220525_103511_102798 (2).exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                    Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220525_103511_102798 (2).exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2284 -s 1304
                    Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220525_103511_102798 (2).exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\Users\user\AppData\Roaming\firefoxJump to behavior
                    Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220525_103511_102798 (2).exeFile created: C:\Users\user\AppData\Local\Temp\2d_PCX.icoJump to behavior
                    Source: classification engineClassification label: mal100.spre.troj.spyw.evad.winEXE@9/9@2/1
                    Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220525_103511_102798 (2).exeFile read: C:\Users\desktop.iniJump to behavior
                    Source: Halkbank_Ekstre_20220525_103511_102798 (2).exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                    Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220525_103511_102798 (2).exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                    Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                    Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                    Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                    Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2284
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6628:120:WilError_01
                    Source: Halkbank_Ekstre_20220525_103511_102798 (2).exe, u0097/u0005u0002.csCryptographic APIs: 'CreateDecryptor'
                    Source: Halkbank_Ekstre_20220525_103511_102798 (2).exe, u0097/u0005u0002.csCryptographic APIs: 'TransformFinalBlock'
                    Source: Halkbank_Ekstre_20220525_103511_102798 (2).exe, u001a/u0016u0017.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                    Source: Halkbank_Ekstre_20220525_103511_102798 (2).exe, u001a/u0016u0017.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                    Source: 1.0.RegAsm.exe.400000.0.unpack, A/F1.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 1.0.RegAsm.exe.400000.0.unpack, A/F1.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 1.2.RegAsm.exe.400000.0.unpack, A/F1.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 1.2.RegAsm.exe.400000.0.unpack, A/F1.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                    Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220525_103511_102798 (2).exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                    Source: Halkbank_Ekstre_20220525_103511_102798 (2).exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: Halkbank_Ekstre_20220525_103511_102798 (2).exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                    Source: Binary string: System.Core.ni.pdbRSDSD source: WER4EF.tmp.dmp.9.dr
                    Source: Binary string: System.Windows.Forms.pdb source: WER4EF.tmp.dmp.9.dr
                    Source: Binary string: mscorlib.pdb source: WER4EF.tmp.dmp.9.dr
                    Source: Binary string: System.ni.pdbRSDS source: WER4EF.tmp.dmp.9.dr
                    Source: Binary string: mscorlib.ni.pdb source: WER4EF.tmp.dmp.9.dr
                    Source: Binary string: RegAsm.pdb source: firefox.exe, firefox.exe, 00000011.00000000.324941637.0000000000F82000.00000002.00000001.01000000.00000009.sdmp, firefox.exe.1.dr
                    Source: Binary string: l98 (2).PDB source: Halkbank_Ekstre_20220525_103511_102798 (2).exe, 00000000.00000000.276685351.0000000000B57000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: System.Core.pdb source: WER4EF.tmp.dmp.9.dr
                    Source: Binary string: RegAsm.pdb4 source: firefox.exe, 00000011.00000000.324941637.0000000000F82000.00000002.00000001.01000000.00000009.sdmp, firefox.exe.1.dr
                    Source: Binary string: mscorlib.ni.pdbRSDS source: WER4EF.tmp.dmp.9.dr
                    Source: Binary string: .pdbE( source: Halkbank_Ekstre_20220525_103511_102798 (2).exe, 00000000.00000002.300533200.0000000000B57000.00000004.00000010.00020000.00000000.sdmp, Halkbank_Ekstre_20220525_103511_102798 (2).exe, 00000000.00000000.276685351.0000000000B57000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: System.Core.pdbH source: WER4EF.tmp.dmp.9.dr
                    Source: Binary string: C:\Users\user\Desktop\Halkbank_Ekstre_20220525_103511_102798 (2).PDB source: Halkbank_Ekstre_20220525_103511_102798 (2).exe, 00000000.00000002.300533200.0000000000B57000.00000004.00000010.00020000.00000000.sdmp, Halkbank_Ekstre_20220525_103511_102798 (2).exe, 00000000.00000000.276685351.0000000000B57000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: System.ni.pdb source: WER4EF.tmp.dmp.9.dr
                    Source: Binary string: System.pdb source: WER4EF.tmp.dmp.9.dr
                    Source: Binary string: System.Core.ni.pdb source: WER4EF.tmp.dmp.9.dr
                    Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeCode function: 17_2_00F84469 push cs; retf
                    Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeCode function: 17_2_00F844A3 push es; retf
                    Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeCode function: 17_2_00F84289 push es; retf
                    Source: initial sampleStatic PE information: section name: .text entropy: 7.75452715389

                    Persistence and Installation Behavior

                    barindex
                    Drops executable to a common third party application directory
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile written: C:\Users\user\AppData\Roaming\firefox\firefox.exeJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\Users\user\AppData\Roaming\firefox\firefox.exeJump to dropped file
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run firefoxJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run firefoxJump to behavior

                    Hooking and other Techniques for Hiding and Protection

                    barindex
                    Hides that the sample has been downloaded from the Internet (zone.identifier)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\firefox\firefox.exe:Zone.Identifier read attributes | delete
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
                    Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220525_103511_102798 (2).exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220525_103511_102798 (2).exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220525_103511_102798 (2).exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220525_103511_102798 (2).exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220525_103511_102798 (2).exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220525_103511_102798 (2).exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220525_103511_102798 (2).exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220525_103511_102798 (2).exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220525_103511_102798 (2).exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220525_103511_102798 (2).exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220525_103511_102798 (2).exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220525_103511_102798 (2).exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220525_103511_102798 (2).exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220525_103511_102798 (2).exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220525_103511_102798 (2).exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220525_103511_102798 (2).exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220525_103511_102798 (2).exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220525_103511_102798 (2).exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeProcess information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    barindex
                    Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4828Thread sleep time: -23980767295822402s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2256Thread sleep count: 6314 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2256Thread sleep count: 2608 > 30
                    Source: C:\Users\user\AppData\Roaming\firefox\firefox.exe TID: 6688Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWindow / User API: threadDelayed 6314
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWindow / User API: threadDelayed 2608
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information queried: ProcessInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeThread delayed: delay time: 922337203685477
                    Source: RegAsm.exe, 00000001.00000002.779036322.0000000005E20000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlllter-0000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess token adjusted: Debug
                    Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220525_103511_102798 (2).exeProcess queried: DebugPort
                    Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220525_103511_102798 (2).exeProcess queried: DebugPort
                    Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220525_103511_102798 (2).exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2284 -s 1304
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_00D5FCB8 LdrInitializeThunk,
                    Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220525_103511_102798 (2).exeMemory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    barindex
                    Writes to foreign memory regions
                    Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220525_103511_102798 (2).exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
                    Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220525_103511_102798 (2).exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
                    Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220525_103511_102798 (2).exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 436000
                    Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220525_103511_102798 (2).exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 438000
                    Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220525_103511_102798 (2).exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 68A008
                    Allocates memory in foreign processes
                    Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220525_103511_102798 (2).exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
                    Injects a PE file into a foreign processes
                    Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220525_103511_102798 (2).exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220525_103511_102798 (2).exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                    Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220525_103511_102798 (2).exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2284 -s 1304
                    Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220525_103511_102798 (2).exeQueries volume information: C:\Users\user\Desktop\Halkbank_Ekstre_20220525_103511_102798 (2).exe VolumeInformation
                    Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220525_103511_102798 (2).exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: unknown VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\firefox\firefox.exeQueries volume information: C:\Users\user\AppData\Roaming\firefox\firefox.exe VolumeInformation
                    Source: C:\Users\user\Desktop\Halkbank_Ekstre_20220525_103511_102798 (2).exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

                    barindex
                    Yara detected AgentTesla
                    Source: Yara matchFile source: 0.0.Halkbank_Ekstre_20220525_103511_102798 (2).exe.3abdb40.6.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 1.0.RegAsm.exe.400000.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.Halkbank_Ekstre_20220525_103511_102798 (2).exe.3abdb40.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 1.0.RegAsm.exe.400000.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 1.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.Halkbank_Ekstre_20220525_103511_102798 (2).exe.3abdb40.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.Halkbank_Ekstre_20220525_103511_102798 (2).exe.3abdb40.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.Halkbank_Ekstre_20220525_103511_102798 (2).exe.3af2170.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 1.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.Halkbank_Ekstre_20220525_103511_102798 (2).exe.3af2170.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.Halkbank_Ekstre_20220525_103511_102798 (2).exe.3af2170.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.Halkbank_Ekstre_20220525_103511_102798 (2).exe.3af2170.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 1.0.RegAsm.exe.400000.4.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.Halkbank_Ekstre_20220525_103511_102798 (2).exe.3af2170.5.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.Halkbank_Ekstre_20220525_103511_102798 (2).exe.3af2170.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.Halkbank_Ekstre_20220525_103511_102798 (2).exe.3abdb40.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.Halkbank_Ekstre_20220525_103511_102798 (2).exe.3abdb40.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000001.00000000.257294583.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000001.00000000.255656425.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000001.00000000.256552993.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000001.00000002.773543495.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.306509807.0000000003A89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000001.00000000.257741939.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000000.275002773.0000000003A89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000000.288517970.0000000003A89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000001.00000002.775664989.0000000002841000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: Halkbank_Ekstre_20220525_103511_102798 (2).exe PID: 2284, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 6056, type: MEMORYSTR
                    Tries to steal Mail credentials (via file / registry access)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                    Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Tries to harvest and steal ftp login credentials
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
                    Tries to harvest and steal browser information (history, passwords, etc)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: Yara matchFile source: 00000001.00000002.775664989.0000000002841000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 6056, type: MEMORYSTR

                    Remote Access Functionality

                    barindex
                    Yara detected AgentTesla
                    Source: Yara matchFile source: 0.0.Halkbank_Ekstre_20220525_103511_102798 (2).exe.3abdb40.6.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 1.0.RegAsm.exe.400000.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.Halkbank_Ekstre_20220525_103511_102798 (2).exe.3abdb40.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 1.0.RegAsm.exe.400000.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 1.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.Halkbank_Ekstre_20220525_103511_102798 (2).exe.3abdb40.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.Halkbank_Ekstre_20220525_103511_102798 (2).exe.3abdb40.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.Halkbank_Ekstre_20220525_103511_102798 (2).exe.3af2170.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 1.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.Halkbank_Ekstre_20220525_103511_102798 (2).exe.3af2170.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.Halkbank_Ekstre_20220525_103511_102798 (2).exe.3af2170.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.Halkbank_Ekstre_20220525_103511_102798 (2).exe.3af2170.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 1.0.RegAsm.exe.400000.4.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.Halkbank_Ekstre_20220525_103511_102798 (2).exe.3af2170.5.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.Halkbank_Ekstre_20220525_103511_102798 (2).exe.3af2170.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.Halkbank_Ekstre_20220525_103511_102798 (2).exe.3abdb40.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.Halkbank_Ekstre_20220525_103511_102798 (2).exe.3abdb40.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000001.00000000.257294583.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000001.00000000.255656425.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000001.00000000.256552993.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000001.00000002.773543495.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.306509807.0000000003A89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000001.00000000.257741939.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000000.275002773.0000000003A89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000000.288517970.0000000003A89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000001.00000002.775664989.0000000002841000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: Halkbank_Ekstre_20220525_103511_102798 (2).exe PID: 2284, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 6056, type: MEMORYSTR

                    Mitre Att&ck Matrix

                    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
                    1
                    Valid Accounts                    		211
                    Windows Management Instrumentation                    		1
                    DLL Side-Loading                    		1
                    DLL Side-Loading                    		11
                    Disable or Modify Tools                    		2
                    OS Credential Dumping                    		1
                    File and Directory Discovery                    		Remote Services11
                    Archive Collected Data                    		Exfiltration Over Other Network Medium1
                    Encrypted Channel                    		Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                    Default AccountsScheduled Task/Job1
                    Valid Accounts                    		1
                    Valid Accounts                    		1
                    Deobfuscate/Decode Files or Information                    		11
                    Input Capture                    		114
                    System Information Discovery                    		Remote Desktop Protocol2
                    Data from Local System                    		Exfiltration Over Bluetooth1
                    Non-Standard Port                    		Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                    Domain AccountsAt (Linux)1
                    Registry Run Keys / Startup Folder                    		1
                    Access Token Manipulation                    		2
                    Obfuscated Files or Information                    		1
                    Credentials in Registry                    		1
                    Query Registry                    		SMB/Windows Admin Shares1
                    Email Collection                    		Automated Exfiltration1
                    Non-Application Layer Protocol                    		Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                    Local AccountsAt (Windows)Logon Script (Mac)311
                    Process Injection                    		3
                    Software Packing                    		NTDS121
                    Security Software Discovery                    		Distributed Component Object Model11
                    Input Capture                    		Scheduled Transfer11
                    Application Layer Protocol                    		SIM Card SwapCarrier Billing Fraud
                    Cloud AccountsCronNetwork Logon Script1
                    Registry Run Keys / Startup Folder                    		1
                    DLL Side-Loading                    		LSA Secrets1
                    Process Discovery                    		SSH1
                    Clipboard Data                    		Data Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
                    Replication Through Removable MediaLaunchdRc.commonRc.common11
                    Masquerading                    		Cached Domain Credentials141
                    Virtualization/Sandbox Evasion                    		VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                    External Remote ServicesScheduled TaskStartup ItemsStartup Items1
                    Valid Accounts                    		DCSync1
                    Application Window Discovery                    		Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
                    Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/Job1
                    Access Token Manipulation                    		Proc Filesystem1
                    Remote System Discovery                    		Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
                    Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)141
                    Virtualization/Sandbox Evasion                    		/etc/passwd and /etc/shadowSystem Network Connections DiscoverySoftware Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction
                    Supply Chain CompromiseAppleScriptAt (Windows)At (Windows)311
                    Process Injection                    		Network SniffingProcess DiscoveryTaint Shared ContentLocal Data StagingExfiltration Over Unencrypted/Obfuscated Non-C2 ProtocolFile Transfer ProtocolsData Encrypted for Impact
                    Compromise Software Dependencies and Development ToolsWindows Command ShellCronCron1
                    Hidden Files and Directories                    		Input CapturePermission Groups DiscoveryReplication Through Removable MediaRemote Data StagingExfiltration Over Physical MediumMail ProtocolsService Stop

                    Behavior Graph

                    Hide Legend

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet

                    Screenshots

                    Thumbnails

                    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                    windows-stand

                    Antivirus, Machine Learning and Genetic Malware Detection

                    Initial Sample

                    SourceDetectionScannerLabelLink
                    Halkbank_Ekstre_20220525_103511_102798 (2).exe51%VirustotalBrowse
                    Halkbank_Ekstre_20220525_103511_102798 (2).exe49%ReversingLabsByteCode-MSIL.Trojan.AgentTesla
                    Halkbank_Ekstre_20220525_103511_102798 (2).exe100%Joe Sandbox ML

                    Dropped Files

                    SourceDetectionScannerLabelLink
                    C:\Users\user\AppData\Roaming\firefox\firefox.exe0%MetadefenderBrowse
                    C:\Users\user\AppData\Roaming\firefox\firefox.exe0%ReversingLabs

                    Unpacked PE Files

                    SourceDetectionScannerLabelLinkDownload
                    1.0.RegAsm.exe.400000.0.unpack100%AviraTR/Spy.Gen8Download File
                    1.2.RegAsm.exe.400000.0.unpack100%AviraTR/Spy.Gen8Download File
                    1.0.RegAsm.exe.400000.2.unpack100%AviraTR/Spy.Gen8Download File
                    1.0.RegAsm.exe.400000.4.unpack100%AviraTR/Spy.Gen8Download File
                    1.0.RegAsm.exe.400000.1.unpack100%AviraTR/Spy.Gen8Download File
                    1.0.RegAsm.exe.400000.3.unpack100%AviraTR/Spy.Gen8Download File

                    Domains

                    No Antivirus matches

                    URLs

                    SourceDetectionScannerLabelLink
                    https://dsssdsa.fa)Uri0%Avira URL Cloudsafe
                    http://127.0.0.1:HTTP/1.10%Avira URL Cloudsafe
                    https://sectigo.com/CPS00%URL Reputationsafe
                    https://rufus.ie0%VirustotalBrowse
                    https://rufus.ie0%Avira URL Cloudsafe
                    https://api.ipify.org%appdata0%URL Reputationsafe
                    http://www.smartassembly.com/webservices/Reporting/UploadReport20%URL Reputationsafe
                    https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www0%URL Reputationsafe
                    http://DynDns.comDynDNSnamejidpasswordPsi/Psi0%URL Reputationsafe
                    http://LJWAmo.com0%Avira URL Cloudsafe
                    http://mail.gowiththegecko.com.au0%Avira URL Cloudsafe
                    https://dsssdsa.fa0%Avira URL Cloudsafe
                    http://www.smartassembly.com/webservices/Reporting/0%URL Reputationsafe
                    https://api.ipify.org%0%URL Reputationsafe
                    http://www.smartassembly.com/webservices/UploadReportLogin/0%URL Reputationsafe
                    http://www.smartassembly.com/webservices/UploadReportLogin/GetServerURL0%URL Reputationsafe
                    http://71gdspwVDHVhJVZvkZU1.org0%Avira URL Cloudsafe
                    http://crl.microsoft.?t0%Avira URL Cloudsafe

                    Domains and IPs

                    Contacted Domains

                    NameIPActiveMaliciousAntivirus DetectionReputation
                    mail.gowiththegecko.com.au
                    		110.173.135.85
                    		truetrue
                      		unknown

                      URLs from Memory and Binaries

                      NameSourceMaliciousAntivirus DetectionReputation
                      https://dsssdsa.fa)UriHalkbank_Ekstre_20220525_103511_102798 (2).exefalse
                      • Avira URL Cloud: safe
                      		low
                      http://127.0.0.1:HTTP/1.1RegAsm.exe, 00000001.00000002.775664989.0000000002841000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		low
                      https://sectigo.com/CPS0RegAsm.exe, 00000001.00000002.778089897.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.779083550.0000000005E8B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.777850525.0000000002B92000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.779036322.0000000005E20000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      https://rufus.ieHalkbank_Ekstre_20220525_103511_102798 (2).exefalse
                      • 0%, Virustotal, Browse
                      • Avira URL Cloud: safe
                      		unknown
                      https://api.ipify.org%appdataRegAsm.exe, 00000001.00000002.775664989.0000000002841000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		low
                      http://sawebservice.red-gate.com/Halkbank_Ekstre_20220525_103511_102798 (2).exefalse
                        		high
                        http://www.smartassembly.com/webservices/Reporting/UploadReport2Halkbank_Ekstre_20220525_103511_102798 (2).exefalse
                        • URL Reputation: safe
                        		unknown
                        https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://wwwRegAsm.exe, 00000001.00000002.775664989.0000000002841000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://DynDns.comDynDNSnamejidpasswordPsi/PsiRegAsm.exe, 00000001.00000002.775664989.0000000002841000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://LJWAmo.comRegAsm.exe, 00000001.00000002.775664989.0000000002841000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://mail.gowiththegecko.com.auRegAsm.exe, 00000001.00000002.778089897.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.777850525.0000000002B92000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://dsssdsa.faHalkbank_Ekstre_20220525_103511_102798 (2).exe, Halkbank_Ekstre_20220525_103511_102798 (2).exe, 00000000.00000002.306366536.0000000002A81000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://www.smartassembly.com/webservices/Reporting/Halkbank_Ekstre_20220525_103511_102798 (2).exefalse
                        • URL Reputation: safe
                        		unknown
                        https://www.gnu.org/licenses/gpl-3.0.htmlFHalkbank_Ekstre_20220525_103511_102798 (2).exefalse
                          		high
                          https://api.ipify.org%RegAsm.exe, 00000001.00000002.775664989.0000000002841000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		low
                          http://www.smartassembly.com/webservices/UploadReportLogin/Halkbank_Ekstre_20220525_103511_102798 (2).exefalse
                          • URL Reputation: safe
                          		unknown
                          http://www.smartassembly.com/webservices/UploadReportLogin/GetServerURLHalkbank_Ekstre_20220525_103511_102798 (2).exefalse
                          • URL Reputation: safe
                          		unknown
                          http://71gdspwVDHVhJVZvkZU1.orgRegAsm.exe, 00000001.00000002.777760334.0000000002B42000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.777850525.0000000002B92000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://crl.microsoft.?tRegAsm.exe, 00000001.00000003.298617705.0000000005E2B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.779036322.0000000005E20000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown

                          World Map of Contacted IPs

                          • No. of IPs < 25%
                          • 25% < No. of IPs < 50%
                          • 50% < No. of IPs < 75%
                          • 75% < No. of IPs

                          Public IPs

                          IPDomainCountryFlagASNASN NameMalicious
                          110.173.135.85
                          		mail.gowiththegecko.com.auAustralia
                          		55803DIGITALPACIFIC-AUDigitalPacificPtyLtdAustraliaAUtrue

                          General Information

                          Joe Sandbox Version:34.0.0 Boulder Opal
                          Analysis ID:635241
                          Start date and time: 27/05/202217:35:532022-05-27 17:35:53 +02:00
                          Joe Sandbox Product:CloudBasic
                          Overall analysis duration:0h 13m 22s
                          Hypervisor based Inspection enabled:false
                          Report type:light
                          Sample file name:Halkbank_Ekstre_20220525_103511_102798 (2).exe
                          Cookbook file name:default.jbs
                          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                          Number of analysed new started processes analysed:33
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • HDC enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Detection:MAL
                          Classification:mal100.spre.troj.spyw.evad.winEXE@9/9@2/1
                          EGA Information:
                          • Successful, ratio: 66.7%
                          HDC Information:
                          • Successful, ratio: 4.4% (good quality ratio 3.9%)
                          • Quality average: 70.9%
                          • Quality standard deviation: 30.5%
                          HCA Information:
                          • Successful, ratio: 100%
                          • Number of executed functions: 0
                          • Number of non-executed functions: 0
                          Cookbook Comments:
                          • Found application associated with file extension: .exe
                          • Adjust boot time
                          • Enable AMSI
                          • Override analysis time to 240s for rundll32

                          Warnings

                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, rundll32.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
                          • TCP Packets have been reduced to 100
                          • Excluded IPs from analysis (whitelisted): 20.189.173.22
                          • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, fs.microsoft.com, store-images.s-microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, sls.update.microsoft.com, onedsblobprdwus17.westus.cloudapp.azure.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, arc.msn.com
                          • Execution Graph export aborted for target firefox.exe, PID 6560 because it is empty
                          • Not all processes where analyzed, report is missing behavior information
                          • Report size exceeded maximum capacity and may have missing behavior information.
                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                          • Report size getting too big, too many NtOpenKeyEx calls found.
                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                          • Report size getting too big, too many NtQueryValueKey calls found.
                          • Report size getting too big, too many NtSetInformationFile calls found.

                          Simulations

                          Behavior and APIs

                          TimeTypeDescription
                          17:37:14API Interceptor1563x Sleep call for process: RegAsm.exe modified
                          17:37:19AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run firefox C:\Users\user\AppData\Roaming\firefox\firefox.exe
                          17:37:29AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run firefox C:\Users\user\AppData\Roaming\firefox\firefox.exe
                          17:37:32API Interceptor1x Sleep call for process: WerFault.exe modified

                          Joe Sandbox View / Context

                          IPs

                          No context

                          Domains

                          No context

                          ASNs

                          No context

                          JA3 Fingerprints

                          No context

                          Dropped Files

                          No context

                          Created / dropped Files

                          C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_UNNHQCRYQ1ZFCITV_e531fb32b3144411c4bc2422ecfac52bfde9af_d16772c1_006a1dc6\Report.wer

                          Download File
                          Process:C:\Windows\SysWOW64\WerFault.exe
                          File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):65536
                          Entropy (8bit):1.0760376957966384
                          Encrypted:false
                          SSDEEP:192:K11gCT++xHKUgO+SQuaKH9fIs/u7s/S274It+:K3gCT+QKUgO+SQua8/u7s/X4It+
                          MD5:00EC6DD5A115721801C16ADDD847C1AA
                          SHA1:73D5FD4BD79B88C5EF8DF4E309F38A65C031880A
                          SHA-256:996D5F911E64DE933548BC7F9292680BFA1C8C75DF7EB33F0569948976F5EBE5
                          SHA-512:7DE10F68F415B1619FD5B0D89BBA0EA226332C99DC6EEC1FDACD488A406C199028D936E21A7530A238C275E6656792695630EAB602C757C938034D49A22A969B
                          Malicious:false
                          Reputation:low
                          Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.2.9.8.1.3.9.4.4.6.2.7.7.1.5.9.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.9.8.1.3.9.4.5.0.6.8.3.3.6.5.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.a.6.d.5.3.7.4.-.9.b.e.e.-.4.f.1.9.-.b.a.7.d.-.9.4.a.b.b.b.0.8.3.2.2.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.4.c.5.0.f.4.f.-.2.a.e.c.-.4.5.6.2.-.b.e.8.2.-.9.c.b.7.5.8.6.3.1.3.0.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.H.a.l.k.b.a.n.k._.E.k.s.t.r.e._.2.0.2.2.0.5.2.5._.1.0.3.5.1.1._.1.0.2.7.9.8. .(.2.)...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.r.u.f.u.s.-.3...1.8...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.8.e.c.-.0.0.0.1.-.0.0.1.c.-.f.0.5.7.-.f.8.9.c.d.f.7.1.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.4.b.b.b.8.3.f.b.7.0.f.4.e.6.c.6.9.2.2.d.9.e.2.a.e.9.7.7.7.c.2.0.0.0.0.0.0.0.0.0.!.0.0.0.0.6.1.

                          C:\ProgramData\Microsoft\Windows\WER\Temp\WER4EF.tmp.dmp

                          Download File
                          Process:C:\Windows\SysWOW64\WerFault.exe
                          File Type:Mini DuMP crash report, 15 streams, Fri May 27 15:37:27 2022, 0x1205a4 type
                          Category:dropped
                          Size (bytes):247037
                          Entropy (8bit):3.4019784321205626
                          Encrypted:false
                          SSDEEP:3072:gSEI0xjd+pA3E8ddYKs9gIOgF5h50aUCgUaZlSyM:gq02pKS9RpDv9TjL
                          MD5:44C5E4DC7B84E1EEF5DF29244B271C27
                          SHA1:76F054DD9BF31FE8CB17FFE421326C28AF893375
                          SHA-256:1C352EF7E0BE54FF750406198547353DD2B134BCE52E6605C50C987F3F4AD49E
                          SHA-512:30CCC4CAB03269F496DB333A2957B14AA03015F1E0F82A95E49BB3BFA4F040D95EF76D7440A4F686A76B3075D81B7D162DD33C9AD901352C05F5BDA8F15C4459
                          Malicious:false
                          Reputation:low
                          Preview:MDMP....... .......7.b............D...............X.......<...$ ......4...VN..........`.......8...........T...........X:..............` ..........L"...................................................................U...........B......."......GenuineIntelW...........T.............b.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................

                          C:\ProgramData\Microsoft\Windows\WER\Temp\WERD2D.tmp.WERInternalMetadata.xml

                          Download File
                          Process:C:\Windows\SysWOW64\WerFault.exe
                          File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):8502
                          Entropy (8bit):3.70589278952864
                          Encrypted:false
                          SSDEEP:192:Rrl7r3GLNiie6fR6Y4pSU3MNgmfZTMSh+prn89bigsfQ2m:RrlsNiD6J6YmSU3MNgmfdMSlizf4
                          MD5:B93FFA0476A8523EA7DF34EB96EE2D4F
                          SHA1:BE6DDD5F7DF7E5421CCD62548D76F13B32FFF2E0
                          SHA-256:F75D9338A5A536D130B297A9A37474A8891CE23B775F16FD10E7C5BC77BBB149
                          SHA-512:9DE7777D50148CE2CD0CC59EF85DA1C923407DD2A3CE91A0DBCC120E094334106C51286FAB7E73A3A0FCD32A3F333EF3CF8153B9B16D9DD2BFCCE90609B44015
                          Malicious:false
                          Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.2.8.4.<./.P.i.d.>.......

                          C:\ProgramData\Microsoft\Windows\WER\Temp\WERFAF.tmp.xml

                          Download File
                          Process:C:\Windows\SysWOW64\WerFault.exe
                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):4883
                          Entropy (8bit):4.567018892857431
                          Encrypted:false
                          SSDEEP:48:cvIwSD8zsEJgtWI9WgWgc8sqYjlZ8fm8M4J3BiWOwO7FdO+q8vmBiWOwORWpg3Kw:uITfCFZgrsqYJeJ3B4wzKmB4wEx3Rn/d
                          MD5:A322FD3A9820993ECA4082B904DF1248
                          SHA1:F930A289D71CEA987BE5895A52125985CD1BEA46
                          SHA-256:A2ED696871D515B17FE51516D4D6F0BC33CBB524AE1EFE3ADCD905A62DB2589C
                          SHA-512:45C5D16A6FB7FA6E373FBF54BD3AACC136AB28D463545FF98F9E06151A1D1A68C5FABE58DEEA7F352A983D5105F2E34994ECDABDB59A703B5AC29B2FB22D6FDA
                          Malicious:false
                          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1533648" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\firefox.exe.log

                          Download File
                          Process:C:\Users\user\AppData\Roaming\firefox\firefox.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:modified
                          Size (bytes):42
                          Entropy (8bit):4.0050635535766075
                          Encrypted:false
                          SSDEEP:3:QHXMKa/xwwUy:Q3La/xwQ
                          MD5:84CFDB4B995B1DBF543B26B86C863ADC
                          SHA1:D2F47764908BF30036CF8248B9FF5541E2711FA2
                          SHA-256:D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
                          SHA-512:485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
                          Malicious:false
                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..

                          C:\Users\user\AppData\Local\Temp\2d_PCX.ico

                          Download File
                          Process:C:\Users\user\Desktop\Halkbank_Ekstre_20220525_103511_102798 (2).exe
                          File Type:MS Windows icon resource - 2 icons, 16x16, 8 bits/pixel, 32x32, 8 bits/pixel
                          Category:dropped
                          Size (bytes):3638
                          Entropy (8bit):4.006295621141125
                          Encrypted:false
                          SSDEEP:48:aGOta08t7E/gbN1pv6ujgtYCOta08t7E/gbN1pv6uOlSKYHqYqzV5j1NuWo4:aGOtJyg4DJtCOtJyg4DMlSKYHqYyVPNL
                          MD5:A47C532994D54721910BD8A3090B38CC
                          SHA1:3280E39B6FA2CF411AAB9DCD094A30B3B37DDA65
                          SHA-256:37E928B01C35FE4EF51DC141A0A84944D25421A51BAC114972954F91F228269F
                          SHA-512:0029B4A24EFC220E744020EF173160708280BC66BD5AB52225335E31B18235DF378DDD2C582A21888C17212E5979F54FA8011803400118A115C10A76EB02BB96
                          Malicious:false
                          Preview:..............h...&... ..............(....... ...........@..................................................................................""".))).UUU.MMM.BBB.999..|..PP........................3...f..........3...33..3f..3...3...3...f...f3..ff..f...f...f........3...f...................3...f..............f.........3...3.3.3.f.3...3...3...33..333.33f.33..33..33..3f..3f3.3ff.3f..3f..3f..3...3.3.3.f.3...3...3...3...3.3.3.f.3..3...3...3.3.3.f.3...3...3...f...f.3.f.f.f...f...f...f3..f33.f3f.f3..f3..f3..ff..ff3.fff.ff..ff..f...f.3.f.f.f...f...f...f...f.3.f..f...f...f...f.3.f...f................3...............33...f..3.......f...f3..3f..f...f...3....3...f...................3.f.f..................3...f...................3...f..........3...33..3f..3...3...3...f...f3..ff..f...f...f......3..f................3...f..................3...f...............3...f......3...33..3f..3...3...3...f...f3..ff..f...f...f........3...f...................3...f..............3...f.........ff..f.f.f....f

                          C:\Users\user\AppData\Roaming\firefox\firefox.exe

                          Download File
                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                          File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                          Category:dropped
                          Size (bytes):64616
                          Entropy (8bit):6.037264560032456
                          Encrypted:false
                          SSDEEP:768:J8XcJiMjm2ieHlPyCsSuJbn8dBhFVBSMQ6Iq8TSYDKpgLaDViRLNdr:9YMaNylPYSAb8dBnTHv8DKKaDVkX
                          MD5:6FD7592411112729BF6B1F2F6C34899F
                          SHA1:5E5C839726D6A43C478AB0B95DBF52136679F5EA
                          SHA-256:FFE4480CCC81B061F725C54587E9D1BA96547D27FE28083305D75796F2EB3E74
                          SHA-512:21EFCC9DEE3960F1A64C6D8A44871742558666BB792D77ACE91236C7DBF42A6CA77086918F363C4391D9C00904C55A952E2C18BE5FA1A67A509827BFC630070D
                          Malicious:true
                          Antivirus:
                          • Antivirus: Metadefender, Detection: 0%, Browse
                          • Antivirus: ReversingLabs, Detection: 0%
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...xX.Z..............0.............^.... ........@.. ....................... ............`.....................................O.......8...............h>........................................................... ............... ..H............text...d.... ...................... ..`.rsrc...8...........................@..@.reloc..............................@..B................@.......H........A...p..........T................................................~P...-.r...p.....(....(....s.....P...*..0.."........(......-.r...p.rI..p(....s....z.*...0..........(....~P.....o......*..(....*n(.....(..........%...(....*~(.....(..........%...%...(....*.(.....(..........%...%...%...(....*V.(......}Q.....}R...*..{Q...*..{R...*...0...........(.......i.=...}S......i.@...}T......i.@...}U.....+m...(....o .....r]..p.o!...,..{T.......{U........o"....+(.ra..p.o!...,..{T.......

                          C:\Users\user\AppData\Roaming\xj1musnl.dy5\Chrome\Default\Cookies

                          Download File
                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                          File Type:SQLite 3.x database, last written using SQLite version 3032001
                          Category:dropped
                          Size (bytes):20480
                          Entropy (8bit):0.7006690334145785
                          Encrypted:false
                          SSDEEP:24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBoe9H6pf1H1oNQ:T5LLOpEO5J/Kn7U1uBobfvoNQ
                          MD5:A7FE10DA330AD03BF22DC9AC76BBB3E4
                          SHA1:1805CB7A2208BAEFF71DCB3FE32DB0CC935CF803
                          SHA-256:8D6B84A96429B5C672838BF431A47EC59655E561EBFBB4E63B46351D10A7AAD8
                          SHA-512:1DBE27AED6E1E98E9F82AC1F5B774ACB6F3A773BEB17B66C2FB7B89D12AC87A6D5B716EF844678A5417F30EE8855224A8686A135876AB4C0561B3C6059E635C7
                          Malicious:false
                          Preview:SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                          \Device\ConDrv

                          Download File
                          Process:C:\Users\user\AppData\Roaming\firefox\firefox.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):1049
                          Entropy (8bit):4.2989523990568035
                          Encrypted:false
                          SSDEEP:24:z3U3g4DO/0XZd3Wo3opQ5ZKBQFYVgt7ovrNOYlK:zEw4DBXZxo4ABV+SrUYE
                          MD5:970EE6AEAB63008333D1D883327DA660
                          SHA1:A71E19F66886B1888A183BA1777A23FABAE9822E
                          SHA-256:D270D397EB3CF1173D25795834B240466EFEE213E11B1B31CDC101015AFFCAD9
                          SHA-512:EB49AEE1B4524E6F15C08345A380D7D28DC845DEBA5408A7D034F2F7F5A652C8A2E2FF293BFB307DE87DCC2FAA111BA3BE8BEF9C4752A73DE1835DCD844D39BB
                          Malicious:false
                          Preview:Microsoft .NET Framework Assembly Registration Utility version 4.7.3056.0..for Microsoft .NET Framework version 4.7.3056.0..Copyright (C) Microsoft Corporation. All rights reserved.....Syntax: RegAsm AssemblyName [Options]..Options:.. /unregister Unregister types.. /tlb[:FileName] Export the assembly to the specified type library.. and register it.. /regfile[:FileName] Generate a reg file with the specified name.. instead of registering the types. This option.. cannot be used with the /u or /tlb options.. /codebase Set the code base in the registry.. /registered Only refer to already registered type libraries.. /asmpath:Directory Look for assembly references here.. /nologo Prevents RegAsm from displaying logo.. /silent Silent mode. Prevents displaying of success messages.. /verbose Displays extra information..

                          Static File Info

                          General

                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                          Entropy (8bit):7.478277182957586
                          TrID:
                          • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                          • Win32 Executable (generic) a (10002005/4) 49.78%
                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                          • Generic Win/DOS Executable (2004/3) 0.01%
                          • DOS Executable Generic (2002/1) 0.01%
                          File name:Halkbank_Ekstre_20220525_103511_102798 (2).exe
                          File size:345088
                          MD5:91b701f0faa2e791ceab8875d57b8701
                          SHA1:61f6fc240b0632720f161a5eb1cdc427a3ebc170
                          SHA256:9e0ff5207d60d3a7717e906eabff7fe2143f63c820e670d6fd98f0a40a393aec
                          SHA512:9a6b1cb99930a9c26a2509b43a20d735afcc6af296540bbe9e5353d4f33088434b55de33b3f779840e8bba583ac52bfa148b9fe94d6233f2cae26ebbee6291c3
                          SSDEEP:6144:y3i3XmJhC2i9+gFkc/aTJteJ8TQqHtg7RHtulU3Q/s9VBCNCTzS2N:y3i3XwC2i9iEBqHkoYQk9Xc1
                          TLSH:D774024863DCAD47D29D0FFB88D142682361D839AB8BE70F6E94921D04343DF9A52B4F
                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...F..b............................4.... ........@.. ....................................@................................

                          File Icon

                          Icon Hash:c8a2f0f074bc5e06

                          Static PE Info

                          General

                          Entrypoint:0x44d034
                          Entrypoint Section:.text
                          Digitally signed:false
                          Imagebase:0x400000
                          Subsystem:windows gui
                          Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                          DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                          Time Stamp:0x628DB046 [Wed May 25 04:27:50 2022 UTC]
                          TLS Callbacks:
                          CLR (.Net) Version:v4.0.30319
                          OS Version Major:4
                          OS Version Minor:0
                          File Version Major:4
                          File Version Minor:0
                          Subsystem Version Major:4
                          Subsystem Version Minor:0
                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                          Entrypoint Preview

                          Instruction
                          jmp dword ptr [00402000h]
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al

                          Data Directories

                          NameVirtual AddressVirtual Size Is in Section
                          IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                          IMAGE_DIRECTORY_ENTRY_IMPORT0x4cfea0x4a.text
                          IMAGE_DIRECTORY_ENTRY_RESOURCE0x4e0000x8dfa.rsrc
                          IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                          IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                          IMAGE_DIRECTORY_ENTRY_BASERELOC0x580000xc.reloc
                          IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                          IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                          IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                          IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                          Sections

                          NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                          .text0x20000x4b03a0x4b200False0.865757591514data7.75452715389IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                          .rsrc0x4e0000x8dfa0x8e00False0.285128741197data3.80639650782IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                          .reloc0x580000xc0x200False0.044921875data0.101910425663IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                          Resources

                          NameRVASizeTypeLanguageCountry
                          RT_ICON0x4e08c0x4228dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294967295, next used block 4294961151
                          RT_ICON0x522d80x25a8data
                          RT_ICON0x548a40x10a8data
                          RT_ICON0x559700x988data
                          RT_ICON0x5631c0x468GLS_BINARY_LSB_FIRST
                          RT_GROUP_ICON0x567c00x4cdata
                          RT_VERSION0x568480x37cdata
                          RT_MANIFEST0x56c000x1faXML 1.0 document, ASCII text, with very long lines, with no line terminators

                          Imports

                          DLLImport
                          mscoree.dll_CorExeMain

                          Version Infos

                          DescriptionData
                          LegalCopyright 2011-2022 Pete Batard (GPL v3)
                          InternalNameRufus
                          FileVersion3.18.1877
                          CompanyNameAkeo Consulting
                          LegalTrademarkshttps://www.gnu.org/licenses/gpl-3.0.html
                          Commentshttps://rufus.ie
                          ProductNameRufus
                          ProductVersion3.18.1877
                          FileDescriptionRufus
                          OriginalFilenamerufus-3.18.exe
                          Translation0x0000 0x04b0

                          Network Behavior

                          Network Port Distribution

                          TCP Packets

                          TimestampSource PortDest PortSource IPDest IP
                          May 27, 2022 17:37:28.791698933 CEST49758587192.168.2.4110.173.135.85
                          May 27, 2022 17:37:29.054847956 CEST58749758110.173.135.85192.168.2.4
                          May 27, 2022 17:37:29.055025101 CEST49758587192.168.2.4110.173.135.85
                          May 27, 2022 17:37:30.317190886 CEST58749758110.173.135.85192.168.2.4
                          May 27, 2022 17:37:30.317625046 CEST49758587192.168.2.4110.173.135.85
                          May 27, 2022 17:37:30.579428911 CEST58749758110.173.135.85192.168.2.4
                          May 27, 2022 17:37:30.627140999 CEST49758587192.168.2.4110.173.135.85
                          May 27, 2022 17:37:30.896048069 CEST58749758110.173.135.85192.168.2.4
                          May 27, 2022 17:37:31.004213095 CEST49758587192.168.2.4110.173.135.85
                          May 27, 2022 17:37:31.017126083 CEST49758587192.168.2.4110.173.135.85
                          May 27, 2022 17:37:31.303564072 CEST58749758110.173.135.85192.168.2.4
                          May 27, 2022 17:37:31.303601027 CEST58749758110.173.135.85192.168.2.4
                          May 27, 2022 17:37:31.303621054 CEST58749758110.173.135.85192.168.2.4
                          May 27, 2022 17:37:31.303642035 CEST58749758110.173.135.85192.168.2.4
                          May 27, 2022 17:37:31.303649902 CEST49758587192.168.2.4110.173.135.85
                          May 27, 2022 17:37:31.303658962 CEST58749758110.173.135.85192.168.2.4
                          May 27, 2022 17:37:31.303702116 CEST49758587192.168.2.4110.173.135.85
                          May 27, 2022 17:37:31.309731960 CEST58749758110.173.135.85192.168.2.4
                          May 27, 2022 17:37:31.366477013 CEST49758587192.168.2.4110.173.135.85
                          May 27, 2022 17:37:31.626732111 CEST58749758110.173.135.85192.168.2.4
                          May 27, 2022 17:37:31.707359076 CEST49758587192.168.2.4110.173.135.85
                          May 27, 2022 17:37:31.809731960 CEST49758587192.168.2.4110.173.135.85
                          May 27, 2022 17:37:32.069454908 CEST58749758110.173.135.85192.168.2.4
                          May 27, 2022 17:37:32.163702965 CEST49758587192.168.2.4110.173.135.85
                          May 27, 2022 17:37:32.424072981 CEST58749758110.173.135.85192.168.2.4
                          May 27, 2022 17:37:32.425036907 CEST49758587192.168.2.4110.173.135.85
                          May 27, 2022 17:37:32.690483093 CEST58749758110.173.135.85192.168.2.4
                          May 27, 2022 17:37:32.691478014 CEST49758587192.168.2.4110.173.135.85
                          May 27, 2022 17:37:32.951251984 CEST58749758110.173.135.85192.168.2.4
                          May 27, 2022 17:37:32.951808929 CEST49758587192.168.2.4110.173.135.85
                          May 27, 2022 17:37:33.234618902 CEST58749758110.173.135.85192.168.2.4
                          May 27, 2022 17:37:33.258338928 CEST49758587192.168.2.4110.173.135.85
                          May 27, 2022 17:37:33.518134117 CEST58749758110.173.135.85192.168.2.4
                          May 27, 2022 17:37:33.519098043 CEST49758587192.168.2.4110.173.135.85
                          May 27, 2022 17:37:33.519249916 CEST49758587192.168.2.4110.173.135.85
                          May 27, 2022 17:37:33.519964933 CEST49758587192.168.2.4110.173.135.85
                          May 27, 2022 17:37:33.520773888 CEST49758587192.168.2.4110.173.135.85
                          May 27, 2022 17:37:33.778630972 CEST58749758110.173.135.85192.168.2.4
                          May 27, 2022 17:37:33.778671026 CEST58749758110.173.135.85192.168.2.4
                          May 27, 2022 17:37:33.779035091 CEST58749758110.173.135.85192.168.2.4
                          May 27, 2022 17:37:33.779928923 CEST58749758110.173.135.85192.168.2.4
                          May 27, 2022 17:37:33.797013044 CEST58749758110.173.135.85192.168.2.4
                          May 27, 2022 17:37:33.895137072 CEST49758587192.168.2.4110.173.135.85
                          May 27, 2022 17:37:34.893861055 CEST49758587192.168.2.4110.173.135.85
                          May 27, 2022 17:37:35.192838907 CEST58749758110.173.135.85192.168.2.4
                          May 27, 2022 17:37:35.670054913 CEST58749758110.173.135.85192.168.2.4
                          May 27, 2022 17:37:35.683948040 CEST49758587192.168.2.4110.173.135.85
                          May 27, 2022 17:37:35.741767883 CEST49762587192.168.2.4110.173.135.85
                          May 27, 2022 17:37:36.001494884 CEST58749762110.173.135.85192.168.2.4
                          May 27, 2022 17:37:36.001614094 CEST49762587192.168.2.4110.173.135.85
                          May 27, 2022 17:37:36.512365103 CEST58749762110.173.135.85192.168.2.4
                          May 27, 2022 17:37:36.521183014 CEST49762587192.168.2.4110.173.135.85
                          May 27, 2022 17:37:36.781204939 CEST58749762110.173.135.85192.168.2.4
                          May 27, 2022 17:37:36.781443119 CEST49762587192.168.2.4110.173.135.85
                          May 27, 2022 17:37:37.045120001 CEST58749762110.173.135.85192.168.2.4
                          May 27, 2022 17:37:37.057574987 CEST49762587192.168.2.4110.173.135.85
                          May 27, 2022 17:37:37.328577995 CEST58749762110.173.135.85192.168.2.4
                          May 27, 2022 17:37:37.328605890 CEST58749762110.173.135.85192.168.2.4
                          May 27, 2022 17:37:37.328618050 CEST58749762110.173.135.85192.168.2.4
                          May 27, 2022 17:37:37.328632116 CEST58749762110.173.135.85192.168.2.4
                          May 27, 2022 17:37:37.328644991 CEST58749762110.173.135.85192.168.2.4
                          May 27, 2022 17:37:37.328861952 CEST49762587192.168.2.4110.173.135.85
                          May 27, 2022 17:37:37.332777023 CEST58749762110.173.135.85192.168.2.4
                          May 27, 2022 17:37:37.335592985 CEST49762587192.168.2.4110.173.135.85
                          May 27, 2022 17:37:37.595478058 CEST58749762110.173.135.85192.168.2.4
                          May 27, 2022 17:37:37.599920034 CEST49762587192.168.2.4110.173.135.85
                          May 27, 2022 17:37:37.859627008 CEST58749762110.173.135.85192.168.2.4
                          May 27, 2022 17:37:37.860196114 CEST49762587192.168.2.4110.173.135.85
                          May 27, 2022 17:37:38.120975971 CEST58749762110.173.135.85192.168.2.4
                          May 27, 2022 17:37:38.125422001 CEST49762587192.168.2.4110.173.135.85
                          May 27, 2022 17:37:38.390629053 CEST58749762110.173.135.85192.168.2.4
                          May 27, 2022 17:37:38.394515038 CEST49762587192.168.2.4110.173.135.85
                          May 27, 2022 17:37:38.654273987 CEST58749762110.173.135.85192.168.2.4
                          May 27, 2022 17:37:38.707931995 CEST49762587192.168.2.4110.173.135.85
                          May 27, 2022 17:37:38.942825079 CEST49762587192.168.2.4110.173.135.85
                          May 27, 2022 17:37:39.212887049 CEST58749762110.173.135.85192.168.2.4
                          May 27, 2022 17:37:39.395549059 CEST49762587192.168.2.4110.173.135.85
                          May 27, 2022 17:37:39.799721003 CEST49762587192.168.2.4110.173.135.85
                          May 27, 2022 17:37:40.059518099 CEST58749762110.173.135.85192.168.2.4
                          May 27, 2022 17:37:40.088898897 CEST49762587192.168.2.4110.173.135.85
                          May 27, 2022 17:37:40.089103937 CEST49762587192.168.2.4110.173.135.85
                          May 27, 2022 17:37:40.089250088 CEST49762587192.168.2.4110.173.135.85
                          May 27, 2022 17:37:40.089396954 CEST49762587192.168.2.4110.173.135.85
                          May 27, 2022 17:37:40.089610100 CEST49762587192.168.2.4110.173.135.85
                          May 27, 2022 17:37:40.089744091 CEST49762587192.168.2.4110.173.135.85
                          May 27, 2022 17:37:40.089849949 CEST49762587192.168.2.4110.173.135.85
                          May 27, 2022 17:37:40.089955091 CEST49762587192.168.2.4110.173.135.85
                          May 27, 2022 17:37:40.355950117 CEST58749762110.173.135.85192.168.2.4
                          May 27, 2022 17:37:40.355974913 CEST58749762110.173.135.85192.168.2.4
                          May 27, 2022 17:37:40.355987072 CEST58749762110.173.135.85192.168.2.4
                          May 27, 2022 17:37:40.356039047 CEST58749762110.173.135.85192.168.2.4
                          May 27, 2022 17:37:40.356164932 CEST58749762110.173.135.85192.168.2.4
                          May 27, 2022 17:37:40.356235981 CEST58749762110.173.135.85192.168.2.4
                          May 27, 2022 17:37:40.356273890 CEST58749762110.173.135.85192.168.2.4
                          May 27, 2022 17:37:40.356355906 CEST58749762110.173.135.85192.168.2.4
                          May 27, 2022 17:37:40.367314100 CEST58749762110.173.135.85192.168.2.4
                          May 27, 2022 17:37:40.505058050 CEST49762587192.168.2.4110.173.135.85
                          May 27, 2022 17:39:08.330204010 CEST49762587192.168.2.4110.173.135.85
                          May 27, 2022 17:39:08.629039049 CEST58749762110.173.135.85192.168.2.4
                          May 27, 2022 17:39:09.144968033 CEST58749762110.173.135.85192.168.2.4

                          UDP Packets

                          TimestampSource PortDest PortSource IPDest IP
                          May 27, 2022 17:37:28.318325043 CEST6050653192.168.2.48.8.8.8
                          May 27, 2022 17:37:28.722477913 CEST53605068.8.8.8192.168.2.4
                          May 27, 2022 17:37:35.719588041 CEST6075853192.168.2.48.8.8.8
                          May 27, 2022 17:37:35.737097979 CEST53607588.8.8.8192.168.2.4

                          DNS Queries

                          TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                          May 27, 2022 17:37:28.318325043 CEST192.168.2.48.8.8.80xe338Standard query (0)mail.gowiththegecko.com.auA (IP address)IN (0x0001)
                          May 27, 2022 17:37:35.719588041 CEST192.168.2.48.8.8.80x9d0aStandard query (0)mail.gowiththegecko.com.auA (IP address)IN (0x0001)

                          DNS Answers

                          TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                          May 27, 2022 17:37:28.722477913 CEST8.8.8.8192.168.2.40xe338No error (0)mail.gowiththegecko.com.au110.173.135.85A (IP address)IN (0x0001)
                          May 27, 2022 17:37:35.737097979 CEST8.8.8.8192.168.2.40x9d0aNo error (0)mail.gowiththegecko.com.au110.173.135.85A (IP address)IN (0x0001)

                          SMTP Packets

                          TimestampSource PortDest PortSource IPDest IPCommands
                          May 27, 2022 17:37:30.317190886 CEST58749758110.173.135.85192.168.2.4220-v90894.dpvps.com.au ESMTP Exim 4.95 #2 Sat, 28 May 2022 01:37:30 +1000
                          220-We do not authorize the use of this system to transport unsolicited,
                          220 and/or bulk e-mail.
                          May 27, 2022 17:37:30.317625046 CEST49758587192.168.2.4110.173.135.85EHLO 921702
                          May 27, 2022 17:37:30.579428911 CEST58749758110.173.135.85192.168.2.4250-v90894.dpvps.com.au Hello 921702 [102.129.143.42]
                          250-SIZE 52428800
                          250-8BITMIME
                          250-PIPELINING
                          250-PIPE_CONNECT
                          250-STARTTLS
                          250 HELP
                          May 27, 2022 17:37:30.627140999 CEST49758587192.168.2.4110.173.135.85STARTTLS
                          May 27, 2022 17:37:30.896048069 CEST58749758110.173.135.85192.168.2.4220 TLS go ahead
                          May 27, 2022 17:37:36.512365103 CEST58749762110.173.135.85192.168.2.4220-v90894.dpvps.com.au ESMTP Exim 4.95 #2 Sat, 28 May 2022 01:37:36 +1000
                          220-We do not authorize the use of this system to transport unsolicited,
                          220 and/or bulk e-mail.
                          May 27, 2022 17:37:36.521183014 CEST49762587192.168.2.4110.173.135.85EHLO 921702
                          May 27, 2022 17:37:36.781204939 CEST58749762110.173.135.85192.168.2.4250-v90894.dpvps.com.au Hello 921702 [102.129.143.42]
                          250-SIZE 52428800
                          250-8BITMIME
                          250-PIPELINING
                          250-PIPE_CONNECT
                          250-STARTTLS
                          250 HELP
                          May 27, 2022 17:37:36.781443119 CEST49762587192.168.2.4110.173.135.85STARTTLS
                          May 27, 2022 17:37:37.045120001 CEST58749762110.173.135.85192.168.2.4220 TLS go ahead

                          Statistics

                          Behavior

                          Click to jump to process

                          System Behavior

                          General

                          Target ID:0
                          Start time:17:37:03
                          Start date:27/05/2022
                          Path:C:\Users\user\Desktop\Halkbank_Ekstre_20220525_103511_102798 (2).exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\Desktop\Halkbank_Ekstre_20220525_103511_102798 (2).exe"
                          Imagebase:0x760000
                          File size:345088 bytes
                          MD5 hash:91B701F0FAA2E791CEAB8875D57B8701
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:.Net C# or VB.NET
                          Yara matches:
                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.306509807.0000000003A89000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.306509807.0000000003A89000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000000.275002773.0000000003A89000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000000.275002773.0000000003A89000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000000.288517970.0000000003A89000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000000.288517970.0000000003A89000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          Reputation:low

                          General

                          Target ID:1
                          Start time:17:37:04
                          Start date:27/05/2022
                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                          Imagebase:0x580000
                          File size:64616 bytes
                          MD5 hash:6FD7592411112729BF6B1F2F6C34899F
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:.Net C# or VB.NET
                          Yara matches:
                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000000.257294583.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000000.257294583.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000000.255656425.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000000.255656425.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000000.256552993.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000000.256552993.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.773543495.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000002.773543495.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000000.257741939.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000000.257741939.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.775664989.0000000002841000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.775664989.0000000002841000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          Reputation:high

                          General

                          Target ID:8
                          Start time:17:37:24
                          Start date:27/05/2022
                          Path:C:\Windows\SysWOW64\WerFault.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 2284 -s 1304
                          Imagebase:0xa80000
                          File size:434592 bytes
                          MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          General

                          Target ID:9
                          Start time:17:37:24
                          Start date:27/05/2022
                          Path:C:\Windows\SysWOW64\WerFault.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 2284 -s 1304
                          Imagebase:0xa80000
                          File size:434592 bytes
                          MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:.Net C# or VB.NET
                          Reputation:high

                          General

                          Target ID:17
                          Start time:17:37:38
                          Start date:27/05/2022
                          Path:C:\Users\user\AppData\Roaming\firefox\firefox.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\AppData\Roaming\firefox\firefox.exe"
                          Imagebase:0xf80000
                          File size:64616 bytes
                          MD5 hash:6FD7592411112729BF6B1F2F6C34899F
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:.Net C# or VB.NET
                          Antivirus matches:
                          • Detection: 0%, Metadefender, Browse
                          • Detection: 0%, ReversingLabs
                          Reputation:high

                          General

                          Target ID:18
                          Start time:17:37:41
                          Start date:27/05/2022
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff647620000
                          File size:625664 bytes
                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          Disassembly

                          No disassembly