
Windows Analysis Report Ziraat Bankasi Swift Mesaji.exe

Overview

General Information

Sample Name: Ziraat Bankasi Swift Mesaji.exe
Analysis ID: 553162
MD5: bb5ab5b4895da7f1eddbaf67d7fe6067
SHA1: 8fcfc099505b7d825f8176af5d2a0dedfd7f39f2
SHA256: c274f37d52a6ef7300164ed5c964426b853c7cd3938310a10211439a4b5413ba
Tags: exe, Formbook, geo, TUR, ZiraatBank

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Machine Learning detection for sample
Performs DNS queries to domains with low reputation
Self deletion via cmd delete
Injects a PE file into a foreign process
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read data from the clipboard

Classification

Process Tree

  • System is w10x64
  • Ziraat Bankasi Swift Mesaji.exe (PID: 2940 cmdline: "C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe" MD5: BB5AB5B4895DA7F1EDDBAF67D7FE6067)
    • Ziraat Bankasi Swift Mesaji.exe (PID: 4652 cmdline: "C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe" MD5: BB5AB5B4895DA7F1EDDBAF67D7FE6067)
      • explorer.exe (PID: 3440 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • colorcpl.exe (PID: 4552 cmdline: C:\Windows\SysWOW64\colorcpl.exe MD5: 746F3B5E7652EA0766BA10414D317981)
          • cmd.exe (PID: 6256 cmdline: /c del "C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • explorer.exe (PID: 6468 cmdline: "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS MD5: AD5296B280E8F522A8A897C96BAB0E1D)
  • explorer.exe (PID: 728 cmdline: "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS MD5: AD5296B280E8F522A8A897C96BAB0E1D)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.freedomwoofpackcom.com/a0p6/"], "decoy": ["taxlaws.info", "porn-star-depot.com", "cpf-comptes.com", "metropark.xyz", "transformselfhypnosis.com", "wu8g8aerxgjr.xyz", "jingzhouhan.net", "granicors.com", "monografiaonline.com", "4972hillcrestdrive.com", "gridironagriculturist.com", "xtrasomething.com", "scbndirects.com", "agglutinatesmicromanagers.xyz", "butsuyokulog.xyz", "parttimejobsinuk.site", "kriylzf.xyz", "sinashakib.com", "hpessoa.website", "interscopealbums.com", "bathandlicious.com", "jrowlandmarketing.com", "okforbk.com", "xjbyctc.com", "vitospark.com", "threewisewords.com", "antonioloiodice.com", "fastvpnreward.com", "baamusa.com", "yanatransportationsrvs.net", "ol0vdw.xyz", "climbingtreehollow.com", "barterlinealarmselect.com", "integrant.xyz", "nepalgci.com", "wu8j3tx49l5a.xyz", "surpmel.xyz", "autocarbying101.com", "otakusofneverland.com", "pawsitiveclosings.com", "h9220.com", "newshaiya.com", "progressiveprizes.com", "groovybingo.com", "iconuncle.com", "icon-club-dxb.com", "ruokanetti.com", "cooperjss.com", "governorperdue.com", "brfujdersomngreqt.com", "bcubnk.com", "digitalmedicinetechnologies.com", "logiqtrading.com", "anti-tfboys.com", "aterliercarbon.com", "wesovereign.com", "wein-quadrat.com", "www37118.com", "morethanalittlemarley.com", "coslogenex.com", "bondic-listjournal.com", "choicesidownloadnv.com", "ys688.xyz", "nftrack.xyz"]}

Yara Overview

Memory Dumps

Source: 00000003.00000001.376553796.0000000000400000.00000040.00020000.sdmp
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Source: 00000003.00000001.376553796.0000000000400000.00000040.00020000.sdmp
Rule: Formbook_1
Description: autogenerated rule brought to you by yara-signator
Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
    • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 00000003.00000001.376553796.0000000000400000.00000040.00020000.sdmp
Rule: Formbook
Description: detect Formbook in memory
Author: JPCERT/CC Incident Response Group
Strings:
    • 0x18849:$sqlite3step: 68 34 1C 7B E1
    • 0x1895c:$sqlite3step: 68 34 1C 7B E1
    • 0x18878:$sqlite3text: 68 38 2A 90 C5
    • 0x1899d:$sqlite3text: 68 38 2A 90 C5
    • 0x1888b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
Source: 00000003.00000002.436846842.0000000000490000.00000040.00020000.sdmp
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Source: 00000003.00000002.436846842.0000000000490000.00000040.00020000.sdmp
Rule: Formbook_1
Description: autogenerated rule brought to you by yara-signator
Author: Felix Bilstein - yara-signator at cocacoding dot com

Unpacked PEs

Source: 3.1.Ziraat Bankasi Swift Mesaji.exe.400000.0.raw.unpack
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Source: 3.1.Ziraat Bankasi Swift Mesaji.exe.400000.0.raw.unpack
Rule: Formbook_1
Description: autogenerated rule brought to you by yara-signator
Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.1.Ziraat Bankasi Swift Mesaji.exe.400000.0.raw.unpack
Rule: Formbook
Description: detect Formbook in memory
Author: JPCERT/CC Incident Response Group
Source: 3.0.Ziraat Bankasi Swift Mesaji.exe.400000.3.raw.unpack
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Source: 3.0.Ziraat Bankasi Swift Mesaji.exe.400000.3.raw.unpack
Rule: Formbook_1
Description: autogenerated rule brought to you by yara-signator
Author: Felix Bilstein - yara-signator at cocacoding dot com

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000003.00000001.376553796.0000000000400000.00000040.00020000.sdmp; Malware Configuration Extractor: FormBook {"C2 list": ["www.freedomwoofpackcom.com/a0p6/"], "decoy": ["taxlaws.info", "porn-star-depot.com", "cpf-comptes.com", "metropark.xyz", "transformselfhypnosis.com", "wu8g8aerxgjr.xyz", "jingzhouhan.net", "granicors.com", "monografiaonline.com", "4972hillcrestdrive.com", "gridironagriculturist.com", "xtrasomething.com", "scbndirects.com", "agglutinatesmicromanagers.xyz", "butsuyokulog.xyz", "parttimejobsinuk.site", "kriylzf.xyz", "sinashakib.com", "hpessoa.website", "interscopealbums.com", "bathandlicious.com", "jrowlandmarketing.com", "okforbk.com", "xjbyctc.com", "vitospark.com", "threewisewords.com", "antonioloiodice.com", "fastvpnreward.com", "baamusa.com", "yanatransportationsrvs.net", "ol0vdw.xyz", "climbingtreehollow.com", "barterlinealarmselect.com", "integrant.xyz", "nepalgci.com", "wu8j3tx49l5a.xyz", "surpmel.xyz", "autocarbying101.com", "otakusofneverland.com", "pawsitiveclosings.com", "h9220.com", "newshaiya.com", "progressiveprizes.com", "groovybingo.com", "iconuncle.com", "icon-club-dxb.com", "ruokanetti.com", "cooperjss.com", "governorperdue.com", "brfujdersomngreqt.com", "bcubnk.com", "digitalmedicinetechnologies.com", "logiqtrading.com", "anti-tfboys.com", "aterliercarbon.com", "wesovereign.com", "wein-quadrat.com", "www37118.com", "morethanalittlemarley.com", "coslogenex.com", "bondic-listjournal.com", "choicesidownloadnv.com", "ys688.xyz", "nftrack.xyz"]}
Multi AV Scanner detection for submitted file
Source: Ziraat Bankasi Swift Mesaji.exe; ReversingLabs: Detection: 32%
Yara detected FormBook
Source: Yara match; File source: 3.1.Ziraat Bankasi Swift Mesaji.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.0.Ziraat Bankasi Swift Mesaji.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.1.Ziraat Bankasi Swift Mesaji.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.Ziraat Bankasi Swift Mesaji.exe.3050000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.Ziraat Bankasi Swift Mesaji.exe.3050000.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.0.Ziraat Bankasi Swift Mesaji.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.Ziraat Bankasi Swift Mesaji.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.0.Ziraat Bankasi Swift Mesaji.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.0.Ziraat Bankasi Swift Mesaji.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.Ziraat Bankasi Swift Mesaji.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.0.Ziraat Bankasi Swift Mesaji.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000003.00000001.376553796.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.436846842.0000000000490000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000000.412084086.000000000F0C5000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.377484332.0000000003050000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000002.647118949.0000000000880000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000000.374508026.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000000.375573868.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.436931041.00000000004C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000002.649679782.00000000010F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.436115346.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000002.649486951.00000000010C0000.00000040.00020000.sdmp, type: MEMORY
Machine Learning detection for sample
Source: Ziraat Bankasi Swift Mesaji.exe; Joe Sandbox ML: detected
Source: 1.2.Ziraat Bankasi Swift Mesaji.exe.3050000.4.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.1.Ziraat Bankasi Swift Mesaji.exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 11.2.colorcpl.exe.4def840.4.unpack; Avira: Label: TR/Patched.Ren.Gen
Source: 19.0.explorer.exe.bacf840.1.unpack; Avira: Label: TR/Patched.Ren.Gen
Source: 3.0.Ziraat Bankasi Swift Mesaji.exe.400000.1.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.2.Ziraat Bankasi Swift Mesaji.exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.0.Ziraat Bankasi Swift Mesaji.exe.400000.2.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.0.Ziraat Bankasi Swift Mesaji.exe.400000.3.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 11.2.colorcpl.exe.b02338.0.unpack; Avira: Label: TR/Patched.Ren.Gen
Source: 33.2.explorer.exe.c07f840.1.unpack; Avira: Label: TR/Patched.Ren.Gen
Source: Ziraat Bankasi Swift Mesaji.exe; Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: Binary string: P:\Target\x64\ship\groove\x-none\grooveex.pdbeex.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 source: explorer.exe, 00000021.00000002.671936915.00007FFD77A61000.00000020.00020000.sdmp
          Source: Binary string: P:\Target\x64\ship\groove\x-none\grooveex.pdb source: explorer.exe, 00000021.00000002.671936915.00007FFD77A61000.00000020.00020000.sdmp
          Source: Binary string: colorcpl.pdbGCTL source: Ziraat Bankasi Swift Mesaji.exe, 00000003.00000002.443717751.0000000002690000.00000040.00020000.sdmp
          Source: Binary string: colorcpl.pdb source: Ziraat Bankasi Swift Mesaji.exe, 00000003.00000002.443717751.0000000002690000.00000040.00020000.sdmp
          Source: Binary string: wntdll.pdbUGP source: Ziraat Bankasi Swift Mesaji.exe, 00000001.00000003.373865869.0000000003220000.00000004.00000001.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000001.00000003.369473393.0000000003090000.00000004.00000001.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000003.00000003.378024308.00000000008D0000.00000004.00000001.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000003.00000002.439246508.0000000000A70000.00000040.00000001.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000003.00000002.439988472.0000000000B8F000.00000040.00000001.sdmp, colorcpl.exe, 0000000B.00000002.651505776.00000000048C0000.00000040.00000001.sdmp, colorcpl.exe, 0000000B.00000002.653152419.00000000049DF000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: Ziraat Bankasi Swift Mesaji.exe, Ziraat Bankasi Swift Mesaji.exe, 00000003.00000003.378024308.00000000008D0000.00000004.00000001.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000003.00000002.439246508.0000000000A70000.00000040.00000001.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000003.00000002.439988472.0000000000B8F000.00000040.00000001.sdmp, colorcpl.exe, colorcpl.exe, 0000000B.00000002.651505776.00000000048C0000.00000040.00000001.sdmp, colorcpl.exe, 0000000B.00000002.653152419.00000000049DF000.00000040.00000001.sdmp
          Source: Binary string: eex.pdb source: explorer.exe, 00000021.00000002.671936915.00007FFD77A61000.00000020.00020000.sdmp
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe; Code function: 1_2_00405D7C FindFirstFileA,FindClose
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe; Code function: 1_2_004053AA CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe; Code function: 1_2_00402630 FindFirstFileA
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe; Code function: 3_2_0041731D 4x nop then pop esi
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe; Code function: 3_2_00407B25 4x nop then pop ebx
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe; Code function: 3_2_0040E47F 4x nop then pop edi
Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 11_2_0089731D 4x nop then pop esi
Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 11_2_00887B25 4x nop then pop ebx
Source: C:\Windows\SysWOW64\colorcpl.exe; Code function: 11_2_0088E47F 4x nop then pop edi

Networking:

Performs DNS queries to domains with low reputation
Source: DNS query: www.ys688.xyz
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: www.freedomwoofpackcom.com/a0p6/
Source: unknown; DNS traffic detected: query: www.ys688.xyz, reply code: Name error (3)
Source: unknown; DNS traffic detected: queries for: www.ys688.xyz
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe; Code function: 1_2_00404F61 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara match | File source: 3.1.Ziraat Bankasi Swift Mesaji.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 3.0.Ziraat Bankasi Swift Mesaji.exe.400000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 3.1.Ziraat Bankasi Swift Mesaji.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.Ziraat Bankasi Swift Mesaji.exe.3050000.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.Ziraat Bankasi Swift Mesaji.exe.3050000.4.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 3.0.Ziraat Bankasi Swift Mesaji.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 3.2.Ziraat Bankasi Swift Mesaji.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 3.0.Ziraat Bankasi Swift Mesaji.exe.400000.2.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 3.0.Ziraat Bankasi Swift Mesaji.exe.400000.3.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 3.2.Ziraat Bankasi Swift Mesaji.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 3.0.Ziraat Bankasi Swift Mesaji.exe.400000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000003.00000001.376553796.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.436846842.0000000000490000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000000.412084086.000000000F0C5000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.377484332.0000000003050000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000B.00000002.647118949.0000000000880000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000000.374508026.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000000.375573868.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.436931041.00000000004C0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000B.00000002.649679782.00000000010F0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.436115346.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000B.00000002.649486951.00000000010C0000.00000040.00020000.sdmp, type: MEMORY
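          The memory-dump names in the list above encode where each FormBook hit lives, and that is the triage signal: which process, at what base, and whether the region was executable. Added example (my code, not part of the Joe Sandbox report): a parser for those dump names that groups the hits per process and flags executable regions. Only the base address and the protection field (read as Windows PAGE_* constants from winnt.h) are decoded with confidence; the names I give the other fields (process index, phase, dump id, trailing flags) are assumptions about the sandbox's naming convention, not something the page documents.

```python
import re
from collections import defaultdict

# Dump names copied from the "Yara detected FormBook" list in the report.
# Process index 1 is the dropper as launched, 3 a second instance of the
# sample at the same image base, 0xB is colorcpl.exe (see the code-function
# rows later in the report); process 5 is not named on the page.
YARA_HITS = [
    "00000003.00000001.376553796.0000000000400000.00000040.00020000.sdmp",
    "00000003.00000002.436846842.0000000000490000.00000040.00020000.sdmp",
    "00000005.00000000.412084086.000000000F0C5000.00000040.00020000.sdmp",
    "00000001.00000002.377484332.0000000003050000.00000004.00000001.sdmp",
    "0000000B.00000002.647118949.0000000000880000.00000040.00020000.sdmp",
    "00000003.00000000.374508026.0000000000400000.00000040.00000001.sdmp",
    "00000003.00000000.375573868.0000000000400000.00000040.00000001.sdmp",
    "00000003.00000002.436931041.00000000004C0000.00000040.00020000.sdmp",
    "0000000B.00000002.649679782.00000000010F0000.00000004.00000001.sdmp",
    "00000003.00000002.436115346.0000000000400000.00000040.00000001.sdmp",
    "0000000B.00000002.649486951.00000000010C0000.00000040.00020000.sdmp",
]

# Windows PAGE_* protection constants (winnt.h). Assumption: the fifth
# dot-separated field of the dump name carries the region protection.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTE_MASK = 0xF0  # any of the four PAGE_EXECUTE* values

DUMP_RE = re.compile(
    r"^([0-9A-F]{8})\.([0-9A-F]{8})\.(\d+)\.([0-9A-F]{16})\.([0-9A-F]{8})\.([0-9A-F]{8})\.sdmp$"
)


def parse_dump_name(name):
    """Split <proc>.<phase>.<id>.<base>.<protect>.<flags>.sdmp into fields.

    Field names other than base and protect are assumptions (see lead-in).
    """
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name}")
    proc, phase, dump_id, base, protect, flags = m.groups()
    protect = int(protect, 16)
    return {
        "process": int(proc, 16),
        "phase": int(phase, 16),
        "id": int(dump_id),
        "base": int(base, 16),
        "protect": protect,
        "protect_name": PAGE_PROTECT.get(protect & 0xFF, f"0x{protect:x}"),
        "flags": int(flags, 16),
    }


def triage(names):
    """Group hits per process; report bases and whether any region was executable."""
    per_proc = defaultdict(list)
    for n in names:
        d = parse_dump_name(n)
        per_proc[d["process"]].append(d)
    summary = {}
    for proc, dumps in sorted(per_proc.items()):
        summary[proc] = {
            "count": len(dumps),
            "bases": sorted({d["base"] for d in dumps}),
            "executable_hit": any(d["protect"] & EXECUTE_MASK for d in dumps),
        }
    return summary


if __name__ == "__main__":
    for proc, info in triage(YARA_HITS).items():
        bases = ", ".join(f"0x{b:X}" for b in info["bases"])
        flag = "EXEC" if info["executable_hit"] else "rw only"
        print(f"process {proc:#x}: {info['count']} hit(s) at {bases} [{flag}]")
```

          On this report the summary separates the roles: process 1 (the dropper as launched) has its only hit in a PAGE_READWRITE region at 0x3050000, the decrypted payload staged before injection (it is the same region that appears as 1.2.Ziraat Bankasi Swift Mesaji.exe.3050000.4.unpack above), while processes 3, 5 and 0xB hit in PAGE_EXECUTE_READWRITE regions, which is where the payload actually runs. RWX hits in a process that should not be writing code, such as colorcpl.exe, are the ones to pull memory from first.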

          System Summary:

          Malicious sample detected (through community Yara rule)
          Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Both rules matched each of the following sources.
          Sources, type: UNPACKEDPE:
            3.1.Ziraat Bankasi Swift Mesaji.exe.400000.0.raw.unpack
            3.0.Ziraat Bankasi Swift Mesaji.exe.400000.3.raw.unpack
            3.1.Ziraat Bankasi Swift Mesaji.exe.400000.0.unpack
            1.2.Ziraat Bankasi Swift Mesaji.exe.3050000.4.raw.unpack
            1.2.Ziraat Bankasi Swift Mesaji.exe.3050000.4.unpack
            3.0.Ziraat Bankasi Swift Mesaji.exe.400000.1.unpack
            3.2.Ziraat Bankasi Swift Mesaji.exe.400000.0.unpack
            3.0.Ziraat Bankasi Swift Mesaji.exe.400000.2.unpack
            3.0.Ziraat Bankasi Swift Mesaji.exe.400000.3.unpack
            3.2.Ziraat Bankasi Swift Mesaji.exe.400000.0.raw.unpack
            3.0.Ziraat Bankasi Swift Mesaji.exe.400000.2.raw.unpack
          Sources, type: MEMORY:
            00000003.00000001.376553796.0000000000400000.00000040.00020000.sdmp
            00000003.00000002.436846842.0000000000490000.00000040.00020000.sdmp
            00000005.00000000.412084086.000000000F0C5000.00000040.00020000.sdmp
            00000001.00000002.377484332.0000000003050000.00000004.00000001.sdmp
            0000000B.00000002.647118949.0000000000880000.00000040.00020000.sdmp
            00000003.00000000.374508026.0000000000400000.00000040.00000001.sdmp
            00000003.00000000.375573868.0000000000400000.00000040.00000001.sdmp
            00000003.00000002.436931041.00000000004C0000.00000040.00020000.sdmp
            0000000B.00000002.649679782.00000000010F0000.00000004.00000001.sdmp
            00000003.00000002.436115346.0000000000400000.00000040.00000001.sdmp
            0000000B.00000002.649486951.00000000010C0000.00000040.00020000.sdmp
          Source: Ziraat Bankasi Swift Mesaji.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Both rules matched each of the following sources.
          Sources, type: UNPACKEDPE:
            3.1.Ziraat Bankasi Swift Mesaji.exe.400000.0.raw.unpack
            3.0.Ziraat Bankasi Swift Mesaji.exe.400000.3.raw.unpack
            3.1.Ziraat Bankasi Swift Mesaji.exe.400000.0.unpack
            1.2.Ziraat Bankasi Swift Mesaji.exe.3050000.4.raw.unpack
            1.2.Ziraat Bankasi Swift Mesaji.exe.3050000.4.unpack
            3.0.Ziraat Bankasi Swift Mesaji.exe.400000.1.unpack
            3.2.Ziraat Bankasi Swift Mesaji.exe.400000.0.unpack
            3.0.Ziraat Bankasi Swift Mesaji.exe.400000.2.unpack
            3.0.Ziraat Bankasi Swift Mesaji.exe.400000.3.unpack
            3.2.Ziraat Bankasi Swift Mesaji.exe.400000.0.raw.unpack
            3.0.Ziraat Bankasi Swift Mesaji.exe.400000.2.raw.unpack
          Sources, type: MEMORY:
            00000003.00000001.376553796.0000000000400000.00000040.00020000.sdmp
            00000003.00000002.436846842.0000000000490000.00000040.00020000.sdmp
            00000005.00000000.412084086.000000000F0C5000.00000040.00020000.sdmp
            00000001.00000002.377484332.0000000003050000.00000004.00000001.sdmp
            0000000B.00000002.647118949.0000000000880000.00000040.00020000.sdmp
            00000003.00000000.374508026.0000000000400000.00000040.00000001.sdmp
            00000003.00000000.375573868.0000000000400000.00000040.00000001.sdmp
            00000003.00000002.436931041.00000000004C0000.00000040.00020000.sdmp
            0000000B.00000002.649679782.00000000010F0000.00000004.00000001.sdmp
            00000003.00000002.436115346.0000000000400000.00000040.00000001.sdmp
            0000000B.00000002.649486951.00000000010C0000.00000040.00020000.sdmp
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 1_2_00403225 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 1_2_0040604C
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 1_2_00404772
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 3_2_00401030
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 3_2_0041E8F6
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 3_2_0041E5C1
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 3_2_00402D87
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 3_2_00402D90
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 3_2_00409E5B
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 3_2_00409E60
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 3_2_0041D70D
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 3_2_00402FB0
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 3_2_00AC20A0
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 3_2_00B620A8
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 3_2_00AAB090
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 3_2_00B628EC
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 3_2_00B6E824
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 3_2_00B51002
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 3_2_00AB4120
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 3_2_00A9F900
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 3_2_00B622AE
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 3_2_00ACEBB0
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 3_2_00B5DBD2
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_048F841F
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_049AD466
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_04912581
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_049B25DD
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_048FD5E0
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_049B2D07
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_048E0D20
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_049B1D55
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_049B2EF7
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_049AD616
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_04906E30
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_049BDFCE
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_049B1FF1
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_048FB090
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_049120A0
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_049B20A8
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_049B28EC
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_049A1002
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_0490A830
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_049BE824
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_049099BF
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_048EF900
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_04904120
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_049B22AE
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_0499FA2B
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_0491EBB0
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_049A03DA
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049ADBD211_2_049ADBD2
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049B2B2811_2_049B2B28
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0490AB4011_2_0490AB40
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0089E8F611_2_0089E8F6
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_00882D8711_2_00882D87
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_00882D9011_2_00882D90
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0089E5C111_2_0089E5C1
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_00889E5B11_2_00889E5B
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_00889E6011_2_00889E60
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_00882FB011_2_00882FB0
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0089D70D11_2_0089D70D
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: String function: 048EB150 appears 72 times
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 3_2_0041A360 NtCreateFile
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 3_2_0041A410 NtReadFile
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 3_2_0041A490 NtClose
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 3_2_0041A540 NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 3_2_0041A35E NtCreateFile
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 3_2_0041A3BA NtCreateFile
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 3_2_0041A40A NtReadFile
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 3_2_0041A48D NtClose
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 3_2_0041A53A NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 3_2_00AD98F0 NtReadVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 3_2_00AD9860 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 3_2_00AD9840 NtDelayExecution,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 3_2_00AD99A0 NtCreateSection,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 3_2_00AD9910 NtAdjustPrivilegesToken,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 3_2_00AD9A20 NtResumeThread,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 3_2_00AD9A00 NtProtectVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 3_2_00AD9A50 NtCreateFile,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 3_2_00AD95D0 NtClose,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 3_2_00AD9540 NtReadFile,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 3_2_00AD96E0 NtFreeVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 3_2_00AD9660 NtAllocateVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 3_2_00AD97A0 NtUnmapViewOfSection,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 3_2_00AD9780 NtMapViewOfSection,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 3_2_00AD9710 NtQueryInformationToken,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 3_2_00AD98A0 NtWriteVirtualMemory
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 3_2_00AD9820 NtEnumerateKey
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 3_2_00ADB040 NtSuspendThread
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 3_2_00AD99D0 NtCreateProcessEx
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 3_2_00AD9950 NtQueueApcThread
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 3_2_00AD9A80 NtOpenDirectoryObject
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 3_2_00AD9A10 NtQuerySection
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 3_2_00ADA3B0 NtGetContextThread
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_049295D0 NtClose,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_04929540 NtReadFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_049296D0 NtCreateKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_049296E0 NtFreeVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_04929650 NtQueryValueKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_04929660 NtAllocateVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_04929780 NtMapViewOfSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_04929FE0 NtCreateMutant,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_04929710 NtQueryInformationToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_04929840 NtDelayExecution,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_04929860 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_049299A0 NtCreateSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_04929910 NtAdjustPrivilegesToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_04929A50 NtCreateFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_049295F0 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_0492AD30 NtSetContextThread
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_04929520 NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_04929560 NtWriteFile
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_04929610 NtEnumerateValueKey
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_04929670 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_049297A0 NtUnmapViewOfSection
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_0492A710 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_04929730 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_0492A770 NtOpenThread
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_04929770 NtSetInformationFile
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_04929760 NtOpenProcess
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_049298A0 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_049298F0 NtReadVirtualMemory
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_04929820 NtEnumerateKey
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_0492B040 NtSuspendThread
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_049299D0 NtCreateProcessEx
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_04929950 NtQueueApcThread
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_04929A80 NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_04929A10 NtQuerySection
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_04929A00 NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_04929A20 NtResumeThread
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_0492A3B0 NtGetContextThread
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_04929B00 NtSetValueKey
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_0089A360 NtCreateFile
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_0089A490 NtClose
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_0089A410 NtReadFile
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_0089A540 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_0089A3BA NtCreateFile
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_0089A35E NtCreateFile
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_0089A48D NtClose
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_0089A40A NtReadFile
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_0089A53A NtAllocateVirtualMemory
          Source: Ziraat Bankasi Swift Mesaji.exe, 00000001.00000003.375809880.00000000031A6000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Ziraat Bankasi Swift Mesaji.exe
          Source: Ziraat Bankasi Swift Mesaji.exe, 00000001.00000003.375154448.000000000333F000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Ziraat Bankasi Swift Mesaji.exe
          Source: Ziraat Bankasi Swift Mesaji.exe, 00000003.00000002.443501149.0000000000D1F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Ziraat Bankasi Swift Mesaji.exe
          Source: Ziraat Bankasi Swift Mesaji.exe, 00000003.00000002.439988472.0000000000B8F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Ziraat Bankasi Swift Mesaji.exe
          Source: Ziraat Bankasi Swift Mesaji.exe, 00000003.00000002.443727623.0000000002693000.00000040.00020000.sdmp | Binary or memory string: OriginalFilenamecolorcpl.exej% vs Ziraat Bankasi Swift Mesaji.exe
          Source: Ziraat Bankasi Swift Mesaji.exe, 00000003.00000003.378375869.00000000009EF000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Ziraat Bankasi Swift Mesaji.exe
          Source: Ziraat Bankasi Swift Mesaji.exe | ReversingLabs: Detection: 32%
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | File read: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe
          Source: Ziraat Bankasi Swift Mesaji.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknown | Process created: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe "C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe"
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Process created: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe "C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe"
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\SysWOW64\colorcpl.exe
          Source: C:\Windows\SysWOW64\colorcpl.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe"
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\colorcpl.exe | Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS
          Source: unknown | Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
          Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000015.db
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | File created: C:\Users\user\AppData\Local\Temp\nsrE09F.tmp
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@9/4@1/0
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 1_2_00402012 CoCreateInstance,MultiByteToWideChar
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | File read: C:\Users\desktop.ini
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 1_2_00404275 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6916:120:WilError_01
          Source: C:\Windows\SysWOW64\colorcpl.exe | Process created: C:\Windows\explorer.exe
          Source: unknown | Process created: C:\Windows\explorer.exe
          Source: Window Recorder | Window detected: More than 3 window changes detected
          Source: Binary string: P:\Target\x64\ship\groove\x-none\grooveex.pdbeex.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 source: explorer.exe, 00000021.00000002.671936915.00007FFD77A61000.00000020.00020000.sdmp
          Source: Binary string: P:\Target\x64\ship\groove\x-none\grooveex.pdb source: explorer.exe, 00000021.00000002.671936915.00007FFD77A61000.00000020.00020000.sdmp
          Source: Binary string: colorcpl.pdbGCTL source: Ziraat Bankasi Swift Mesaji.exe, 00000003.00000002.443717751.0000000002690000.00000040.00020000.sdmp
          Source: Binary string: colorcpl.pdb source: Ziraat Bankasi Swift Mesaji.exe, 00000003.00000002.443717751.0000000002690000.00000040.00020000.sdmp
          Source: Binary string: wntdll.pdbUGP source: Ziraat Bankasi Swift Mesaji.exe, 00000001.00000003.373865869.0000000003220000.00000004.00000001.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000001.00000003.369473393.0000000003090000.00000004.00000001.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000003.00000003.378024308.00000000008D0000.00000004.00000001.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000003.00000002.439246508.0000000000A70000.00000040.00000001.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000003.00000002.439988472.0000000000B8F000.00000040.00000001.sdmp, colorcpl.exe, 0000000B.00000002.651505776.00000000048C0000.00000040.00000001.sdmp, colorcpl.exe, 0000000B.00000002.653152419.00000000049DF000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: Ziraat Bankasi Swift Mesaji.exe, Ziraat Bankasi Swift Mesaji.exe, 00000003.00000003.378024308.00000000008D0000.00000004.00000001.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000003.00000002.439246508.0000000000A70000.00000040.00000001.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000003.00000002.439988472.0000000000B8F000.00000040.00000001.sdmp, colorcpl.exe, colorcpl.exe, 0000000B.00000002.651505776.00000000048C0000.00000040.00000001.sdmp, colorcpl.exe, 0000000B.00000002.653152419.00000000049DF000.00000040.00000001.sdmp
          Source: Binary string: eex.pdb source: explorer.exe, 00000021.00000002.671936915.00007FFD77A61000.00000020.00020000.sdmp
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 1_2_73861000 push eax; ret 1_2_7386102E
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 3_2_0041783C push A2EB2E12h; retf 3_2_00417849
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 3_2_0041E256 push ss; ret 3_2_0041E265
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 3_2_0041EA28 push esi; ret 3_2_0041EA30
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 3_2_00416AF9 push edx; retf 3_2_00416AFE
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 3_2_00416A85 push ebx; retf 3_2_00416ABD
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 3_2_0041D4B5 push eax; ret 3_2_0041D508
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 3_2_0041D56C push eax; ret 3_2_0041D572
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 3_2_0041D502 push eax; ret 3_2_0041D508
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 3_2_0041D50B push eax; ret 3_2_0041D572
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 3_2_0041870B push edx; iretd 3_2_0041870C
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 3_2_0041D70D push edx; ret 3_2_0041DA90
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 3_2_00AED0D1 push ecx; ret 3_2_00AED0E4
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_0493D0D1 push ecx; ret 11_2_0493D0E4
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_0089783C push A2EB2E12h; retf 11_2_00897849
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_00896A85 push ebx; retf 11_2_00896ABD
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_00896AF9 push edx; retf 11_2_00896AFE
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_0089EA28 push esi; ret 11_2_0089EA30
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_0089E256 push ss; ret 11_2_0089E265
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_0089D4B5 push eax; ret 11_2_0089D508
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_0089D50B push eax; ret 11_2_0089D572
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_0089D502 push eax; ret 11_2_0089D508
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_0089D56C push eax; ret 11_2_0089D572
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_0089870B push edx; iretd 11_2_0089870C
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 11_2_0089D70D push edx; ret 11_2_0089DA90
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 1_2_00405DA3 GetModuleHandleA,LoadLibraryA,GetProcAddress
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | File created: C:\Users\user\AppData\Local\Temp\nsrE0A1.tmp\kiicqtduhx.dll

          Hooking and other Techniques for Hiding and Protection:

          Self deletion via cmd delete
          Source: C:\Windows\SysWOW64\colorcpl.exe | Process created: /c del "C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe"
          Source: C:\Windows\explorer.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\colorcpl.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | RDTSC instruction interceptor: First address: 0000000000409B7E second address: 0000000000409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\colorcpl.exe | RDTSC instruction interceptor: First address: 0000000000889904 second address: 000000000088990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\colorcpl.exe | RDTSC instruction interceptor: First address: 0000000000889B7E second address: 0000000000889B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 3_2_00409AB0 rdtsc
          Source: C:\Windows\explorer.exe | File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#5&1ec51bf7&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Windows\SysWOW64\colorcpl.exe | API coverage: 8.4 %
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 1_2_00405D7C FindFirstFileA,FindClose
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 1_2_004053AA CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 1_2_00402630 FindFirstFileA
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | API call chain: ExitProcess graph end node (graph_1-3600)
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | API call chain: ExitProcess graph end node (graph_1-3599)
          Source: explorer.exe, 00000013.00000003.590614314.000000000FD9A000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}neer
          Source: explorer.exe, 00000005.00000000.425513181.00000000083E9000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00dRom0
          Source: explorer.exe, 00000013.00000003.535674507.0000000006A27000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 00000021.00000002.665822941.000000000957C000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000OW
          Source: explorer.exe, 00000013.00000003.590983457.0000000006C46000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000013.00000003.565805806.0000000006BBC000.00000004.00000001.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}BeN
          Source: explorer.exe, 00000005.00000000.420968283.0000000006410000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000021.00000002.666401363.0000000009754000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW
          Source: explorer.exe, 00000013.00000003.584991409.0000000006A45000.00000004.00000001.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
          Source: explorer.exe, 00000013.00000000.603040111.0000000007341000.00000004.00000001.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}57
          Source: explorer.exe, 00000021.00000002.665913010.00000000095F7000.00000004.00000001.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000r:
          Source: explorer.exe, 00000013.00000003.545751829.0000000006B7F000.00000004.00000001.sdmpBinary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}b}
          Source: explorer.exe, 00000013.00000000.536102345.000000000697D000.00000004.00000001.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000370N%\
          Source: explorer.exe, 00000013.00000003.544843845.0000000006B94000.00000004.00000001.sdmpBinary or memory string: NECVMWarVMware SATA CD001.00'_
          Source: explorer.exe, 00000013.00000003.593585088.000000000FD85000.00000004.00000001.sdmpBinary or memory string: 00#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000013.00000003.588709134.000000000FCC0000.00000004.00000001.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}/3K
          Source: explorer.exe, 00000013.00000003.593310949.000000000FD85000.00000004.00000001.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}yt
          Source: explorer.exe, 00000013.00000003.562362034.000000000FCBB000.00000004.00000001.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}+7O
          Source: explorer.exe, 00000005.00000000.424457777.00000000082E2000.00000004.00000001.sdmpBinary or memory string: c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&+
          Source: explorer.exe, 00000013.00000000.602440774.0000000006B2E000.00000004.00000001.sdmpBinary or memory string: VMware SATA CD00CE
          Source: explorer.exe, 00000013.00000000.536102345.000000000697D000.00000004.00000001.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000~
          Source: explorer.exe, 00000013.00000003.535674507.0000000006A27000.00000004.00000001.sdmpBinary or memory string: ;;SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 00000013.00000003.592381868.000000000FD85000.00000004.00000001.sdmpBinary or memory string: 00#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Users
          Source: explorer.exe, 00000013.00000000.602440774.0000000006B2E000.00000004.00000001.sdmpBinary or memory string: VMware SATA CD00
          Source: explorer.exe, 00000013.00000000.568908450.000000000FCC0000.00000004.00000001.sdmpBinary or memory string: \?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000021.00000002.665438809.0000000009480000.00000004.00000001.sdmpBinary or memory string: AASCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
          Source: explorer.exe, 00000013.00000003.590983457.0000000006C46000.00000004.00000001.sdmpBinary or memory string: 63}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000013.00000003.553939027.000000000FCBB000.00000004.00000001.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G4
          Source: explorer.exe, 00000013.00000000.602950824.00000000072F6000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}}
          Source: explorer.exe, 00000013.00000003.593310949.000000000FD85000.00000004.00000001.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},tE
          Source: explorer.exe, 00000013.00000003.562362034.000000000FCBB000.00000004.00000001.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}(6N
          Source: explorer.exe, 00000021.00000002.666014023.0000000009676000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}{
          Source: explorer.exe, 00000013.00000003.562362034.000000000FCBB000.00000004.00000001.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}x3
          Source: explorer.exe, 00000013.00000003.544843845.0000000006B94000.00000004.00000001.sdmpBinary or memory string: #cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000021.00000002.647185612.0000000001378000.00000004.00000020.sdmpBinary or memory string: k\\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}9:
          Source: explorer.exe, 00000005.00000000.416041190.000000000095C000.00000004.00000020.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G
          Source: explorer.exe, 00000013.00000003.588709134.000000000FCC0000.00000004.00000001.sdmpBinary or memory string: War&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}x3
          Source: explorer.exe, 00000013.00000003.593585088.000000000FD85000.00000004.00000001.sdmpBinary or memory string: 630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}PackagesB
          Source: explorer.exe, 00000013.00000000.536102345.000000000697D000.00000004.00000001.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000Z
          Source: explorer.exe, 00000021.00000002.665870216.0000000009596000.00000004.00000001.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000[
          Source: explorer.exe, 00000013.00000003.544843845.0000000006B94000.00000004.00000001.sdmpBinary or memory string: NECVMWarVMware SATA CD001.00
          Source: explorer.exe, 00000013.00000003.562362034.000000000FCBB000.00000004.00000001.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}D7
          Source: explorer.exe, 00000013.00000003.591014153.000000000FD99000.00000004.00000001.sdmpBinary or memory string: 63}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}H1
          Source: explorer.exe, 00000013.00000003.601967435.0000000006C45000.00000004.00000001.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}soft.Windows.ContentDeliveryManager_cw5n1h2txyewy
          Source: explorer.exe, 00000013.00000003.588709134.000000000FCC0000.00000004.00000001.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}!1E
          Source: explorer.exe, 00000013.00000003.592190476.000000000FD9A000.00000004.00000001.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}H1
          Source: explorer.exe, 00000013.00000000.603040111.0000000007341000.00000004.00000001.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}/
          Source: explorer.exe, 00000013.00000003.593294091.0000000006C45000.00000004.00000001.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Bo
          Source: explorer.exe, 00000013.00000003.546030446.0000000006BBC000.00000004.00000001.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}`N
          Source: explorer.exe, 00000013.00000003.545122290.0000000006B7E000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}\
          Source: explorer.exe, 00000013.00000003.592190476.000000000FD9A000.000