
Windows Analysis Report Ziraat Bankasi Swift Mesaji.exe

Overview

General Information

Sample Name: Ziraat Bankasi Swift Mesaji.exe
Analysis ID: 553162
MD5: bb5ab5b4895da7f1eddbaf67d7fe6067
SHA1: 8fcfc099505b7d825f8176af5d2a0dedfd7f39f2
SHA256: c274f37d52a6ef7300164ed5c964426b853c7cd3938310a10211439a4b5413ba
Tags: exe, Formbook, geo, TUR, ZiraatBank

Detection

Detection: FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Machine Learning detection for sample
Performs DNS queries to domains with low reputation
Self deletion via cmd delete
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

Process Tree

  • System is w10x64
  • Ziraat Bankasi Swift Mesaji.exe (PID: 2940 cmdline: "C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe" MD5: BB5AB5B4895DA7F1EDDBAF67D7FE6067)
    • Ziraat Bankasi Swift Mesaji.exe (PID: 4652 cmdline: "C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe" MD5: BB5AB5B4895DA7F1EDDBAF67D7FE6067)
      • explorer.exe (PID: 3440 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • colorcpl.exe (PID: 4552 cmdline: C:\Windows\SysWOW64\colorcpl.exe MD5: 746F3B5E7652EA0766BA10414D317981)
          • cmd.exe (PID: 6256 cmdline: /c del "C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • explorer.exe (PID: 6468 cmdline: "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS MD5: AD5296B280E8F522A8A897C96BAB0E1D)
  • explorer.exe (PID: 728 cmdline: "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS MD5: AD5296B280E8F522A8A897C96BAB0E1D)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.freedomwoofpackcom.com/a0p6/"], "decoy": ["taxlaws.info", "porn-star-depot.com", "cpf-comptes.com", "metropark.xyz", "transformselfhypnosis.com", "wu8g8aerxgjr.xyz", "jingzhouhan.net", "granicors.com", "monografiaonline.com", "4972hillcrestdrive.com", "gridironagriculturist.com", "xtrasomething.com", "scbndirects.com", "agglutinatesmicromanagers.xyz", "butsuyokulog.xyz", "parttimejobsinuk.site", "kriylzf.xyz", "sinashakib.com", "hpessoa.website", "interscopealbums.com", "bathandlicious.com", "jrowlandmarketing.com", "okforbk.com", "xjbyctc.com", "vitospark.com", "threewisewords.com", "antonioloiodice.com", "fastvpnreward.com", "baamusa.com", "yanatransportationsrvs.net", "ol0vdw.xyz", "climbingtreehollow.com", "barterlinealarmselect.com", "integrant.xyz", "nepalgci.com", "wu8j3tx49l5a.xyz", "surpmel.xyz", "autocarbying101.com", "otakusofneverland.com", "pawsitiveclosings.com", "h9220.com", "newshaiya.com", "progressiveprizes.com", "groovybingo.com", "iconuncle.com", "icon-club-dxb.com", "ruokanetti.com", "cooperjss.com", "governorperdue.com", "brfujdersomngreqt.com", "bcubnk.com", "digitalmedicinetechnologies.com", "logiqtrading.com", "anti-tfboys.com", "aterliercarbon.com", "wesovereign.com", "wein-quadrat.com", "www37118.com", "morethanalittlemarley.com", "coslogenex.com", "bondic-listjournal.com", "choicesidownloadnv.com", "ys688.xyz", "nftrack.xyz"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000003.00000001.376553796.0000000000400000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000003.00000001.376553796.0000000000400000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000001.376553796.0000000000400000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  Strings:
  • 0x18849:$sqlite3step: 68 34 1C 7B E1
  • 0x1895c:$sqlite3step: 68 34 1C 7B E1
  • 0x18878:$sqlite3text: 68 38 2A 90 C5
  • 0x1899d:$sqlite3text: 68 38 2A 90 C5
  • 0x1888b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.436846842.0000000000490000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000003.00000002.436846842.0000000000490000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author
3.1.Ziraat Bankasi Swift Mesaji.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
3.1.Ziraat Bankasi Swift Mesaji.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.1.Ziraat Bankasi Swift Mesaji.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  Strings:
  • 0x18849:$sqlite3step: 68 34 1C 7B E1
  • 0x1895c:$sqlite3step: 68 34 1C 7B E1
  • 0x18878:$sqlite3text: 68 38 2A 90 C5
  • 0x1899d:$sqlite3text: 68 38 2A 90 C5
  • 0x1888b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
3.0.Ziraat Bankasi Swift Mesaji.exe.400000.3.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
3.0.Ziraat Bankasi Swift Mesaji.exe.400000.3.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview


AV Detection:

Found malware configuration
Source: 00000003.00000001.376553796.0000000000400000.00000040.00020000.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.freedomwoofpackcom.com/a0p6/"], "decoy": ["taxlaws.info", "porn-star-depot.com", "cpf-comptes.com", "metropark.xyz", "transformselfhypnosis.com", "wu8g8aerxgjr.xyz", "jingzhouhan.net", "granicors.com", "monografiaonline.com", "4972hillcrestdrive.com", "gridironagriculturist.com", "xtrasomething.com", "scbndirects.com", "agglutinatesmicromanagers.xyz", "butsuyokulog.xyz", "parttimejobsinuk.site", "kriylzf.xyz", "sinashakib.com", "hpessoa.website", "interscopealbums.com", "bathandlicious.com", "jrowlandmarketing.com", "okforbk.com", "xjbyctc.com", "vitospark.com", "threewisewords.com", "antonioloiodice.com", "fastvpnreward.com", "baamusa.com", "yanatransportationsrvs.net", "ol0vdw.xyz", "climbingtreehollow.com", "barterlinealarmselect.com", "integrant.xyz", "nepalgci.com", "wu8j3tx49l5a.xyz", "surpmel.xyz", "autocarbying101.com", "otakusofneverland.com", "pawsitiveclosings.com", "h9220.com", "newshaiya.com", "progressiveprizes.com", "groovybingo.com", "iconuncle.com", "icon-club-dxb.com", "ruokanetti.com", "cooperjss.com", "governorperdue.com", "brfujdersomngreqt.com", "bcubnk.com", "digitalmedicinetechnologies.com", "logiqtrading.com", "anti-tfboys.com", "aterliercarbon.com", "wesovereign.com", "wein-quadrat.com", "www37118.com", "morethanalittlemarley.com", "coslogenex.com", "bondic-listjournal.com", "choicesidownloadnv.com", "ys688.xyz", "nftrack.xyz"]}
Multi AV Scanner detection for submitted file
Source: Ziraat Bankasi Swift Mesaji.exe | ReversingLabs: Detection: 32%
Yara detected FormBook
Source: Yara match | File source: 3.1.Ziraat Bankasi Swift Mesaji.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.Ziraat Bankasi Swift Mesaji.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.1.Ziraat Bankasi Swift Mesaji.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Ziraat Bankasi Swift Mesaji.exe.3050000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Ziraat Bankasi Swift Mesaji.exe.3050000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.Ziraat Bankasi Swift Mesaji.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.Ziraat Bankasi Swift Mesaji.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.Ziraat Bankasi Swift Mesaji.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.Ziraat Bankasi Swift Mesaji.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.Ziraat Bankasi Swift Mesaji.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.Ziraat Bankasi Swift Mesaji.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000001.376553796.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.436846842.0000000000490000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.412084086.000000000F0C5000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.377484332.0000000003050000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.647118949.0000000000880000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.374508026.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.375573868.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.436931041.00000000004C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.649679782.00000000010F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.436115346.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.649486951.00000000010C0000.00000040.00020000.sdmp, type: MEMORY
Machine Learning detection for sample
Source: Ziraat Bankasi Swift Mesaji.exe | Joe Sandbox ML: detected
Source: 1.2.Ziraat Bankasi Swift Mesaji.exe.3050000.4.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.1.Ziraat Bankasi Swift Mesaji.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 11.2.colorcpl.exe.4def840.4.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 19.0.explorer.exe.bacf840.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 3.0.Ziraat Bankasi Swift Mesaji.exe.400000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.2.Ziraat Bankasi Swift Mesaji.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.0.Ziraat Bankasi Swift Mesaji.exe.400000.2.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.0.Ziraat Bankasi Swift Mesaji.exe.400000.3.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 11.2.colorcpl.exe.b02338.0.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 33.2.explorer.exe.c07f840.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: Ziraat Bankasi Swift Mesaji.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: P:\Target\x64\ship\groove\x-none\grooveex.pdbeex.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 source: explorer.exe, 00000021.00000002.671936915.00007FFD77A61000.00000020.00020000.sdmp
Source: Binary string: P:\Target\x64\ship\groove\x-none\grooveex.pdb source: explorer.exe, 00000021.00000002.671936915.00007FFD77A61000.00000020.00020000.sdmp
Source: Binary string: colorcpl.pdbGCTL source: Ziraat Bankasi Swift Mesaji.exe, 00000003.00000002.443717751.0000000002690000.00000040.00020000.sdmp
Source: Binary string: colorcpl.pdb source: Ziraat Bankasi Swift Mesaji.exe, 00000003.00000002.443717751.0000000002690000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdbUGP source: Ziraat Bankasi Swift Mesaji.exe, 00000001.00000003.373865869.0000000003220000.00000004.00000001.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000001.00000003.369473393.0000000003090000.00000004.00000001.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000003.00000003.378024308.00000000008D0000.00000004.00000001.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000003.00000002.439246508.0000000000A70000.00000040.00000001.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000003.00000002.439988472.0000000000B8F000.00000040.00000001.sdmp, colorcpl.exe, 0000000B.00000002.651505776.00000000048C0000.00000040.00000001.sdmp, colorcpl.exe, 0000000B.00000002.653152419.00000000049DF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: Ziraat Bankasi Swift Mesaji.exe, Ziraat Bankasi Swift Mesaji.exe, 00000003.00000003.378024308.00000000008D0000.00000004.00000001.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000003.00000002.439246508.0000000000A70000.00000040.00000001.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000003.00000002.439988472.0000000000B8F000.00000040.00000001.sdmp, colorcpl.exe, colorcpl.exe, 0000000B.00000002.651505776.00000000048C0000.00000040.00000001.sdmp, colorcpl.exe, 0000000B.00000002.653152419.00000000049DF000.00000040.00000001.sdmp
Source: Binary string: eex.pdb source: explorer.exe, 00000021.00000002.671936915.00007FFD77A61000.00000020.00020000.sdmp
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 1_2_00405D7C FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 1_2_004053AA CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 1_2_00402630 FindFirstFileA,
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 4x nop then pop esi
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 4x nop then pop ebx
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 4x nop then pop esi
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 4x nop then pop ebx
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 4x nop then pop edi

Networking:

Performs DNS queries to domains with low reputation
Source: DNS query: www.ys688.xyz
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.freedomwoofpackcom.com/a0p6/
Source: unknown | DNS traffic detected: query: www.ys688.xyz replaycode: Name error (3)
Source: explorer.exe, 00000021.00000002.672058340.00007FFD77B49000.00000002.00020000.sdmp | String found in binary or memory: http://components.groove.net/Groove/Components/Root.osd?Package=net.groove.Groove.Tools.System.Groov
Source: explorer.exe, 00000021.00000002.672058340.00007FFD77B49000.00000002.00020000.sdmp | String found in binary or memory: http://components.groove.net/Groove/Components/SystemComponents/SystemComponents.osd?Package=net.gro
Source: explorer.exe, 00000013.00000000.603040111.0000000007341000.00000004.00000001.sdmp, explorer.exe, 00000013.00000000.541707510.00000000073BD000.00000004.00000001.sdmp, explorer.exe, 00000013.00000003.542503961.00000000073BD000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Ziraat Bankasi Swift Mesaji.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: Ziraat Bankasi Swift Mesaji.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 00000021.00000002.666305724.0000000009719000.00000004.00000001.sdmp | String found in binary or memory: http://www.autocarbying101.com
Source: explorer.exe, 00000021.00000002.666305724.0000000009719000.00000004.00000001.sdmp | String found in binary or memory: http://www.autocarbying101.com/a0p6/
Source: explorer.exe, 00000021.00000002.666305724.0000000009719000.00000004.00000001.sdmp | String found in binary or memory: http://www.autocarbying101.com/a0p6/www.progressiveprizes.com
Source: explorer.exe, 00000021.00000002.666305724.0000000009719000.00000004.00000001.sdmp | String found in binary or memory: http://www.autocarbying101.comReferer:
Source: explorer.exe, 00000005.00000000.380852977.000000000095C000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.396097413.000000000095C000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.416041190.000000000095C000.00000004.00000020.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000021.00000002.666305724.0000000009719000.00000004.00000001.sdmp | String found in binary or memory: http://www.barterlinealarmselect.com
Source: explorer.exe, 00000021.00000002.666305724.0000000009719000.00000004.00000001.sdmp | String found in binary or memory: http://www.barterlinealarmselect.com/a0p6/
Source: explorer.exe, 00000021.00000002.666305724.0000000009719000.00000004.00000001.sdmp | String found in binary or memory: http://www.barterlinealarmselect.com/a0p6/www.autocarbying101.com
Source: explorer.exe, 00000021.00000002.666305724.0000000009719000.00000004.00000001.sdmp | String found in binary or memory: http://www.barterlinealarmselect.comReferer:
Source: explorer.exe, 00000021.00000002.666305724.0000000009719000.00000004.00000001.sdmp | String found in binary or memory: http://www.digitalmedicinetechnologies.com
Source: explorer.exe, 00000021.00000002.666305724.0000000009719000.00000004.00000001.sdmp | String found in binary or memory: http://www.digitalmedicinetechnologies.com/a0p6/
Source: explorer.exe, 00000021.00000002.666305724.0000000009719000.00000004.00000001.sdmp | String found in binary or memory: http://www.digitalmedicinetechnologies.comReferer:
Source: explorer.exe, 00000021.00000002.666305724.0000000009719000.00000004.00000001.sdmp | String found in binary or memory: http://www.fastvpnreward.com
Source: explorer.exe, 00000021.00000002.666305724.0000000009719000.00000004.00000001.sdmp | String found in binary or memory: http://www.fastvpnreward.com/a0p6/
Source: explorer.exe, 00000021.00000002.666305724.0000000009719000.00000004.00000001.sdmp | String found in binary or memory: http://www.fastvpnreward.com/a0p6/www.digitalmedicinetechnologies.com
Source: explorer.exe, 00000021.00000002.666305724.0000000009719000.00000004.00000001.sdmp | String found in binary or memory: http://www.fastvpnreward.comReferer:
Source: explorer.exe, 00000021.00000002.666305724.0000000009719000.00000004.00000001.sdmp | String found in binary or memory: http://www.freedomwoofpackcom.com
Source: explorer.exe, 00000021.00000002.666305724.0000000009719000.00000004.00000001.sdmp | String found in binary or memory: http://www.freedomwoofpackcom.com/a0p6/
Source: explorer.exe, 00000021.00000002.666305724.0000000009719000.00000004.00000001.sdmp | String found in binary or memory: http://www.freedomwoofpackcom.com/a0p6/www.taxlaws.info
Source: explorer.exe, 00000021.00000002.666305724.0000000009719000.00000004.00000001.sdmp | String found in binary or memory: http://www.freedomwoofpackcom.comReferer:
Source: explorer.exe, 00000021.00000002.666305724.0000000009719000.00000004.00000001.sdmp | String found in binary or memory: http://www.gridironagriculturist.com
Source: explorer.exe, 00000021.00000002.666305724.0000000009719000.00000004.00000001.sdmp | String found in binary or memory: http://www.gridironagriculturist.com/a0p6/
Source: explorer.exe, 00000021.00000002.666305724.0000000009719000.00000004.00000001.sdmp | String found in binary or memory: http://www.gridironagriculturist.com/a0p6/www.hpessoa.website
Source: explorer.exe, 00000021.00000002.666305724.0000000009719000.00000004.00000001.sdmp | String found in binary or memory: http://www.gridironagriculturist.comReferer:
Source: explorer.exe, 00000021.00000002.666305724.0000000009719000.00000004.00000001.sdmp | String found in binary or memory: http://www.hpessoa.website
Source: explorer.exe, 00000021.00000002.666305724.0000000009719000.00000004.00000001.sdmp | String found in binary or memory: http://www.hpessoa.website/a0p6/
Source: explorer.exe, 00000021.00000002.666305724.0000000009719000.00000004.00000001.sdmp | String found in binary or memory: http://www.hpessoa.website/a0p6/www.freedomwoofpackcom.com
Source: explorer.exe, 00000021.00000002.666305724.0000000009719000.00000004.00000001.sdmp | String found in binary or memory: http://www.hpessoa.websiteReferer:
Source: explorer.exe, 00000021.00000002.666305724.0000000009719000.00000004.00000001.sdmp | String found in binary or memory: http://www.pawsitiveclosings.com
Source: explorer.exe, 00000021.00000002.666305724.0000000009719000.00000004.00000001.sdmp | String found in binary or memory: http://www.pawsitiveclosings.com/a0p6/
Source: explorer.exe, 00000021.00000002.666305724.0000000009719000.00000004.00000001.sdmp | String found in binary or memory: http://www.pawsitiveclosings.com/a0p6/www.ruokanetti.com
Source: explorer.exe, 00000021.00000002.666305724.0000000009719000.00000004.00000001.sdmp | String found in binary or memory: http://www.pawsitiveclosings.comReferer:
Source: explorer.exe, 00000021.00000002.666305724.0000000009719000.00000004.00000001.sdmp | String found in binary or memory: http://www.progressiveprizes.com
Source: explorer.exe, 00000021.00000002.666305724.0000000009719000.00000004.00000001.sdmp | String found in binary or memory: http://www.progressiveprizes.com/a0p6/
Source: explorer.exe, 00000021.00000002.666305724.0000000009719000.00000004.00000001.sdmp | String found in binary or memory: http://www.progressiveprizes.com/a0p6/www.fastvpnreward.com
Source: explorer.exe, 00000021.00000002.666305724.0000000009719000.00000004.00000001.sdmp | String found in binary or memory: http://www.progressiveprizes.comReferer:
Source: explorer.exe, 00000021.00000002.666305724.0000000009719000.00000004.00000001.sdmp | String found in binary or memory: http://www.ruokanetti.com
Source: explorer.exe, 00000021.00000002.666305724.0000000009719000.00000004.00000001.sdmp | String found in binary or memory: http://www.ruokanetti.com/a0p6/
Source: explorer.exe, 00000021.00000002.666305724.0000000009719000.00000004.00000001.sdmp | String found in binary or memory: http://www.ruokanetti.com/a0p6/www.barterlinealarmselect.com
Source: explorer.exe, 00000021.00000002.666305724.0000000009719000.00000004.00000001.sdmp | String found in binary or memory: http://www.ruokanetti.comReferer:
Source: explorer.exe, 00000021.00000002.666305724.0000000009719000.00000004.00000001.sdmp | String found in binary or memory: http://www.surpmel.xyz
Source: explorer.exe, 00000021.00000002.666305724.0000000009719000.00000004.00000001.sdmp | String found in binary or memory: http://www.surpmel.xyz/a0p6/
Source: explorer.exe, 00000021.00000002.666305724.0000000009719000.00000004.00000001.sdmp | String found in binary or memory: http://www.surpmel.xyz/a0p6/www.pawsitiveclosings.com
Source: explorer.exe, 00000021.00000002.666305724.0000000009719000.00000004.00000001.sdmp | String found in binary or memory: http://www.surpmel.xyzReferer:
Source: explorer.exe, 00000021.00000002.666305724.0000000009719000.00000004.00000001.sdmp | String found in binary or memory: http://www.taxlaws.info
Source: explorer.exe, 00000021.00000002.666305724.0000000009719000.00000004.00000001.sdmp | String found in binary or memory: http://www.taxlaws.info/a0p6/
Source: explorer.exe, 00000021.00000002.666305724.0000000009719000.00000004.00000001.sdmp | String found in binary or memory: http://www.taxlaws.info/a0p6/www.wu8g8aerxgjr.xyz
Source: explorer.exe, 00000021.00000002.666305724.0000000009719000.00000004.00000001.sdmp | String found in binary or memory: http://www.taxlaws.infoReferer:
Source: explorer.exe, 00000021.00000002.666305724.0000000009719000.00000004.00000001.sdmp | String found in binary or memory: http://www.transformselfhypnosis.com
Source: explorer.exe, 00000021.00000002.666305724.0000000009719000.00000004.00000001.sdmp | String found in binary or memory: http://www.transformselfhypnosis.com/a0p6/
Source: explorer.exe, 00000021.00000002.666305724.0000000009719000.00000004.00000001.sdmp | String found in binary or memory: http://www.transformselfhypnosis.com/a0p6/www.www37118.com
Source: explorer.exe, 00000021.00000002.666305724.0000000009719000.00000004.00000001.sdmp | String found in binary or memory: http://www.transformselfhypnosis.comReferer:
Source: explorer.exe, 00000021.00000002.666305724.0000000009719000.00000004.00000001.sdmp | String found in binary or memory: http://www.wu8g8aerxgjr.xyz
Source: explorer.exe, 00000021.00000002.666305724.0000000009719000.00000004.00000001.sdmp | String found in binary or memory: http://www.wu8g8aerxgjr.xyz/a0p6/
Source: explorer.exe, 00000021.00000002.666305724.0000000009719000.00000004.00000001.sdmp | String found in binary or memory: http://www.wu8g8aerxgjr.xyz/a0p6/www.surpmel.xyz
Source: explorer.exe, 00000021.00000002.666305724.0000000009719000.00000004.00000001.sdmp | String found in binary or memory: http://www.wu8g8aerxgjr.xyzReferer:
Source: explorer.exe, 00000021.00000002.666305724.0000000009719000.00000004.00000001.sdmp | String found in binary or memory: http://www.www37118.com
Source: explorer.exe, 00000021.00000002.666305724.0000000009719000.00000004.00000001.sdmp | String found in binary or memory: http://www.www37118.com/a0p6/
Source: explorer.exe, 00000021.00000002.666305724.0000000009719000.00000004.00000001.sdmp | String found in binary or memory: http://www.www37118.com/a0p6/www.gridironagriculturist.com
Source: explorer.exe, 00000021.00000002.666305724.0000000009719000.00000004.00000001.sdmp | String found in binary or memory: http://www.www37118.comReferer:
Source: explorer.exe, 00000021.00000002.666305724.0000000009719000.00000004.00000001.sdmp | String found in binary or memory: http://www.ys688.xyz
Source: explorer.exe, 00000021.00000002.666305724.0000000009719000.00000004.00000001.sdmp | String found in binary or memory: http://www.ys688.xyz/a0p6/
Source: explorer.exe, 00000021.00000002.666305724.0000000009719000.00000004.00000001.sdmp | String found in binary or memory: http://www.ys688.xyz/a0p6/www.transformselfhypnosis.com
Source: explorer.exe, 00000021.00000002.666305724.0000000009719000.00000004.00000001.sdmp | String found in binary or memory: http://www.ys688.xyzReferer:
Source: unknown | DNS traffic detected: queries for: www.ys688.xyz
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 1_2_00404F61 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara match | File source: 3.1.Ziraat Bankasi Swift Mesaji.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 3.0.Ziraat Bankasi Swift Mesaji.exe.400000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 3.1.Ziraat Bankasi Swift Mesaji.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.Ziraat Bankasi Swift Mesaji.exe.3050000.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.Ziraat Bankasi Swift Mesaji.exe.3050000.4.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 3.0.Ziraat Bankasi Swift Mesaji.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 3.2.Ziraat Bankasi Swift Mesaji.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 3.0.Ziraat Bankasi Swift Mesaji.exe.400000.2.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 3.0.Ziraat Bankasi Swift Mesaji.exe.400000.3.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 3.2.Ziraat Bankasi Swift Mesaji.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 3.0.Ziraat Bankasi Swift Mesaji.exe.400000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000003.00000001.376553796.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.436846842.0000000000490000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000000.412084086.000000000F0C5000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.377484332.0000000003050000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000B.00000002.647118949.0000000000880000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000000.374508026.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000000.375573868.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.436931041.00000000004C0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000B.00000002.649679782.00000000010F0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.436115346.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000B.00000002.649486951.00000000010C0000.00000040.00020000.sdmp, type: MEMORY

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 3.1.Ziraat Bankasi Swift Mesaji.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.1.Ziraat Bankasi Swift Mesaji.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 3.0.Ziraat Bankasi Swift Mesaji.exe.400000.3.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.0.Ziraat Bankasi Swift Mesaji.exe.400000.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 3.1.Ziraat Bankasi Swift Mesaji.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.1.Ziraat Bankasi Swift Mesaji.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.Ziraat Bankasi Swift Mesaji.exe.3050000.4.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.Ziraat Bankasi Swift Mesaji.exe.3050000.4.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.Ziraat Bankasi Swift Mesaji.exe.3050000.4.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.Ziraat Bankasi Swift Mesaji.exe.3050000.4.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 3.0.Ziraat Bankasi Swift Mesaji.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.0.Ziraat Bankasi Swift Mesaji.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 3.2.Ziraat Bankasi Swift Mesaji.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.2.Ziraat Bankasi Swift Mesaji.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 3.0.Ziraat Bankasi Swift Mesaji.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.0.Ziraat Bankasi Swift Mesaji.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 3.0.Ziraat Bankasi Swift Mesaji.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.0.Ziraat Bankasi Swift Mesaji.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 3.2.Ziraat Bankasi Swift Mesaji.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.2.Ziraat Bankasi Swift Mesaji.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 3.0.Ziraat Bankasi Swift Mesaji.exe.400000.2.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.0.Ziraat Bankasi Swift Mesaji.exe.400000.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000001.376553796.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000001.376553796.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.436846842.0000000000490000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.436846842.0000000000490000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000000.412084086.000000000F0C5000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000000.412084086.000000000F0C5000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.377484332.0000000003050000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.377484332.0000000003050000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000B.00000002.647118949.0000000000880000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000B.00000002.647118949.0000000000880000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000000.374508026.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000000.374508026.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000000.375573868.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000000.375573868.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.436931041.00000000004C0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.436931041.00000000004C0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000B.00000002.649679782.00000000010F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000B.00000002.649679782.00000000010F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.436115346.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.436115346.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000B.00000002.649486951.00000000010C0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000B.00000002.649486951.00000000010C0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: Ziraat Bankasi Swift Mesaji.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: 3.1.Ziraat Bankasi Swift Mesaji.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.1.Ziraat Bankasi Swift Mesaji.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 3.0.Ziraat Bankasi Swift Mesaji.exe.400000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.0.Ziraat Bankasi Swift Mesaji.exe.400000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 3.1.Ziraat Bankasi Swift Mesaji.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.1.Ziraat Bankasi Swift Mesaji.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.Ziraat Bankasi Swift Mesaji.exe.3050000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.Ziraat Bankasi Swift Mesaji.exe.3050000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.Ziraat Bankasi Swift Mesaji.exe.3050000.4.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.Ziraat Bankasi Swift Mesaji.exe.3050000.4.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 3.0.Ziraat Bankasi Swift Mesaji.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.0.Ziraat Bankasi Swift Mesaji.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 3.2.Ziraat Bankasi Swift Mesaji.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.2.Ziraat Bankasi Swift Mesaji.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 3.0.Ziraat Bankasi Swift Mesaji.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.0.Ziraat Bankasi Swift Mesaji.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 3.0.Ziraat Bankasi Swift Mesaji.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.0.Ziraat Bankasi Swift Mesaji.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 3.2.Ziraat Bankasi Swift Mesaji.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.2.Ziraat Bankasi Swift Mesaji.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 3.0.Ziraat Bankasi Swift Mesaji.exe.400000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.0.Ziraat Bankasi Swift Mesaji.exe.400000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000001.376553796.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000001.376553796.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.436846842.0000000000490000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.436846842.0000000000490000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000000.412084086.000000000F0C5000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000000.412084086.000000000F0C5000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.377484332.0000000003050000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.377484332.0000000003050000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000002.647118949.0000000000880000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000002.647118949.0000000000880000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000000.374508026.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000000.374508026.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000000.375573868.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000000.375573868.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.436931041.00000000004C0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.436931041.00000000004C0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000002.649679782.00000000010F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000002.649679782.00000000010F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.436115346.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.436115346.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000002.649486951.00000000010C0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000002.649486951.00000000010C0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 1_2_00403225 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_00889E60
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_00882FB0
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0089D70D
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: String function: 048EB150 appears 72 times
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_0041A360 NtCreateFile,
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_0041A410 NtReadFile,
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_0041A490 NtClose,
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_0041A540 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_0041A35E NtCreateFile,
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_0041A3BA NtCreateFile,
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_0041A40A NtReadFile,
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_0041A48D NtClose,
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_0041A53A NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00AD98F0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00AD9860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00AD9840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00AD99A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00AD9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00AD9A20 NtResumeThread,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00AD9A00 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00AD9A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00AD95D0 NtClose,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00AD9540 NtReadFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00AD96E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00AD9660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00AD97A0 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00AD9780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00AD9710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00AD98A0 NtWriteVirtualMemory,
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00AD9820 NtEnumerateKey,
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00ADB040 NtSuspendThread,
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00AD99D0 NtCreateProcessEx,
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00AD9950 NtQueueApcThread,
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00AD9A80 NtOpenDirectoryObject,
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00AD9A10 NtQuerySection,
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00ADA3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049295D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_04929540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049296D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049296E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_04929650 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_04929660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_04929780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_04929FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_04929710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_04929840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_04929860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049299A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_04929910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_04929A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049295F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0492AD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_04929520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_04929560 NtWriteFile,
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_04929610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_04929670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049297A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0492A710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_04929730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0492A770 NtOpenThread,
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_04929770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_04929760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049298A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049298F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_04929820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0492B040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049299D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_04929950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_04929A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_04929A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_04929A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_04929A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0492A3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_04929B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0089A360 NtCreateFile,
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0089A490 NtClose,
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0089A410 NtReadFile,
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0089A540 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0089A3BA NtCreateFile,
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0089A35E NtCreateFile,
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0089A48D NtClose,
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0089A40A NtReadFile,
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0089A53A NtAllocateVirtualMemory,
          Source: Ziraat Bankasi Swift Mesaji.exe, 00000001.00000003.375809880.00000000031A6000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs Ziraat Bankasi Swift Mesaji.exe
          Source: Ziraat Bankasi Swift Mesaji.exe, 00000001.00000003.375154448.000000000333F000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs Ziraat Bankasi Swift Mesaji.exe
          Source: Ziraat Bankasi Swift Mesaji.exe, 00000003.00000002.443501149.0000000000D1F000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs Ziraat Bankasi Swift Mesaji.exe
          Source: Ziraat Bankasi Swift Mesaji.exe, 00000003.00000002.439988472.0000000000B8F000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs Ziraat Bankasi Swift Mesaji.exe
          Source: Ziraat Bankasi Swift Mesaji.exe, 00000003.00000002.443727623.0000000002693000.00000040.00020000.sdmpBinary or memory string: OriginalFilenamecolorcpl.exej% vs Ziraat Bankasi Swift Mesaji.exe
          Source: Ziraat Bankasi Swift Mesaji.exe, 00000003.00000003.378375869.00000000009EF000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs Ziraat Bankasi Swift Mesaji.exe
          Source: Ziraat Bankasi Swift Mesaji.exeReversingLabs: Detection: 32%
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeFile read: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe
          Source: Ziraat Bankasi Swift Mesaji.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknownProcess created: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe "C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe"
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeProcess created: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe "C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe"
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\SysWOW64\colorcpl.exe
          Source: C:\Windows\SysWOW64\colorcpl.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\colorcpl.exeProcess created: C:\Windows\explorer.exe "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS
          Source: unknownProcess created: C:\Windows\explorer.exe "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeProcess created: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe "C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe"
          Source: C:\Windows\SysWOW64\colorcpl.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe"
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
          Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000015.db
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeFile created: C:\Users\user\AppData\Local\Temp\nsrE09F.tmp
          Source: classification engineClassification label: mal100.troj.evad.winEXE@9/4@1/0
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 1_2_00402012 CoCreateInstance,MultiByteToWideChar,
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeFile read: C:\Users\desktop.ini
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 1_2_00404275 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6916:120:WilError_01
          Source: C:\Windows\SysWOW64\colorcpl.exeProcess created: C:\Windows\explorer.exe
          Source: unknownProcess created: C:\Windows\explorer.exe
          Source: Window RecorderWindow detected: More than 3 window changes detected
          Source: Binary string: P:\Target\x64\ship\groove\x-none\grooveex.pdbeex.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 source: explorer.exe, 00000021.00000002.671936915.00007FFD77A61000.00000020.00020000.sdmp
          Source: Binary string: P:\Target\x64\ship\groove\x-none\grooveex.pdb source: explorer.exe, 00000021.00000002.671936915.00007FFD77A61000.00000020.00020000.sdmp
          Source: Binary string: colorcpl.pdbGCTL source: Ziraat Bankasi Swift Mesaji.exe, 00000003.00000002.443717751.0000000002690000.00000040.00020000.sdmp
          Source: Binary string: colorcpl.pdb source: Ziraat Bankasi Swift Mesaji.exe, 00000003.00000002.443717751.0000000002690000.00000040.00020000.sdmp
          Source: Binary string: wntdll.pdbUGP source: Ziraat Bankasi Swift Mesaji.exe, 00000001.00000003.373865869.0000000003220000.00000004.00000001.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000001.00000003.369473393.0000000003090000.00000004.00000001.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000003.00000003.378024308.00000000008D0000.00000004.00000001.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000003.00000002.439246508.0000000000A70000.00000040.00000001.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000003.00000002.439988472.0000000000B8F000.00000040.00000001.sdmp, colorcpl.exe, 0000000B.00000002.651505776.00000000048C0000.00000040.00000001.sdmp, colorcpl.exe, 0000000B.00000002.653152419.00000000049DF000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: Ziraat Bankasi Swift Mesaji.exe, Ziraat Bankasi Swift Mesaji.exe, 00000003.00000003.378024308.00000000008D0000.00000004.00000001.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000003.00000002.439246508.0000000000A70000.00000040.00000001.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000003.00000002.439988472.0000000000B8F000.00000040.00000001.sdmp, colorcpl.exe, colorcpl.exe, 0000000B.00000002.651505776.00000000048C0000.00000040.00000001.sdmp, colorcpl.exe, 0000000B.00000002.653152419.00000000049DF000.00000040.00000001.sdmp
          Source: Binary string: eex.pdb source: explorer.exe, 00000021.00000002.671936915.00007FFD77A61000.00000020.00020000.sdmp
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 1_2_73861000 push eax; ret
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_0041783C push A2EB2E12h; retf
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_0041E256 push ss; ret
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_0041EA28 push esi; ret
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00416AF9 push edx; retf
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00416A85 push ebx; retf
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_0041D4B5 push eax; ret
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_0041D56C push eax; ret
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_0041D502 push eax; ret
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_0041D50B push eax; ret
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_0041870B push edx; iretd
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_0041D70D push edx; ret
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00AED0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0493D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0089783C push A2EB2E12h; retf
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_00896A85 push ebx; retf
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_00896AF9 push edx; retf
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0089EA28 push esi; ret
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0089E256 push ss; ret
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0089D4B5 push eax; ret
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0089D50B push eax; ret
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0089D502 push eax; ret
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0089D56C push eax; ret
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0089870B push edx; iretd
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0089D70D push edx; ret
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 1_2_00405DA3 GetModuleHandleA,LoadLibraryA,GetProcAddress,
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeFile created: C:\Users\user\AppData\Local\Temp\nsrE0A1.tmp\kiicqtduhx.dll

          Hooking and other Techniques for Hiding and Protection:

          Self deletion via cmd delete
          Source: C:\Windows\SysWOW64\colorcpl.exeProcess created: /c del "C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe"
          Source: C:\Windows\explorer.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\colorcpl.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeRDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeRDTSC instruction interceptor: First address: 0000000000409B7E second address: 0000000000409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\colorcpl.exeRDTSC instruction interceptor: First address: 0000000000889904 second address: 000000000088990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\colorcpl.exeRDTSC instruction interceptor: First address: 0000000000889B7E second address: 0000000000889B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00409AB0 rdtsc
          Source: C:\Windows\explorer.exeFile opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#5&1ec51bf7&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Windows\SysWOW64\colorcpl.exeAPI coverage: 8.4 %
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeProcess information queried: ProcessInformation
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 1_2_00405D7C FindFirstFileA,FindClose,
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 1_2_004053AA CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 1_2_00402630 FindFirstFileA,
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeAPI call chain: ExitProcess graph end node
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeAPI call chain: ExitProcess graph end node
          Source: explorer.exe, 00000013.00000003.590614314.000000000FD9A000.00000004.00000001.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}neer
          Source: explorer.exe, 00000005.00000000.425513181.00000000083E9000.00000004.00000001.sdmpBinary or memory string: VMware SATA CD00dRom0
          Source: explorer.exe, 00000013.00000003.535674507.0000000006A27000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 00000021.00000002.665822941.000000000957C000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000OW
          Source: explorer.exe, 00000013.00000003.590983457.0000000006C46000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000013.00000003.565805806.0000000006BBC000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}BeN
          Source: explorer.exe, 00000005.00000000.420968283.0000000006410000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000021.00000002.666401363.0000000009754000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
          Source: explorer.exe, 00000013.00000003.584991409.0000000006A45000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
          Source: explorer.exe, 00000013.00000000.603040111.0000000007341000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}57
          Source: explorer.exe, 00000021.00000002.665913010.00000000095F7000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000r:
          Source: explorer.exe, 00000013.00000003.545751829.0000000006B7F000.00000004.00000001.sdmp | Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}b}
          Source: explorer.exe, 00000013.00000000.536102345.000000000697D000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000370N%\
          Source: explorer.exe, 00000013.00000003.544843845.0000000006B94000.00000004.00000001.sdmp | Binary or memory string: NECVMWarVMware SATA CD001.00'_
          Source: explorer.exe, 00000013.00000003.593585088.000000000FD85000.00000004.00000001.sdmp | Binary or memory string: 00#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000013.00000003.588709134.000000000FCC0000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}/3K
          Source: explorer.exe, 00000013.00000003.593310949.000000000FD85000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}yt
          Source: explorer.exe, 00000013.00000003.562362034.000000000FCBB000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}+7O
          Source: explorer.exe, 00000005.00000000.424457777.00000000082E2000.00000004.00000001.sdmp | Binary or memory string: c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&+
          Source: explorer.exe, 00000013.00000000.602440774.0000000006B2E000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00CE
          Source: explorer.exe, 00000013.00000000.536102345.000000000697D000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000~
          Source: explorer.exe, 00000013.00000003.535674507.0000000006A27000.00000004.00000001.sdmp | Binary or memory string: ;;SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 00000013.00000003.592381868.000000000FD85000.00000004.00000001.sdmp | Binary or memory string: 00#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Users
          Source: explorer.exe, 00000013.00000000.602440774.0000000006B2E000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00
          Source: explorer.exe, 00000013.00000000.568908450.000000000FCC0000.00000004.00000001.sdmp | Binary or memory string: \?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000021.00000002.665438809.0000000009480000.00000004.00000001.sdmp | Binary or memory string: AASCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
          Source: explorer.exe, 00000013.00000003.590983457.0000000006C46000.00000004.00000001.sdmp | Binary or memory string: 63}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000013.00000003.553939027.000000000FCBB000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G4
          Source: explorer.exe, 00000013.00000000.602950824.00000000072F6000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}}
          Source: explorer.exe, 00000013.00000003.593310949.000000000FD85000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},tE
          Source: explorer.exe, 00000013.00000003.562362034.000000000FCBB000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}(6N
          Source: explorer.exe, 00000021.00000002.666014023.0000000009676000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}{
          Source: explorer.exe, 00000013.00000003.562362034.000000000FCBB000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}x3
          Source: explorer.exe, 00000013.00000003.544843845.0000000006B94000.00000004.00000001.sdmp | Binary or memory string: #cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000021.00000002.647185612.0000000001378000.00000004.00000020.sdmp | Binary or memory string: k\\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}9:
          Source: explorer.exe, 00000005.00000000.416041190.000000000095C000.00000004.00000020.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G
          Source: explorer.exe, 00000013.00000003.588709134.000000000FCC0000.00000004.00000001.sdmp | Binary or memory string: War&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}x3
          Source: explorer.exe, 00000013.00000003.593585088.000000000FD85000.00000004.00000001.sdmp | Binary or memory string: 630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}PackagesB
          Source: explorer.exe, 00000013.00000000.536102345.000000000697D000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000Z
          Source: explorer.exe, 00000021.00000002.665870216.0000000009596000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000[
          Source: explorer.exe, 00000013.00000003.544843845.0000000006B94000.00000004.00000001.sdmp | Binary or memory string: NECVMWarVMware SATA CD001.00
          Source: explorer.exe, 00000013.00000003.562362034.000000000FCBB000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}D7
          Source: explorer.exe, 00000013.00000003.591014153.000000000FD99000.00000004.00000001.sdmp | Binary or memory string: 63}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}H1
          Source: explorer.exe, 00000013.00000003.601967435.0000000006C45000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}soft.Windows.ContentDeliveryManager_cw5n1h2txyewy
          Source: explorer.exe, 00000013.00000003.588709134.000000000FCC0000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}!1E
          Source: explorer.exe, 00000013.00000003.592190476.000000000FD9A000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}H1
          Source: explorer.exe, 00000013.00000000.603040111.0000000007341000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}/
          Source: explorer.exe, 00000013.00000003.593294091.0000000006C45000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Bo
          Source: explorer.exe, 00000013.00000003.546030446.0000000006BBC000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}`N
          Source: explorer.exe, 00000013.00000003.545122290.0000000006B7E000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}\
          Source: explorer.exe, 00000013.00000003.592190476.000000000FD9A000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B
          Source: explorer.exe, 00000013.00000003.592190476.000000000FD9A000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Bsk
          Source: explorer.exe, 00000021.00000002.665913010.00000000095F7000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD004%
          Source: explorer.exe, 00000013.00000003.546030446.0000000006BBC000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}9
          Source: explorer.exe, 00000021.00000002.659426654.00000000072CE000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}(
          Source: explorer.exe, 00000013.00000003.562362034.000000000FCBB000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}y2
          Source: explorer.exe, 00000013.00000003.582323799.0000000006BBD000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B&L
          Source: explorer.exe, 00000013.00000000.603040111.0000000007341000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}<
          Source: explorer.exe, 00000013.00000003.588709134.000000000FCC0000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}-5I
          Source: explorer.exe, 00000013.00000000.602660117.0000000006C44000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb
          Source: explorer.exe, 00000013.00000003.535832651.000000000556D000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000@v
          Source: explorer.exe, 00000021.00000002.647185612.0000000001378000.00000004.00000020.sdmp | Binary or memory string: k\\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}Wbem
          Source: explorer.exe, 00000013.00000003.535674507.0000000006A27000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000N%\
          Source: explorer.exe, 00000021.00000002.665913010.00000000095F7000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00dRom0 >A
          Source: explorer.exe, 00000013.00000003.582323799.0000000006BBD000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}BhO
          Source: explorer.exe, 00000021.00000002.666014023.0000000009676000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000013.00000003.562362034.000000000FCBB000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}{0
          Source: explorer.exe, 00000013.00000003.582323799.0000000006BBD000.00000004.00000001.sdmp | Binary or memory string: 630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B
          Source: explorer.exe, 00000021.00000002.659697197.0000000007359000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000@v
          Source: explorer.exe, 00000013.00000003.562362034.000000000FCBB000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}*4H
          Source: explorer.exe, 00000013.00000003.544717660.0000000006AFC000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000005.00000000.424457777.00000000082E2000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
          Source: explorer.exe, 00000013.00000003.592190476.000000000FD9A000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Blj
          Source: explorer.exe, 00000013.00000003.590320155.0000000006C11000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}&
          Source: explorer.exe, 00000013.00000003.587445417.00000000101BD000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}BHL
          Source: explorer.exe, 00000013.00000003.535674507.0000000006A27000.00000004.00000001.sdmpBinary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#5&1ec51bf7&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}}
          Source: explorer.exe, 00000013.00000003.562362034.000000000FCBB000.00000004.00000001.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}.0D
          Source: explorer.exe, 00000013.00000003.593310949.000000000FD85000.00000004.00000001.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}PackagesB
          Source: explorer.exe, 00000013.00000000.602745772.0000000007250000.00000004.00000001.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
          Source: explorer.exe, 00000005.00000000.389306018.0000000008430000.00000004.00000001.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
          Source: explorer.exe, 00000013.00000000.602675635.0000000006C47000.00000004.00000001.sdmpBinary or memory string: 0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}soft.Windows.ContentDeliveryManager_cw5n1h2txyewy
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 1_2_00405DA3 GetModuleHandleA,LoadLibraryA,GetProcAddress,
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00409AB0 rdtsc
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeProcess token adjusted: Debug
          Source: C:\Windows\SysWOW64\colorcpl.exeProcess token adjusted: Debug
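The signature lines in this part of the report (VM device identifiers in memory, LoadLibrary/GetProcAddress resolution, rdtsc, SeDebugPrivilege, and the long run of fs:[30h] PEB reads) are raw evidence, repeated once per occurrence, so the same function can appear many times. The helper below is an added example, not Joe Sandbox code and not part of this report: it parses lines in exactly the run-together shape shown on this page, groups them by technique and owning process, collapses repeats so the count is of distinct functions, and attaches the caveat an analyst applies to the explorer.exe device strings. The sample lines are constructed from this section; the reading of a function id such as 3_2_00AC20A0 as process index, analysis pass and address is an assumption.

```python
"""Triage helper for Joe Sandbox "Source: ..." signature lines (added example)."""
import re
from collections import defaultdict

# Constructed sample in the exact shape the report page uses: the "Source" cell and
# the detail cell are run together with no separator (e.g. "...exeCode function: ...").
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 1_2_00405DA3 GetModuleHandleA,LoadLibraryA,GetProcAddress,",
    r"Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00409AB0 rdtsc",
    r"Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeProcess token adjusted: Debug",
    r"Source: C:\Windows\SysWOW64\colorcpl.exeProcess token adjusted: Debug",
    r"Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00AC20A0 mov eax, dword ptr fs:[00000030h]",
    r"Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00AC20A0 mov eax, dword ptr fs:[00000030h]",
    r"Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00ACF0BF mov ecx, dword ptr fs:[00000030h]",
    r"Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049A1C06 mov eax, dword ptr fs:[00000030h]",
    r"Source: explorer.exe, 00000013.00000003.544717660.0000000006AFC000.00000004.00000001.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}",
]

# The three line shapes seen in this section; the process column is followed directly
# by the detail column, so the regexes split on the literal detail-column prefix.
CODE_RE = re.compile(r"^Source: (?P<proc>.+?)Code function: (?P<func>\d+_\d+_[0-9A-Fa-f]+) (?P<detail>.*)$")
TOKEN_RE = re.compile(r"^Source: (?P<proc>.+?)Process token adjusted: (?P<priv>\w+)\s*$")
MEM_RE = re.compile(r"^Source: (?P<proc>[^,]+), (?P<region>\S+\.sdmp)Binary or memory string: (?P<detail>.*)$")

PEB_RE = re.compile(r"\bfs:\[0*30h\]", re.IGNORECASE)      # TEB+0x30 = PEB pointer (x86)
RDTSC_RE = re.compile(r"\brdtsc\b", re.IGNORECASE)
DYNAPI = {"LoadLibraryA", "LoadLibraryW", "GetProcAddress"}
VM_RE = re.compile(r"vmware|necvmwar|vbox|virtualbox|qemu|virtual_dvd|virtual_disk", re.IGNORECASE)


def triage(lines):
    """Group signature lines by technique and owning process.

    Function ids such as "3_2_00AC20A0" are kept whole (assumed: process index,
    analysis pass, function address), so repeated lines for one function collapse
    and the counts reflect distinct functions rather than raw line counts.
    """
    out = {
        "peb_reads": defaultdict(set),
        "rdtsc": defaultdict(set),
        "dynamic_api": defaultdict(set),
        "debug_privilege": set(),
        "vm_artifacts": defaultdict(set),
        "other": [],
    }
    for line in lines:
        line = line.strip()
        if (m := CODE_RE.match(line)):
            proc, func, detail = m["proc"], m["func"], m["detail"]
            if PEB_RE.search(detail):
                out["peb_reads"][proc].add(func)
            elif RDTSC_RE.search(detail):
                out["rdtsc"][proc].add(func)
            else:
                calls = {c.strip() for c in detail.split(",") if c.strip()}
                if calls & DYNAPI:
                    out["dynamic_api"][proc].add(func)
                else:
                    out["other"].append(line)
        elif (m := TOKEN_RE.match(line)):
            if m["priv"].lower() == "debug":
                out["debug_privilege"].add(m["proc"])
        elif (m := MEM_RE.match(line)):
            if VM_RE.search(m["detail"]):
                out["vm_artifacts"][m["proc"]].add(m["region"])
        else:
            out["other"].append(line)
    return out


def summarize(report):
    """One finding per technique and process, with a caveat where the evidence is weaker
    than the raw line count suggests."""
    findings = []
    for proc, funcs in report["peb_reads"].items():
        findings.append(f"{proc}: {len(funcs)} distinct function(s) read fs:[30h] "
                        "(PEB: BeingDebugged / NtGlobalFlag / loader list checks)")
    for proc, funcs in report["rdtsc"].items():
        findings.append(f"{proc}: rdtsc in {sorted(funcs)} (timing check for VM or debugger)")
    for proc, funcs in report["dynamic_api"].items():
        findings.append(f"{proc}: LoadLibrary/GetProcAddress import resolution in {sorted(funcs)}")
    for proc in sorted(report["debug_privilege"]):
        findings.append(f"{proc}: SeDebugPrivilege enabled (needed to open other processes for injection)")
    for proc, regions in report["vm_artifacts"].items():
        # Device-interface strings inside explorer.exe are explorer's own enumeration of
        # the sandbox's hardware; they only show the guest is a VM, not that this sample
        # looked for one.
        note = " (explorer's own device enumeration, not by itself sample behaviour)" \
            if proc.lower().startswith("explorer") else ""
        findings.append(f"{proc}: VM device identifiers in {len(regions)} memory region(s){note}")
    return findings


if __name__ == "__main__":
    for finding in summarize(triage(SAMPLE_LINES)):
        print(finding)
```

Run on the full section, the grouped output is what you actually reason about: a handful of distinct PEB-reading functions in process 3 and in the hollowed colorcpl.exe, at addresses far from the 0x00400000 image base seen in process 1, is what supports the "reads the PEB" and injection signatures, whereas the VMware strings attributed to explorer.exe carry no weight for the sample's own anti-VM behaviour.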
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 1_2_0019E7DA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 1_2_0019EB1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 1_2_0019EA9F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 1_2_0019EADE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 1_2_0019E9EE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00AD90AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00AC20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00AC20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00AC20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00AC20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00AC20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00AC20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00ACF0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00ACF0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00ACF0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00A99080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00B13884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00B13884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00A958EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00B2B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00B2B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00B2B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00B2B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00B2B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00B2B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00AAB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00AAB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00AAB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00AAB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00AC002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00AC002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00AC002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00AC002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00AC002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00B64015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00B64015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00B17016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00B17016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00B17016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00B61074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00B52073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00AB0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00AB0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00AC61A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00AC61A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00B151BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00B151BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00B151BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00B151BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00B169A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00ACA185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00ABC182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00AC2990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00A9B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00A9B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00A9B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00B241E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00AB4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00AB4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00AB4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00AB4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00AB4120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00AC513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00AC513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00A99100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00A99100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00A99100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00A9C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00A9B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00A9B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00ABB944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00ABB944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00A952A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00A952A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00A952A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00A952A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00A952A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00AAAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00AAAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00ACFAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00ACD294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00ACD294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00AC2AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00AC2ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00AD4A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00AD4A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00AA8A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00B5AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00B5AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00AB3A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00A95210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00A95210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00A95210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00A95210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00A9AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00A9AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00B4B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00B4B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00B68A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00AD927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00B5EA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00B24257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00A99240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00A99240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00A99240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00A99240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00AC4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00AC4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00AC4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00B65BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00AA1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00AA1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00B4D380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00AC2397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00ACB390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00B5138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00ABDBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00AC03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00AC03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00AC03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00AC03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00AC03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_00AC03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_048F849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049B8CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049A14FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_04966CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_04966CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_04966CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049B740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049B740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049B740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_04966C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_04966C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_04966C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_04966C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0491BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0497C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0497C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0491A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0490746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_048E2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_048E2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_048E2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_048E2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_048E2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0491FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0491FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_04912581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_04912581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_04912581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_04912581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_04911DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_04911DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_04911DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049135A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049B05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049B05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_04966DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_04966DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_04966DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_04966DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_04966DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_04966DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_04998DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_048FD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_048FD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049AFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049AFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049AFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049AFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0496A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049AE539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_04914D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_04914D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_04914D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049B8D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_048F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_048F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_048F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_048F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_048F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_048F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_048F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_048F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_048F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_048F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_048F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_048F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_048F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_048EAD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_04907D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_04923D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_04963540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_04993D40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0490C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0490C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0497FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049646A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049B0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049B0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049B0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049B8ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_04928EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0499FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049136CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_048F76E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049116E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0491A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0491A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_048EC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_048EC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_048EC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_04918E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049A1608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0499FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_048EE620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_048F7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_048F7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_048F7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_048F7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_048F7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_048F7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049AAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049AAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_048F766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0490AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0490AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0490AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0490AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0490AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_04967794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_04967794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_04967794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_048F8794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049237F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0490F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0497FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0497FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049B070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049B070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0491A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0491A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_048E4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_048E4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0491E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0490B73D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0490B73D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_048FEF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_048FFF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049B8F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_048E9080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_04963884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_04963884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0491F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0491F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0491F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049120A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049120A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049120A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049120A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049120A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049120A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049290AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0497B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0497B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0497B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0497B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0497B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0497B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_048E58EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_048E40E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_048E40E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_048E40E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0490B8E4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0490B8E4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_04967016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_04967016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_04967016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049B4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049B4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0490A830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0490A830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0490A830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0490A830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_048FB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_048FB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_048FB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_048FB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0491002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0491002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0491002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0491002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0491002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_04900050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_04900050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049A2073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049B1074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_04912990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0490C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0491A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049651BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049651BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049651BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049651BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049099BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049099BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049099BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049099BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049099BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049099BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049099BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049099BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049099BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049099BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049099BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049099BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049669A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049161A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049161A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049A49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049A49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049A49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049A49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_048EB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_048EB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_048EB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049741E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_048E9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_048E9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_048E9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0491513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0491513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_04904120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_04904120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_04904120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_04904120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_04904120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0490B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0490B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_048EC962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_048EB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_048EB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0491D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0491D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0491FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_048E52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_048E52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_048E52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_048E52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_048E52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_048FAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_048FAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_04912ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_04912AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_048F8A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_04903A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049AAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049AAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_048EAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_048EAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_048E5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_048E5210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_048E5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_048E5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0490A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0490A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0490A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0490A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0490A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0490A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0490A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0490A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0490A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_04924A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_04924A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_04974257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_048E9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_048E9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_048E9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_048E9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049AEA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0492927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0499B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0499B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049B8A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_048F1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_048F1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0491B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_04912397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049A138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0499D380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_04914BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_04914BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_04914BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049B5BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049653CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049653CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049103E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049103E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049103E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049103E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049103E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049103E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_0490DBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049A131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_049B8B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_048EDB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_048EF358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_04913B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_04913B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 11_2_048EDB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeProcess queried: DebugPort
          Source: C:\Windows\SysWOW64\colorcpl.exeProcess queried: DebugPort
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 3_2_0040ACF0 LdrLoadDll,
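Reading the PEB is what every `mov eax/ecx, dword ptr fs:[00000030h]` line above amounts to: on 32-bit Windows fs:[0] is the TEB and the dword at offset 0x30 is its ProcessEnvironmentBlock pointer. Note that the hits attributed to colorcpl.exe sit in the 0x048Exxxx-0x049Bxxxx range, far from the image base 0x1150000 that the report shows being unmapped, so they belong to the code the sample mapped into colorcpl.exe rather than to colorcpl's own code. The `Process queried: DebugPort` lines are the complementary kernel-side check, NtQueryInformationProcess(ProcessDebugPort). The scanner below is an added example, not Joe Sandbox code: it locates the same instruction encodings in a raw 32-bit code blob, recovers the destination register from the ModRM byte, and reports whether a PEB.BeingDebugged (offset 2) or PEB.NtGlobalFlag (offset 0x68) test follows within a short window. The test bytes are constructed, not taken from the sample, and a byte scan over data regions can false-positive, so treat hits as leads for the disassembler.

```python
"""Find 32-bit PEB reads (mov r32, fs:[30h]) in raw code and tell whether each
feeds a BeingDebugged or NtGlobalFlag test. Added example, not sandbox code."""
import re
from dataclasses import dataclass
from typing import List, Optional

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# "mov eax, dword ptr fs:[00000030h]" has two encodings; every other register
# only has the 8B /r form, whose ModRM byte carries the register in bits 3..5:
#   64 A1 30 00 00 00       mov eax, fs:[30h]   (moffs32 short form)
#   64 8B 05 30 00 00 00    mov eax, fs:[30h]   (8B /r, mod=00 rm=101 -> disp32)
#   64 8B 0D 30 00 00 00    mov ecx, fs:[30h]
PEB_READ = re.compile(
    rb"\x64(?:\xA1\x30\x00\x00\x00"
    rb"|\x8B[\x05\x0D\x15\x1D\x25\x2D\x35\x3D]\x30\x00\x00\x00)"
)

@dataclass(frozen=True)
class PebRead:
    offset: int            # offset of the fs:[30h] read inside the blob
    reg: str               # register that receives the PEB pointer
    check: Optional[str]   # "BeingDebugged", "NtGlobalFlag" or None

def scan_peb_reads(code: bytes, window: int = 16) -> List[PebRead]:
    """Return every PEB read, with the debugger test that follows it (if any)."""
    hits = []
    for m in PEB_READ.finditer(code):
        raw = m.group(0)
        reg = 0 if raw[1] == 0xA1 else (raw[2] >> 3) & 7
        tail = code[m.end(): m.end() + window]
        check = None
        if reg != 4:  # [esp+disp8] needs a SIB byte; not handled here
            # PEB.BeingDebugged is the byte at PEB+2:
            #   0F B6 (40|reg) 02   movzx eax, byte ptr [reg+2]
            #   80 (78|reg) 02 00   cmp   byte ptr [reg+2], 0
            being_debugged = (bytes([0x0F, 0xB6, 0x40 | reg, 0x02]),
                              bytes([0x80, 0x78 | reg, 0x02, 0x00]))
            # PEB.NtGlobalFlag at PEB+0x68; 0x70 is the heap-debug trio a
            # debugger-created process gets (TAIL_CHECK|FREE_CHECK|VALIDATE_PARAMETERS)
            nt_global_flag = bytes([0xF6, 0x40 | reg, 0x68, 0x70])
            if any(p in tail for p in being_debugged):
                check = "BeingDebugged"
            elif nt_global_flag in tail:
                check = "NtGlobalFlag"
        hits.append(PebRead(m.start(), REG32[reg], check))
    return hits

# Constructed test bytes (not taken from the sample): an anti-debug prologue.
SAMPLE_CODE = bytes.fromhex(
    "64A130000000"    # mov   eax, fs:[30h]
    "0FB64002"        # movzx eax, byte ptr [eax+2]      ; PEB.BeingDebugged
    "85C0"            # test  eax, eax
    "7502"            # jnz   +2
    "648B0D30000000"  # mov   ecx, fs:[30h]
    "F6416870"        # test  byte ptr [ecx+68h], 70h    ; PEB.NtGlobalFlag
    "C3"              # ret
)

if __name__ == "__main__":
    for h in scan_peb_reads(SAMPLE_CODE):
        print(f"+0x{h.offset:04x}: mov {h.reg}, fs:[30h] -> {h.check or 'no follow-up test'}")
```

Run it over a dumped region (for this report, the RWX region inside colorcpl.exe rather than the on-disk binary, since the on-disk sample is packed) and the offsets map straight onto the function addresses the sandbox lists. The 64-bit equivalent is `mov rax, gs:[60h]` (65 48 8B 04 25 60 00 00 00), which this 32-bit scanner deliberately does not cover.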

          HIPS / PFW / Operating System Protection Evasion:

          Sample uses process hollowing technique
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeSection unmapped: C:\Windows\SysWOW64\colorcpl.exe base address: 1150000
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeSection loaded: unknown target: C:\Windows\SysWOW64\colorcpl.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeSection loaded: unknown target: C:\Windows\SysWOW64\colorcpl.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: unknown target: unknown protection: read write
          Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\colorcpl.exeSection loaded: unknown target: unknown protection: read write
          Injects a PE file into a foreign processes
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeMemory written: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe base: 400000 value starts with: 4D5A
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeThread APC queued: target process: C:\Windows\explorer.exe
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeThread register set: target process: 3440
          Source: C:\Windows\SysWOW64\colorcpl.exeThread register set: target process: 3440
          Source: C:\Windows\SysWOW64\colorcpl.exeThread register set: target process: 6468
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeProcess created: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe "C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe"
          Source: C:\Windows\SysWOW64\colorcpl.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe"
          Source: colorcpl.exe, 0000000B.00000002.650981544.0000000003170000.00000002.00020000.sdmp, explorer.exe, 00000013.00000000.593475357.0000000001A40000.00000002.00020000.sdmp, explorer.exe, 00000013.00000000.522121225.0000000001A40000.00000002.00020000.sdmp, explorer.exe, 00000021.00000002.649427113.0000000001970000.00000002.00020000.sdmpBinary or memory string: Program Manager
          Source: explorer.exe, 00000005.00000000.400626554.0000000004F80000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.397540886.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.389238366.00000000083E9000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.409030860.00000000083E9000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.416480050.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.425513181.00000000083E9000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.381269998.0000000000EE0000.00000002.00020000.sdmp, colorcpl.exe, 0000000B.00000002.650981544.0000000003170000.00000002.00020000.sdmp, explorer.exe, 00000013.00000000.593475357.0000000001A40000.00000002.00020000.sdmp, explorer.exe, 00000013.00000000.522121225.0000000001A40000.00000002.00020000.sdmp, explorer.exe, 00000021.00000002.648475093.0000000001449000.00000004.00000020.sdmp, explorer.exe, 00000021.00000002.649427113.0000000001970000.00000002.00020000.sdmp, explorer.exe, 00000021.00000002.657429902.0000000005700000.00000004.00000001.sdmpBinary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000005.00000000.415750521.00000000008B8000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.380695566.00000000008B8000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.397540886.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.395909144.00000000008B8000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.416480050.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.381269998.0000000000EE0000.00000002.00020000.sdmp, colorcpl.exe, 0000000B.00000002.650981544.0000000003170000.00000002.00020000.sdmp, explorer.exe, 00000013.00000000.593475357.0000000001A40000.00000002.00020000.sdmp, explorer.exe, 00000013.00000000.521010244.00000000012F8000.00000004.00000020.sdmp, explorer.exe, 00000013.00000000.522121225.0000000001A40000.00000002.00020000.sdmp, explorer.exe, 00000013.00000000.601334865.0000000005ED0000.00000004.00000001.sdmp, explorer.exe, 00000013.00000000.592634529.00000000012F8000.00000004.00000020.sdmp, explorer.exe, 00000013.00000000.530924322.0000000005ED0000.00000004.00000001.sdmp, explorer.exe, 00000021.00000002.649427113.0000000001970000.00000002.00020000.sdmp, explorer.exe, 00000021.00000002.657429902.0000000005700000.00000004.00000001.sdmp, explorer.exe, 00000021.00000002.647185612.0000000001378000.00000004.00000020.sdmpBinary or memory string: Progman
          Source: explorer.exe, 00000005.00000000.397540886.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.416480050.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.381269998.0000000000EE0000.00000002.00020000.sdmpBinary or memory string: &Program Manager
          Source: explorer.exe, 00000005.00000000.397540886.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.416480050.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.381269998.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000013.00000000.522121225.0000000001A40000.00000002.00020000.sdmpBinary or memory string: Progmanlock
          Source: explorer.exe, 00000013.00000003.510607336.000000000556D000.00000004.00000001.sdmp, explorer.exe, 00000013.00000000.600918221.000000000556D000.00000004.00000001.sdmp, explorer.exe, 00000013.00000003.535832651.000000000556D000.00000004.00000001.sdmp, explorer.exe, 00000013.00000003.521974214.000000000556D000.00000004.00000001.sdmp, explorer.exe, 00000013.00000003.529419339.000000000556D000.00000004.00000001.sdmp, explorer.exe, 00000013.00000000.527019654.000000000556D000.00000004.00000001.sdmpBinary or memory string: Progman$x
          Source: explorer.exe, 00000021.00000002.657214134.0000000005620000.00000004.00000001.sdmpBinary or memory string: ProgmancT
          Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 1_2_00405AA7 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,
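The evidence in this section reads as one chain: the sample spawns a copy of itself and writes a PE image (4D5A) over it at 0x400000, the copy unmaps colorcpl.exe's image at base 0x1150000 and maps execute-read-write sections into colorcpl.exe and explorer.exe, an APC is queued into explorer.exe, thread contexts are set in processes 3440 and 6468, and the injected colorcpl.exe finally runs `cmd.exe /c del` against the original dropper (T1055.012 process hollowing, T1055.004 APC injection, self-deletion). The correlator below is an added example, not Joe Sandbox code. It consumes a constructed API trace shaped after these lines (the PIDs are invented and the NT API names are assumed; adapt the field names to whatever your tracer or EDR emits) and labels each target process with the techniques the report names, then flags the self-delete by matching the deleted path against the image paths seen in the trace.

```python
"""Correlate per-process API events into the injection techniques named in
this report, plus the cmd /c del self-deletion. Added example, not sandbox code."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

PAGE_EXECUTE_READWRITE = 0x40   # the "execute and read and write" protection above

@dataclass(frozen=True)
class ApiEvent:
    pid: int                        # calling process
    image: str                      # calling process image path
    api: str                        # API name as the tracer logs it (assumed naming)
    target_pid: Optional[int] = None
    protect: Optional[int] = None   # NtMapViewOfSection protection
    data: Optional[bytes] = None    # leading bytes of an NtWriteVirtualMemory buffer
    cmdline: Optional[str] = None   # CreateProcess command line

# cmd.exe /c del "<path>" with or without quotes, trailing whitespace tolerated
SELF_DELETE = re.compile(r'cmd(?:\.exe)?\s+/c\s+del\s+"?([^"]+?)"?\s*$', re.IGNORECASE)

def classify_injection(events: List[ApiEvent]) -> Dict[int, Set[str]]:
    """Return {target_pid: techniques} for every process touched by a foreign pid."""
    techniques: Dict[int, Set[str]] = defaultdict(set)
    apis_seen: Dict[int, Set[str]] = defaultdict(set)
    for e in events:
        if e.target_pid is None or e.target_pid == e.pid:
            continue                                   # only cross-process calls matter
        t = e.target_pid
        apis_seen[t].add(e.api)
        if e.api == "NtMapViewOfSection" and e.protect == PAGE_EXECUTE_READWRITE:
            techniques[t].add("rwx_section_mapped")   # "Maps a DLL or memory area into another process"
        elif e.api == "NtWriteVirtualMemory" and e.data and e.data.startswith(b"MZ"):
            techniques[t].add("pe_written")           # "Injects a PE file ..." (value starts with 4D5A)
        elif e.api == "NtQueueApcThread":
            techniques[t].add("apc_queued")           # "Queues an APC in another process"
        elif e.api == "NtSetContextThread":
            techniques[t].add("thread_context_set")   # "Thread register set"
    for t, apis in apis_seen.items():
        found = techniques.get(t, set())
        # Hollowing = original image unmapped + replacement image supplied + execution redirected
        replaced = found & {"rwx_section_mapped", "pe_written"}
        if "NtUnmapViewOfSection" in apis and replaced and "thread_context_set" in found:
            techniques[t].add("process_hollowing")
    return {t: s for t, s in techniques.items() if s}

def find_self_delete(events: List[ApiEvent]) -> List[Tuple[int, str, str]]:
    """Flag 'cmd /c del <path>' where <path> is the image of a process in the trace."""
    images = {e.image.lower() for e in events}
    hits = []
    for e in events:
        if e.api != "CreateProcess" or not e.cmdline:
            continue
        m = SELF_DELETE.search(e.cmdline)
        if m and m.group(1).lower() in images:
            hits.append((e.pid, e.image, m.group(1)))
    return hits

SAMPLE = r"C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe"
COLORCPL = r"C:\Windows\SysWOW64\colorcpl.exe"

# Constructed trace shaped after this report's evidence; the PIDs are invented.
TRACE = [
    ApiEvent(1001, SAMPLE, "CreateProcess", cmdline=f'"{SAMPLE}"'),                      # spawns a copy of itself
    ApiEvent(1001, SAMPLE, "NtWriteVirtualMemory", target_pid=1003, data=b"MZ\x90\x00"),  # PE over the child at 0x400000
    ApiEvent(1001, SAMPLE, "NtSetContextThread", target_pid=1003),
    ApiEvent(1003, SAMPLE, "NtUnmapViewOfSection", target_pid=1011),                     # colorcpl.exe image at 0x1150000 unmapped
    ApiEvent(1003, SAMPLE, "NtMapViewOfSection", target_pid=1011, protect=PAGE_EXECUTE_READWRITE),
    ApiEvent(1003, SAMPLE, "NtSetContextThread", target_pid=1011),
    ApiEvent(1003, SAMPLE, "NtQueueApcThread", target_pid=1005),                          # explorer.exe
    ApiEvent(1011, COLORCPL, "NtMapViewOfSection", target_pid=1005, protect=PAGE_EXECUTE_READWRITE),
    ApiEvent(1011, COLORCPL, "CreateProcess",
             cmdline=f'C:\\Windows\\SysWOW64\\cmd.exe /c del "{SAMPLE}"'),              # removes the dropper
]

if __name__ == "__main__":
    for pid, techs in sorted(classify_injection(TRACE).items()):
        print(f"target {pid}: {', '.join(sorted(techs))}")
    for pid, image, path in find_self_delete(TRACE):
        print(f"{image} (pid {pid}) deleted {path}")
```

The hollowing rule deliberately requires all three legs (unmap, replacement image, redirected thread); the child copy of the sample only gets `pe_written` and `thread_context_set`, which matches the report firing "Injects a PE file" and "Thread register set" for it but reserving "process hollowing" for colorcpl.exe. The self-delete check keys on the deleted path being a known image in the trace rather than on the deleter's own path, because here it is the injected colorcpl.exe, not the dropper, that issues the `del`.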

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara matchFile source: 3.1.Ziraat Bankasi Swift Mesaji.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.0.Ziraat Bankasi Swift Mesaji.exe.400000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.1.Ziraat Bankasi Swift Mesaji.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.Ziraat Bankasi Swift Mesaji.exe.3050000.4.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.Ziraat Bankasi Swift Mesaji.exe.3050000.4.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.0.Ziraat Bankasi Swift Mesaji.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.2.Ziraat Bankasi Swift Mesaji.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.0.Ziraat Bankasi Swift Mesaji.exe.400000.2.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.0.Ziraat Bankasi Swift Mesaji.exe.400000.3.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.2.Ziraat Bankasi Swift Mesaji.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.0.Ziraat Bankasi Swift Mesaji.exe.400000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000003.00000001.376553796.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000002.436846842.0000000000490000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000000.412084086.000000000F0C5000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.377484332.0000000003050000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000B.00000002.647118949.0000000000880000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000000.374508026.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000000.375573868.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000002.436931041.00000000004C0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000B.00000002.649679782.00000000010F0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000002.436115346.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000B.00000002.649486951.00000000010C0000.00000040.00020000.sdmp, type: MEMORY

          Remote Access Functionality:

          Yara detected FormBook
          Source: Yara matchFile source: 3.1.Ziraat Bankasi Swift Mesaji.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.0.Ziraat Bankasi Swift Mesaji.exe.400000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.1.Ziraat Bankasi Swift Mesaji.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.Ziraat Bankasi Swift Mesaji.exe.3050000.4.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.Ziraat Bankasi Swift Mesaji.exe.3050000.4.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.0.Ziraat Bankasi Swift Mesaji.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.2.Ziraat Bankasi Swift Mesaji.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.0.Ziraat Bankasi Swift Mesaji.exe.400000.2.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.0.Ziraat Bankasi Swift Mesaji.exe.400000.3.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.2.Ziraat Bankasi Swift Mesaji.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.0.Ziraat Bankasi Swift Mesaji.exe.400000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000003.00000001.376553796.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000002.436846842.0000000000490000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000000.412084086.000000000F0C5000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.377484332.0000000003050000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000B.00000002.647118949.0000000000880000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000000.374508026.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000000.375573868.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000002.436931041.00000000004C0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000B.00000002.649679782.00000000010F0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000002.436115346.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000B.00000002.649486951.00000000010C0000.00000040.00020000.sdmp, type: MEMORY

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Native API1 | Path Interception | Process Injection512 | Masquerading1 | OS Credential Dumping | Query Registry1 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot1
          Default Accounts | Shared Modules1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion2 | LSASS Memory | Security Software Discovery131 | Remote Desktop Protocol | Clipboard Data1 | Exfiltration Over Bluetooth | Non-Application Layer Protocol1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection512 | Security Account Manager | Virtualization/Sandbox Evasion2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol11 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Deobfuscate/Decode Files or Information1 | NTDS | Process Discovery2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap |  | Carrier Billing Fraud
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information3 | LSA Secrets | File and Directory Discovery2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Software Packing1 | Cached Domain Credentials | System Information Discovery13 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service |  | Abuse Accessibility Features
          External Remote Services | Scheduled Task | Startup Items | Startup Items | File Deletion1 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points |  | Data Encrypted for Impact

          Behavior Graph

          Behavior Graph ID: 553162
          Sample: Ziraat Bankasi Swift Mesaji.exe
          Start date: 14/01/2022
          Architecture: WINDOWS
          Score: 100

          Nodes and edges recovered from the rendered graph:
          • Start node: DNS/IP info: www.ys688.xyz; signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 5 other signatures
          • Start node -> Ziraat Bankasi Swift Mesaji.exe (started); Start node -> explorer.exe (started)
          • Ziraat Bankasi Swift Mesaji.exe: dropped C:\Users\user\AppData\...\kiicqtduhx.dll (PE32); signature: Injects a PE file into a foreign processes; -> Ziraat Bankasi Swift Mesaji.exe (started)
          • Ziraat Bankasi Swift Mesaji.exe (second instance): signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection); -> explorer.exe (injected)
          • explorer.exe (injected) -> colorcpl.exe (started)
          • colorcpl.exe: signatures: Self deletion via cmd delete; Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements; -> cmd.exe (started); -> explorer.exe (started)
          • cmd.exe -> conhost.exe (started)

          Screenshots

          Thumbnails

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          Ziraat Bankasi Swift Mesaji.exe | 33% | ReversingLabs | Win32.Trojan.Risis
          Ziraat Bankasi Swift Mesaji.exe | 100% | Joe Sandbox ML |

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

          Source | Detection | Scanner | Label
          1.2.Ziraat Bankasi Swift Mesaji.exe.3050000.4.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          3.1.Ziraat Bankasi Swift Mesaji.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          11.2.colorcpl.exe.4def840.4.unpack | 100% | Avira | TR/Patched.Ren.Gen
          19.0.explorer.exe.bacf840.1.unpack | 100% | Avira | TR/Patched.Ren.Gen
          3.0.Ziraat Bankasi Swift Mesaji.exe.400000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          3.2.Ziraat Bankasi Swift Mesaji.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          3.0.Ziraat Bankasi Swift Mesaji.exe.400000.2.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          3.0.Ziraat Bankasi Swift Mesaji.exe.400000.3.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          11.2.colorcpl.exe.b02338.0.unpack | 100% | Avira | TR/Patched.Ren.Gen
          33.2.explorer.exe.c07f840.1.unpack | 100% | Avira | TR/Patched.Ren.Gen

          Domains

          No Antivirus matches

          URLs


          Domains and IPs

          Contacted Domains

          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          www.ys688.xyz | unknown | unknown | true |  | unknown

            Contacted URLs

            Name | Malicious | Antivirus Detection | Reputation
            www.freedomwoofpackcom.com/a0p6/ | true | Avira URL Cloud: safe | low

            URLs from Memory and Binaries


                  Contacted IPs

                  No contacted IP infos

                  General Information

                  Joe Sandbox Version: 34.0.0 Boulder Opal
                  Analysis ID: 553162
                  Start date: 14.01.2022
                  Start time: 12:12:26
                  Joe Sandbox Product: CloudBasic
                  Overall analysis duration: 0h 11m 20s
                  Hypervisor based Inspection enabled: false
                  Report type: light
                  Sample file name: Ziraat Bankasi Swift Mesaji.exe
                  Cookbook file name: default.jbs
                  Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                  Number of new started processes analysed: 33
                  Number of new started drivers analysed: 0
                  Number of existing processes analysed: 0
                  Number of existing drivers analysed: 0
                  Number of injected processes analysed: 1
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • HDC enabled
                  • AMSI enabled
                  Analysis Mode: default
                  Analysis stop reason: Timeout
                  Detection: MAL
                  Classification: mal100.troj.evad.winEXE@9/4@1/0
                  EGA Information:
                  • Successful, ratio: 100%
                  HDC Information:
                  • Successful, ratio: 36.8% (good quality ratio 33%)
                  • Quality average: 74.9%
                  • Quality standard deviation: 31.5%
                  HCA Information:
                  • Successful, ratio: 87%
                  • Number of executed functions: 0
                  • Number of non-executed functions: 0
                  Cookbook Comments:
                  • Adjust boot time
                  • Enable AMSI
                  • Found application associated with file extension: .exe
                  Warnings:
                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, SearchUI.exe, backgroundTaskHost.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, ShellExperienceHost.exe, WMIADAP.exe, conhost.exe, svchost.exe, mobsync.exe, wuapihost.exe
                  • Excluded IPs from analysis (whitelisted): 23.211.6.115
                  • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, www.bing.com, e12564.dspb.akamaiedge.net, client.wns.windows.com, fs.microsoft.com, store-images.s-microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
                  • Not all processes were analyzed; report is missing behavior information
                  • Report size exceeded maximum capacity and may have missing behavior information.
                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                  • Report size getting too big, too many NtCreateFile calls found.
                  • Report size getting too big, too many NtDeviceIoControlFile calls found.
                  • Report size getting too big, too many NtEnumerateKey calls found.
                  • Report size getting too big, too many NtEnumerateValueKey calls found.
                  • Report size getting too big, too many NtOpenFile calls found.
                  • Report size getting too big, too many NtOpenKey calls found.
                  • Report size getting too big, too many NtOpenKeyEx calls found.
                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                  • Report size getting too big, too many NtQueryAttributesFile calls found.
                  • Report size getting too big, too many NtQueryValueKey calls found.

                  Simulations

                  Behavior and APIs

                  Time | Type | Description
                  12:14:44 | API Interceptor | 315x Sleep call for process: explorer.exe modified

                  Joe Sandbox View / Context

                  IPs

                  No context

                  Domains

                  No context

                  ASN

                  No context

                  JA3 Fingerprints

                  No context

                  Dropped Files

                  No context

                  Created / dropped Files

                  C:\Users\user\AppData\Local\Temp\aaafqvv
                  Process:C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):5080
                  Entropy (8bit):6.142571300023832
                  Encrypted:false
                  SSDEEP:96:H4Qn50iM/USgcGWFDFBGXhxx8InKcZX0FsZxoHCCnzYoRD:35zIvRLQmUKcZXqi4YoZ
                  MD5:23922E85EE8459083CE2625E78A155A6
                  SHA1:2FB6640CAEF2522888D90FABEED29AC3C03A8B70
                  SHA-256:F0BD0A6B004414957490ACE6DFC219B3A9A84DDBEF4C173333E4FF9349D448F2
                  SHA-512:9A530371CC1212AECDA4CD9BD9D9D81E9C7B15AE466D5B428C5448B696C0ADB165A4749FBB6B43B78B438308729F7D8D97EEDBD50ACA04B89536F23BAAAE53BE
                  Malicious:false
                  Reputation:low
                  Preview: -(w....$.$.....0...`...@..`.......7.........!..!..........(..4.!..!..........P..<.!..!....K.....8..D.!..!....J.....`..L......x..`......@..,.....kM....$......UkF....%.......V........,0.k.......l.3...!(..!P..!8..!`..!@..!...2.............!0.!(...x....0........7.l.{.....l.3.....0....1.V....$...`.....x.......x....|U.....U.....x....x........1.V.....b...........V|...?..........Vx...............Vx...$.$..`...7.......(..........b.............,.|....`....x..x..M...(...4....x.U5...(...4...x..`...(...?..E....:..........!x..............0..w7.0......0.1.V....$.$...`...7......`..........b.............,......`........x..x..M...`...L....x.U5...`...L....x.E5..`...L..|kM.x..F...`..L....x.U5...`...L...x..`...`....b..B....;.......h..x....h...g.!h.!|.!..!..!x..............0..w7.0......0.1.V|...$.$t7.......,..........b.............,......`....x..x..M...,........x.U5...,.......x..`...,...........l......z.!
                  C:\Users\user\AppData\Local\Temp\fwb2jz7v09bp1l5p5b
                  Process:C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):219922
                  Entropy (8bit):7.99314474006626
                  Encrypted:true
                  SSDEEP:6144:heFFpHd3XORiMtWb71jHFoHazbPH5IKQqd+UPOwuO69:EjBTMsNhEavpwUA
                  MD5:933EC2281DD8AA578A2514079575BD9F
                  SHA1:4BF4E25B2DE0F35E57CCCA6C6C401EB15DD01B29
                  SHA-256:6548B64155A7E33D1097C82F3A0B21D7A05DE87265E3575EF792A83CE7032F64
                  SHA-512:303671B94C0A7C0FEB784F920902E3E6C56851C4AD6F1801DBE8F2E49D7489CC05197C95EA83A55B913915528880171AD7773CA73F0568FD882E4E1C73C3720C
                  Malicious:false
                  Reputation:low
                  Preview: 5.K.}Y..*..y...m..{%.X...S`)A`..},`.*.!.%]......<..i..?.K.u.Y.>...g2......O...z....a.....V..CJ@L...&.....k..@...&.^...:..I...D.3,.7.L~^..e...G0 .n.q|..9.D..-FN..'3k..*.cr....H..[j...j.w..a^Wk..$..W.|..p..UF.$5~.$...;K.c9a..N......C..1....!....|Y......{.!....%>....{.2..h.},..*.!.%]......<..i..?.K..Y..u..g.lr^..#.$../..n...0...r.........).:..........{.36..&.^...:.......W`....!.....3.... TDQu..[9?.....GOXh...*.cr...aBy1Wj.....w]....[...$..W.|r...#.vUZij1~.$...;@..9a..N.K.....C..1..l.!K.t.|Y..*...{.!..<.%>]...{.2]..},`.*.!.%]......<..i..?.K..Y..u..g.lr^..#.$../..n...0...r.........).:..........{.36..&.^...:.......W`....!.....3.... TDQu..[9?.....GOXh...*.cr....H..[j.....w].....K..$..W.|r...#.vUFij5~.$...;@..9a..N.K.....C..1..l.!K.t.|Y..*...{.!..<.%>]...{.2]..},`.*.!.%]......<..i..?.K..Y..u..g.lr^..#.$../..n...0...r.........).:..........{.36..&.^...:.......W`....!.....3.... TDQu..[9?.....GOXh...*.cr....H..[j.....w].....K..$..W.|r...#.vUFij5~.$...;
                  C:\Users\user\AppData\Local\Temp\nsrE0A0.tmp
                  Process:C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):256999
                  Entropy (8bit):7.698968485447416
                  Encrypted:false
                  SSDEEP:6144:BUs4eFFpHd3XORiMtWb71jHFoHazbPH5IKQqd+UPOwuO6n:XRjBTMsNhEavpwUc
                  MD5:158AEB31B92164491FC3B713E71BFAE5
                  SHA1:BC4384095260A6AD3FFF1C9C13A621448E1170C9
                  SHA-256:63879322D4A8655F3D164368EAD45E3179EACDAC101ACB0592EE3132983ED638
                  SHA-512:536A9540A9EA5C574F685D0354F5480FC0CA5911A91E44D9D2280663B2CCA15A67986C88E0329EBE251E534710242E5ABEFC430707FA0123A36ABBF285F2F76C
                  Malicious:false
                  Reputation:low
                  Preview: .l......,........................Q.......l.......l..............................................................=...........................................................................................................................................................................J...............w...j...........................................................................................................................................\...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                  C:\Users\user\AppData\Local\Temp\nsrE0A1.tmp\kiicqtduhx.dll
                  Process:C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe
                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                  Category:dropped
                  Size (bytes):4096
                  Entropy (8bit):3.8015980505764273
                  Encrypted:false
                  SSDEEP:24:e1GSb0JDlhEcQMV3ax/+A6zDctxVrJ00JDTyj1a5DTyxk8q6I1nPnRuV4MPgicfk:SgZ8h4Wzrqi79r6IPRuqSyOyO
                  MD5:A85B7C70D00F1A15BE15108BB6F5601E
                  SHA1:E3BD606BE8D0C6DBF87BC4F92CAC260F5353C507
                  SHA-256:DE9BF1EAFF348707D8ED3F4DDF31B696EDAAF6A2E1B228785198258EC8CD6706
                  SHA-512:48F40F0095F31C9666D555A73D10A34A058ABCE9FD17A5A99ACCA7DCC2A8E90AEB18877126BD34456747B264425AE9A9DD937B79E3330690BCAB4A816C76A725
                  Malicious:false
                  Reputation:low
                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........U.CU.CU.C...CT.C0..BZ.CU.Cw.C..BT.C..BT.C.QCT.C..BT.CRichU.C........PE..L....+.a...........!......................... ...............................P............@.......................... ..L.... .......0.......................@..L.................................................... ...............................text...|........................... ..`.rdata..j.... ......................@..@.rsrc........0......................@..@.reloc..L....@......................@..B........................................................................................................................................................................................................................................................................................................................................................................................

                  Static File Info

                  General

                  File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                  Entropy (8bit):7.927294615366343
                  TrID:
                  • Win32 Executable (generic) a (10002005/4) 92.16%
                  • NSIS - Nullsoft Scriptable Install System (846627/2) 7.80%
                  • Generic Win/DOS Executable (2004/3) 0.02%
                  • DOS Executable Generic (2002/1) 0.02%
                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                  File name:Ziraat Bankasi Swift Mesaji.exe
                  File size:248844
                  MD5:bb5ab5b4895da7f1eddbaf67d7fe6067
                  SHA1:8fcfc099505b7d825f8176af5d2a0dedfd7f39f2
                  SHA256:c274f37d52a6ef7300164ed5c964426b853c7cd3938310a10211439a4b5413ba
                  SHA512:fe558a8fe2f91888ba090b091a1e8e1b04b21ebfc05fcdf4e633790597f597ae437801df7b489ef3f1faff4a9c51db6a7c77de765be2f3df8426ee1d65e507ca
                  SSDEEP:3072:oNyah0mJo5+uoVPvlKLhdo9auOECcQV6a5iI3cHPWexwwqt2DbXfwIFLahXs4VSi:ow1Ivod29iECcQ0IsvWexwdUwZs4kgNr
                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........uJ...$...$...$./.{...$...%.:.$.".y...$..7....$.f."...$.Rich..$.................PE..L......H.................Z..........%2.....

                  File Icon

                  Icon Hash:b2a88c96b2ca6a72

                  Static PE Info

                  General

                  Entrypoint:0x403225
                  Entrypoint Section:.text
                  Digitally signed:false
                  Imagebase:0x400000
                  Subsystem:windows gui
                  Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                  DLL Characteristics:
                  Time Stamp:0x48EFCDC9 [Fri Oct 10 21:48:57 2008 UTC]
                  TLS Callbacks:
                  CLR (.Net) Version:
                  OS Version Major:4
                  OS Version Minor:0
                  File Version Major:4
                  File Version Minor:0
                  Subsystem Version Major:4
                  Subsystem Version Minor:0
                  Import Hash:099c0646ea7282d232219f8807883be0

                  Entrypoint Preview

                  Instruction
                  sub esp, 00000180h
                  push ebx
                  push ebp
                  push esi
                  xor ebx, ebx
                  push edi
                  mov dword ptr [esp+18h], ebx
                  mov dword ptr [esp+10h], 00409128h
                  xor esi, esi
                  mov byte ptr [esp+14h], 00000020h
                  call dword ptr [00407030h]
                  push 00008001h
                  call dword ptr [004070B4h]
                  push ebx
                  call dword ptr [0040727Ch]
                  push 00000008h
                  mov dword ptr [00423F58h], eax
                  call 00007F8DDC72F940h
                  mov dword ptr [00423EA4h], eax
                  push ebx
                  lea eax, dword ptr [esp+34h]
                  push 00000160h
                  push eax
                  push ebx
                  push 0041F450h
                  call dword ptr [00407158h]
                  push 004091B0h
                  push 004236A0h
                  call 00007F8DDC72F5F7h
                  call dword ptr [004070B0h]
                  mov edi, 00429000h
                  push eax
                  push edi
                  call 00007F8DDC72F5E5h
                  push ebx
                  call dword ptr [0040710Ch]
                  cmp byte ptr [00429000h], 00000022h
                  mov dword ptr [00423EA0h], eax
                  mov eax, edi
                  jne 00007F8DDC72CE0Ch
                  mov byte ptr [esp+14h], 00000022h
                  mov eax, 00429001h
                  push dword ptr [esp+14h]
                  push eax
                  call 00007F8DDC72F0D8h
                  push eax
                  call dword ptr [0040721Ch]
                  mov dword ptr [esp+1Ch], eax
                  jmp 00007F8DDC72CE65h
                  cmp cl, 00000020h
                  jne 00007F8DDC72CE08h
                  inc eax
                  cmp byte ptr [eax], 00000020h
                  je 00007F8DDC72CDFCh
                  cmp byte ptr [eax], 00000022h
                  mov byte ptr [eax+eax+00h], 00000000h

                  Rich Headers

                  Programming Language:
                  • [EXP] VC++ 6.0 SP5 build 8804

                  Data Directories

                  Name | Virtual Address | Virtual Size | Is in Section
                  IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_IMPORT | 0x73a4 | 0xb4 | .rdata
                  IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2c000 | 0x900 | .rsrc
                  IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x28c | .rdata
                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                  Sections

                  Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                  .text | 0x1000 | 0x5976 | 0x5a00 | False | 0.668619791667 | data | 6.46680044621 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                  .rdata | 0x7000 | 0x1190 | 0x1200 | False | 0.444878472222 | data | 5.17796812871 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                  .data | 0x9000 | 0x1af98 | 0x400 | False | 0.55078125 | data | 4.68983486809 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                  .ndata | 0x24000 | 0x8000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
                  .rsrc | 0x2c000 | 0x900 | 0xa00 | False | 0.409375 | data | 3.94693169534 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                  Resources

                  Name | RVA | Size | Type | Language | Country
                  RT_ICON | 0x2c190 | 0x2e8 | data | English | United States
                  RT_DIALOG | 0x2c478 | 0x100 | data | English | United States
                  RT_DIALOG | 0x2c578 | 0x11c | data | English | United States
                  RT_DIALOG | 0x2c698 | 0x60 | data | English | United States
                  RT_GROUP_ICON | 0x2c6f8 | 0x14 | data | English | United States
                  RT_MANIFEST | 0x2c710 | 0x1eb | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States

                  Imports

                  DLL | Import
                  KERNEL32.dll | CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, CreateFileA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetFileTime, GetTempPathA, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetWindowsDirectoryA
                  USER32.dll | EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
                  GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
                  SHELL32.dll | SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
                  ADVAPI32.dll | RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
                  COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
                  ole32.dll | CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
                  VERSION.dll | GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

                  Possible Origin

                  Language of compilation system | Country where language is spoken | Map
                  English | United States |

                  Network Behavior

                  Network Port Distribution

                  UDP Packets

                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                  Jan 14, 2022 12:15:59.854818106 CET | 62116 | 53 | 192.168.2.6 | 8.8.8.8
                  Jan 14, 2022 12:15:59.887609959 CET | 53 | 62116 | 8.8.8.8 | 192.168.2.6

                  DNS Queries

                  Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                  Jan 14, 2022 12:15:59.854818106 CET | 192.168.2.6 | 8.8.8.8 | 0xd9f4 | Standard query (0) | www.ys688.xyz | A (IP address) | IN (0x0001)

                  DNS Answers

                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                  Jan 14, 2022 12:15:59.887609959 CET | 8.8.8.8 | 192.168.2.6 | 0xd9f4 | Name error (3) | www.ys688.xyz | none | none | A (IP address) | IN (0x0001)

                  Code Manipulations

                  Statistics

                  Behavior


                  System Behavior

                  General

                  Start time:12:13:38
                  Start date:14/01/2022
                  Path:C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe"
                  Imagebase:0x400000
                  File size:248844 bytes
                  MD5 hash:BB5AB5B4895DA7F1EDDBAF67D7FE6067
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.377484332.0000000003050000.00000004.00000001.sdmp, Author: Joe Security
                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.377484332.0000000003050000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.377484332.0000000003050000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                  Reputation:low

                  General

                  Start time:12:13:40
                  Start date:14/01/2022
                  Path:C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe"
                  Imagebase:0x400000
                  File size:248844 bytes
                  MD5 hash:BB5AB5B4895DA7F1EDDBAF67D7FE6067
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000001.376553796.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000001.376553796.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000001.376553796.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.436846842.0000000000490000.00000040.00020000.sdmp, Author: Joe Security
                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.436846842.0000000000490000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.436846842.0000000000490000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000000.374508026.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000000.374508026.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000000.374508026.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000000.375573868.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000000.375573868.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000000.375573868.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.436931041.00000000004C0000.00000040.00020000.sdmp, Author: Joe Security
                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.436931041.00000000004C0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.436931041.00000000004C0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.436115346.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.436115346.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.436115346.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                  Reputation:low

                  General

                  Start time:12:13:45
                  Start date:14/01/2022
                  Path:C:\Windows\explorer.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\Explorer.EXE
                  Imagebase:0x7ff6f22f0000
                  File size:3933184 bytes
                  MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.412084086.000000000F0C5000.00000040.00020000.sdmp, Author: Joe Security
                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.412084086.000000000F0C5000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.412084086.000000000F0C5000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                  Reputation:high

                  General

                  Start time:12:14:07
                  Start date:14/01/2022
                  Path:C:\Windows\SysWOW64\colorcpl.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Windows\SysWOW64\colorcpl.exe
                  Imagebase:0x1150000
                  File size:86528 bytes
                  MD5 hash:746F3B5E7652EA0766BA10414D317981
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.647118949.0000000000880000.00000040.00020000.sdmp, Author: Joe Security
                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.647118949.0000000000880000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                  • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.647118949.0000000000880000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.649679782.00000000010F0000.00000004.00000001.sdmp, Author: Joe Security
                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.649679782.00000000010F0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                  • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.649679782.00000000010F0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.649486951.00000000010C0000.00000040.00020000.sdmp, Author: Joe Security
                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.649486951.00000000010C0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                  • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.649486951.00000000010C0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                  Reputation:moderate

                  General

                  Start time:12:14:13
                  Start date:14/01/2022
                  Path:C:\Windows\SysWOW64\cmd.exe
                  Wow64 process (32bit):true
                  Commandline:/c del "C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe"
                  Imagebase:0x2a0000
                  File size:232960 bytes
                  MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  General

                  Start time:12:14:15
                  Start date:14/01/2022
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff61de10000
                  File size:625664 bytes
                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  General

                  Start time:12:14:43
                  Start date:14/01/2022
                  Path:C:\Windows\explorer.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Windows\explorer.exe" /LOADSAVEDWINDOWS
                  Imagebase:0x7ff6f22f0000
                  File size:3933184 bytes
                  MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  General

                  Start time:12:15:42
                  Start date:14/01/2022
                  Path:C:\Windows\explorer.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Windows\explorer.exe" /LOADSAVEDWINDOWS
                  Imagebase:0x7ff6f22f0000
                  File size:3933184 bytes
                  MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  Disassembly

                  Code Analysis
