Windows Analysis Report
Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe

Overview

General Information

Sample Name: Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe
Analysis ID: 562448
MD5: 1e1b323d9ef356f5f457c5050d7dc331
SHA1: 219791b4bda0b95dfea2f91ed0288c5c1cfa57b8
SHA256: 80891c5a3008823875c7401d8df90c02989e65832b0b2681eea2c1448ddd31ce
Tags: AgentTesla, exe, geo, TUR

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected AntiVM3
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Sigma detected: Powershell Defender Exclusion
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Moves itself to temp directory
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
Creates processes with suspicious names
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

AV Detection

Source: 15.0.Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe.400000.4.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "genelmudur@carmar.com.tr", "Password": "412Abc", "Host": "mail.carmar.com.tr"}
Source: Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe ReversingLabs: Detection: 30%
Source: Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Joe Sandbox ML: detected
Source: 15.0.Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe.400000.4.unpack Avira: Label: TR/Spy.Gen8
Source: 15.2.Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8
Source: 15.0.Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe.400000.8.unpack Avira: Label: TR/Spy.Gen8
Source: 15.0.Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe.400000.6.unpack Avira: Label: TR/Spy.Gen8
Source: 15.0.Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe.400000.12.unpack Avira: Label: TR/Spy.Gen8
Source: 15.0.Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe.400000.10.unpack Avira: Label: TR/Spy.Gen8

Compliance

Source: Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: TypeEnt.pdb source: Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe

Software Vulnerabilities

Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Code function: 4x nop then jmp 0747A580h 0_2_07479B21
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Code function: 4x nop then jmp 0747A580h 0_2_0747A49E
Source: Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe, 00000000.00000002.332497835.0000000006D72000.00000004.00000800.00020000.00000000.sdmp, Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe, 00000000.00000003.262012517.0000000005B67000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe, 00000000.00000003.262012517.0000000005B67000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cnvad
Source: Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe, 00000000.00000003.262012517.0000000005B67000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cnz
Source: Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe, 00000000.00000002.330362028.0000000003D19000.00000004.00000800.00020000.00000000.sdmp, Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe, 0000000F.00000000.316671287.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe, 0000000F.00000000.323791694.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe, 0000000F.00000002.520060888.0000000002F91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

System Summary

Source: 15.0.Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe.2d5db1c.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 15.2.Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe.3e3b418.3.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 15.0.Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 15.0.Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe.3e3b418.3.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe.3e051f8.2.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 15.0.Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 15.0.Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe.3e051f8.2.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0000000F.00000002.520060888.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: Process Memory Space: Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe PID: 6596, type: MEMORYSTR Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 15.0.Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe.400000.4.unpack, u003cPrivateImplementationDetailsu003eu007bBFA140DAu002dEEE9u002d48A1u002dB952u002d75AF62DA51D4u007d/AA0AC562u002d74C9u002d4813u002d86CEu002dAE2C00050603.cs Large array initialization: .cctor: array initializer size 11956
Source: Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: 15.0.Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe.2d5db1c.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 15.2.Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe.3e3b418.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 15.0.Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 15.0.Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe.3e3b418.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe.3e051f8.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 15.0.Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 15.0.Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe.3e051f8.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0000000F.00000002.520060888.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: Process Memory Space: Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe PID: 6596, type: MEMORYSTR Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Code function: 0_2_013B75F0 0_2_013B75F0
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Code function: 0_2_013B75EF 0_2_013B75EF
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Code function: 0_2_013B783F 0_2_013B783F
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Code function: 0_2_013B7D06 0_2_013B7D06
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Code function: 0_2_074798F0 0_2_074798F0
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Code function: 0_2_07470040 0_2_07470040
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Code function: 0_2_07470027 0_2_07470027
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Code function: 0_2_0747003B 0_2_0747003B
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Code function: 15_2_052E47A0 15_2_052E47A0
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Code function: 15_2_052E4710 15_2_052E4710
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Code function: 15_2_052E4790 15_2_052E4790
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Code function: 15_2_052E46B0 15_2_052E46B0
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Code function: 15_2_06246508 15_2_06246508
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Code function: 15_2_062490D8 15_2_062490D8
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Code function: 15_2_06247120 15_2_06247120
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Code function: 15_2_06246850 15_2_06246850
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Process Stats: CPU usage > 98%
Source: Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe, 00000000.00000002.333838504.0000000007C80000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameUI.dllF vs Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe
Source: Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe, 00000000.00000002.329570951.0000000002D11000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe
Source: Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe, 00000000.00000002.329570951.0000000002D11000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSafeSerializationManager.dll: vs Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe
Source: Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe, 00000000.00000002.329570951.0000000002D11000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamegjIgjaWlvfkrRhCfyZyuqtOC.exe4 vs Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe
Source: Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe, 00000000.00000002.330362028.0000000003D19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamegjIgjaWlvfkrRhCfyZyuqtOC.exe4 vs Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe
Source: Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe, 00000000.00000002.330362028.0000000003D19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUI.dllF vs Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe
Source: Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe, 00000000.00000002.327804684.0000000000978000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameTypeEnt.exe4 vs Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe
Source: Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe, 0000000F.00000000.324706981.0000000000A38000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameTypeEnt.exe4 vs Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe
Source: Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe, 0000000F.00000000.323791694.0000000000402000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilenamegjIgjaWlvfkrRhCfyZyuqtOC.exe4 vs Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe
Source: Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe, 0000000F.00000002.519668413.000000000114A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe
Source: Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Binary or memory string: OriginalFilenameTypeEnt.exe4 vs Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe
Source: Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe ReversingLabs: Detection: 30%
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe File read: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe:Zone.Identifier Jump to behavior
Source: Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe "C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe"
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Process created: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe.log Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4g24fjq2.2lp.ps1 Jump to behavior
Source: classification engine Classification label: mal100.troj.evad.winEXE@6/5@0/0
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Mutant created: \Sessions\1\BaseNamedObjects\uQEWLYAAlg
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6800:120:WilError_01
Source: Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe, Oz/uB.cs Cryptographic APIs: 'CreateDecryptor'
Source: 15.0.Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe.400000.4.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: TypeEnt.pdb source: Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe

Data Obfuscation

Source: Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe, wx/M7.cs .Net Code: ody System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe, Oz/uB.cs .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Code function: 0_2_0747A618 push es; retf 0_2_0747A5BF
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Code function: 0_2_0747953B push edx; iretd 0_2_07479542
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Code function: 0_2_07479539 push ebx; iretd 0_2_0747953A
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Code function: 0_2_07479463 push ecx; iretd 0_2_0747946A
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Code function: 0_2_07479460 push ecx; iretd 0_2_07479462
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Code function: 0_2_074794C0 push ecx; iretd 0_2_074794C2
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Code function: 0_2_074793F8 push ecx; iretd 0_2_074793FA
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Code function: 0_2_0747725F push eax; iretd 0_2_07477261
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Code function: 0_2_074791A0 push eax; iretd 0_2_074791A2
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Code function: 15_2_052ED972 push edi; iretd 15_2_052ED974
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Code function: 15_2_06248122 push es; ret 15_2_06248130

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe File created: \garanti bbva #u00d6deme havalesi dekontu 28012022.exe

Hooking and other Techniques for Hiding and Protection

Source: c:\users\user\desktop\garanti bbva #u00d6deme havalesi dekontu 28012022.exe File moved: C:\Users\user\AppData\Local\Temp\tmpG701.tmp Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: Yara match File source: 0.2.Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe.2d5db1c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.329570951.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.329852964.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe PID: 6932, type: MEMORYSTR
Source: Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe, 00000000.00000002.329570951.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe, 00000000.00000002.329852964.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe, 00000000.00000002.329570951.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe, 00000000.00000002.329852964.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe TID: 6936 Thread sleep time: -34555s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe TID: 6988 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7056 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7052 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe TID: 6968 Thread sleep time: -11068046444225724s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe TID: 6964 Thread sleep count: 2167 > 30 Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe TID: 6964 Thread sleep count: 7684 > 30 Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5211 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 659 Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Window / User API: threadDelayed 2167 Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Window / User API: threadDelayed 7684 Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Thread delayed: delay time: 34555 Jump to behavior
Source: Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe, 00000000.00000002.329852964.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe, 00000000.00000002.329852964.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe, 00000000.00000002.329852964.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe, 00000000.00000002.329852964.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Anti Debugging

Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Memory written: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Process created: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Jump to behavior

Language, Device and Operating System Detection

Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe Code function: 15_2_06245594 GetUserNameW, 15_2_06245594

Stealing of Sensitive Information

Source: Yara match File source: 15.0.Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe.3e3b418.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe.3e3b418.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe.3e051f8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe.3e051f8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000000.316671287.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.323791694.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.320122355.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.324398989.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.518192631.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.330362028.0000000003D19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.520060888.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe PID: 6932, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe PID: 6596, type: MEMORYSTR
Source: Yara match File source: 0000000F.00000002.520060888.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe PID: 6596, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 15.0.Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe.3e3b418.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe.3e3b418.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe.3e051f8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe.3e051f8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000000.316671287.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.323791694.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.320122355.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.324398989.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.518192631.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.330362028.0000000003D19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.520060888.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe PID: 6932, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Garanti BBVA #U00d6deme havalesi dekontu 28012022.exe PID: 6596, type: MEMORYSTR
No contacted IP infos