Windows Analysis Report
Ziraat Bankasi Swift Mesaji.exe

Antivirus detection for URL or domain

Source: Yara match	File source: 0.2.Ziraat Bankasi Swift Mesaji.exe.44bbf10.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.Ziraat Bankasi Swift Mesaji.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Ziraat Bankasi Swift Mesaji.exe.44eb6c0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.Ziraat Bankasi Swift Mesaji.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.Ziraat Bankasi Swift Mesaji.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.Ziraat Bankasi Swift Mesaji.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.Ziraat Bankasi Swift Mesaji.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Ziraat Bankasi Swift Mesaji.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Ziraat Bankasi Swift Mesaji.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Ziraat Bankasi Swift Mesaji.exe.43221b0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000000.403126818.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.632202833.0000000000B90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.455844055.000000000DE2E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.404005637.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.476604607.000000000DE2E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.511417797.00000000014C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.511211883.0000000001380000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.633141128.0000000003390000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.409834205.0000000004322000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.634227955.0000000004AF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.510795876.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Source: www.wwohead.com/ah6m/	Avira URL Cloud: Label: malware
Source: http://www.wwohead.com/ah6m/	Avira URL Cloud: Label: malware
Source: http://www.wwohead.com/ah6m/www.51cdfang.com	Avira URL Cloud: Label: malware
Source: http://www.stringm.com/ah6m/	Avira URL Cloud: Label: malware
Source: http://www.stringm.com/ah6m/www.yuh-gal-p.xyz	Avira URL Cloud: Label: malware

Source: 2.0.Ziraat Bankasi Swift Mesaji.exe.400000.4.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.0.Ziraat Bankasi Swift Mesaji.exe.400000.6.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.0.Ziraat Bankasi Swift Mesaji.exe.400000.8.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.2.Ziraat Bankasi Swift Mesaji.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Source: Ziraat Bankasi Swift Mesaji.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: Ziraat Bankasi Swift Mesaji.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: control.pdb source: Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.512357918.0000000001900000.00000040.10000000.00040000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.511820567.0000000001549000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: Ziraat Bankasi Swift Mesaji.exe, 00000002.00000003.406485483.00000000017EE000.00000004.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.513084585.0000000001A9F000.00000040.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.512556950.0000000001980000.00000040.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000003.404458480.0000000001647000.00000004.00000800.00020000.00000000.sdmp, control.exe, 0000000B.00000003.512780050.0000000004C95000.00000004.00000800.00020000.00000000.sdmp, control.exe, 0000000B.00000002.644924217.0000000004E30000.00000040.00000800.00020000.00000000.sdmp, control.exe, 0000000B.00000002.665198804.0000000004F4F000.00000040.00000800.00020000.00000000.sdmp, control.exe, 0000000B.00000003.510727580.0000000004AF3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Ziraat Bankasi Swift Mesaji.exe, 00000002.00000003.406485483.00000000017EE000.00000004.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.513084585.0000000001A9F000.00000040.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.512556950.0000000001980000.00000040.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000003.404458480.0000000001647000.00000004.00000800.00020000.00000000.sdmp, control.exe, control.exe, 0000000B.00000003.512780050.0000000004C95000.00000004.00000800.00020000.00000000.sdmp, control.exe, 0000000B.00000002.644924217.0000000004E30000.00000040.00000800.00020000.00000000.sdmp, control.exe, 0000000B.00000002.665198804.0000000004F4F000.00000040.00000800.00020000.00000000.sdmp, control.exe, 0000000B.00000003.510727580.0000000004AF3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Administrator\Desktop\Client\Temp\FRJeWenFHc\src\obj\x86\Debug\CallingConvent.pdb source: Ziraat Bankasi Swift Mesaji.exe, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000000.401671865.0000000000D72000.00000002.00000001.01000000.00000003.sdmp, control.exe, 0000000B.00000002.666266960.000000000535F000.00000004.10000000.00040000.00000000.sdmp, explorer.exe, 00000015.00000000.615015403.00000000069EF000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: control.pdbUGP source: Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.512357918.0000000001900000.00000040.10000000.00040000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.511820567.0000000001549000.00000004.00000020.00020000.00000000.sdmp

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.wwohead.com/ah6m/

Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.413299631.0000000007422000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000004.00000000.463834252.00000000026D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.442686652.00000000026D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.411056762.00000000026D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.498956126.00000000026D0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ns.adobY
Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.51cdfang.com
Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.51cdfang.com/ah6m/
Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.51cdfang.com/ah6m/www.theguaranteedadmissions.com
Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.51cdfang.comReferer:
Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.aerialdatainc.com
Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.aerialdatainc.com/ah6m/
Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.aerialdatainc.com/ah6m/www.planet-ideam.com
Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.aerialdatainc.comReferer:
Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.alltinyildiz.com
Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.alltinyildiz.com/ah6m/
Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.alltinyildiz.com/ah6m/www.xiaochunge.top
Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.alltinyildiz.comReferer:
Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.413299631.0000000007422000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.413299631.0000000007422000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.difan-mobile.com
Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.difan-mobile.com/ah6m/
Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.difan-mobile.com/ah6m/www.nontradebulkcement.online
Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.difan-mobile.comReferer:
Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.everythingmandab.com
Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.everythingmandab.com/ah6m/
Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.everythingmandab.com/ah6m/www.stringm.com
Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.everythingmandab.comReferer:
Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.413299631.0000000007422000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.413299631.0000000007422000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.413299631.0000000007422000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.413299631.0000000007422000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.413299631.0000000007422000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.413299631.0000000007422000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.413299631.0000000007422000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.413299631.0000000007422000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.413299631.0000000007422000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.413299631.0000000007422000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.413299631.0000000007422000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.413299631.0000000007422000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.gabimejia.com
Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.gabimejia.com/ah6m/
Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.gabimejia.com/ah6m/www.wwohead.com
Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.gabimejia.comReferer:
Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.413299631.0000000007422000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.413299631.0000000007422000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.glencoreprocurement.com
Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.glencoreprocurement.com/ah6m/
Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.glencoreprocurement.com/ah6m/www.thesoupproject.net
Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.glencoreprocurement.comReferer:
Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.413299631.0000000007422000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.hummingbirdfeederhat.com
Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.hummingbirdfeederhat.com/ah6m/
Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.hummingbirdfeederhat.comReferer:
Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.413299631.0000000007422000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.nontradebulkcement.online
Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.nontradebulkcement.online/ah6m/
Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.nontradebulkcement.online/ah6m/www.hummingbirdfeederhat.com
Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.nontradebulkcement.onlineReferer:
Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.planet-ideam.com
Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.planet-ideam.com/ah6m/
Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.planet-ideam.com/ah6m/www.glencoreprocurement.com
Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.planet-ideam.comReferer:
Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.413299631.0000000007422000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.413299631.0000000007422000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.413299631.0000000007422000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.stringm.com
Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.stringm.com/ah6m/
Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.stringm.com/ah6m/www.yuh-gal-p.xyz
Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.stringm.comReferer:
Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.theguaranteedadmissions.com
Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.theguaranteedadmissions.com/ah6m/
Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.theguaranteedadmissions.com/ah6m/www.aerialdatainc.com
Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.theguaranteedadmissions.comReferer:
Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.thesoupproject.net
Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.thesoupproject.net/ah6m/
Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.thesoupproject.net/ah6m/www.everythingmandab.com
Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.thesoupproject.netReferer:
Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.413299631.0000000007422000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.413299631.0000000007422000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.413299631.0000000007422000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.wwohead.com
Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.wwohead.com/ah6m/
Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.wwohead.com/ah6m/www.51cdfang.com
Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.wwohead.comReferer:
Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.xiaochunge.top
Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.xiaochunge.top/ah6m/
Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.xiaochunge.top/ah6m/www.difan-mobile.com
Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.xiaochunge.topReferer:
Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.yuh-gal-p.xyz
Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.yuh-gal-p.xyz/ah6m/
Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.yuh-gal-p.xyz/ah6m/www.alltinyildiz.com
Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.yuh-gal-p.xyzReferer:
Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.413299631.0000000007422000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: Ziraat Bankasi Swift Mesaji.exe	String found in binary or memory: https://github.com
Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000000.359661923.0000000000EB2000.00000002.00000001.01000000.00000003.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000000.401671865.0000000000D72000.00000002.00000001.01000000.00000003.sdmp, control.exe, 0000000B.00000002.666266960.000000000535F000.00000004.10000000.00040000.00000000.sdmp, explorer.exe, 00000015.00000000.615015403.00000000069EF000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/dcoetzee/plants-vs-zombies-user-file-editor

Source: unknown

DNS traffic detected: queries for: www.gabimejia.com

E-Banking Fraud

Malicious sample detected (through community Yara rule)

Source: Yara match	File source: 0.2.Ziraat Bankasi Swift Mesaji.exe.44bbf10.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.Ziraat Bankasi Swift Mesaji.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Ziraat Bankasi Swift Mesaji.exe.44eb6c0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.Ziraat Bankasi Swift Mesaji.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.Ziraat Bankasi Swift Mesaji.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.Ziraat Bankasi Swift Mesaji.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.Ziraat Bankasi Swift Mesaji.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Ziraat Bankasi Swift Mesaji.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Ziraat Bankasi Swift Mesaji.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Ziraat Bankasi Swift Mesaji.exe.43221b0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000000.403126818.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.632202833.0000000000B90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.455844055.000000000DE2E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.404005637.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.476604607.000000000DE2E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.511417797.00000000014C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.511211883.0000000001380000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.633141128.0000000003390000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.409834205.0000000004322000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.634227955.0000000004AF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.510795876.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.44eb6c0.5.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.44bbf10.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.44bbf10.6.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.44bbf10.6.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.Ziraat Bankasi Swift Mesaji.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.Ziraat Bankasi Swift Mesaji.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.44eb6c0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.44eb6c0.5.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.44eb6c0.5.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.Ziraat Bankasi Swift Mesaji.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.Ziraat Bankasi Swift Mesaji.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.Ziraat Bankasi Swift Mesaji.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.Ziraat Bankasi Swift Mesaji.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.7b70000.9.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 2.0.Ziraat Bankasi Swift Mesaji.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.Ziraat Bankasi Swift Mesaji.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.Ziraat Bankasi Swift Mesaji.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.Ziraat Bankasi Swift Mesaji.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.Ziraat Bankasi Swift Mesaji.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.Ziraat Bankasi Swift Mesaji.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.Ziraat Bankasi Swift Mesaji.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.Ziraat Bankasi Swift Mesaji.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.7b70000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.43221b0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.43221b0.7.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.43221b0.7.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000000.403126818.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000000.403126818.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.632202833.0000000000B90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.632202833.0000000000B90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.455844055.000000000DE2E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000000.455844055.000000000DE2E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000000.404005637.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000000.404005637.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.476604607.000000000DE2E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000000.476604607.000000000DE2E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.414265819.0000000007B70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects zgRAT Author: ditekSHen
Source: 00000002.00000002.511417797.00000000014C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.511417797.00000000014C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.511211883.0000000001380000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.511211883.0000000001380000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.633141128.0000000003390000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.633141128.0000000003390000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.409834205.0000000004322000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.409834205.0000000004322000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.634227955.0000000004AF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.634227955.0000000004AF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.510795876.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.510795876.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: explorer.exe PID: 1388, type: MEMORYSTR	Matched rule: Semi-Auto-generated - file ironshell.php.txt Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls

Source: Ziraat Bankasi Swift Mesaji.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.44eb6c0.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.44bbf10.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.44bbf10.6.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.44bbf10.6.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.Ziraat Bankasi Swift Mesaji.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.Ziraat Bankasi Swift Mesaji.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.44eb6c0.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.44eb6c0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.44eb6c0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.Ziraat Bankasi Swift Mesaji.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.Ziraat Bankasi Swift Mesaji.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.Ziraat Bankasi Swift Mesaji.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.Ziraat Bankasi Swift Mesaji.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.7b70000.9.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 2.0.Ziraat Bankasi Swift Mesaji.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.Ziraat Bankasi Swift Mesaji.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.Ziraat Bankasi Swift Mesaji.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.Ziraat Bankasi Swift Mesaji.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.Ziraat Bankasi Swift Mesaji.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.Ziraat Bankasi Swift Mesaji.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.Ziraat Bankasi Swift Mesaji.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.Ziraat Bankasi Swift Mesaji.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.7b70000.9.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.43221b0.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.43221b0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.43221b0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000000.403126818.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000000.403126818.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.632202833.0000000000B90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.632202833.0000000000B90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000000.455844055.000000000DE2E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000000.455844055.000000000DE2E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000000.404005637.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000000.404005637.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000000.476604607.000000000DE2E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000000.476604607.000000000DE2E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.414265819.0000000007B70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 00000002.00000002.511417797.00000000014C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.511417797.00000000014C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.511211883.0000000001380000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.511211883.0000000001380000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.633141128.0000000003390000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.633141128.0000000003390000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.409834205.0000000004322000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.409834205.0000000004322000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.634227955.0000000004AF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.634227955.0000000004AF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.510795876.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.510795876.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: explorer.exe PID: 1388, type: MEMORYSTR	Matched rule: ironshell_php author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - file ironshell.php.txt, hash = 8bfa2eeb8a3ff6afc619258e39fded56

Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 0_2_00EB4714	0_2_00EB4714
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 0_2_0322F071	0_2_0322F071
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 0_2_0322F080	0_2_0322F080
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 0_2_0322D65C	0_2_0322D65C
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_00401030	2_2_00401030
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_004012FB	2_2_004012FB
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_0041D5C2	2_2_0041D5C2
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_0041EDE5	2_2_0041EDE5
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_00402D87	2_2_00402D87
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_00402D90	2_2_00402D90
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_00409E4B	2_2_00409E4B
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_00409E50	2_2_00409E50
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_0041E613	2_2_0041E613
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_00402FB0	2_2_00402FB0
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_0041DFB2	2_2_0041DFB2
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_00D74714	2_2_00D74714
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E6B090	11_2_04E6B090
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04F11002	11_2_04F11002
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E6841F	11_2_04E6841F
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E6D5E0	11_2_04E6D5E0
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E82581	11_2_04E82581
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04F21D55	11_2_04F21D55
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E50D20	11_2_04E50D20
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E74120	11_2_04E74120
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E5F900	11_2_04E5F900
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E76E30	11_2_04E76E30
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E8EBB0	11_2_04E8EBB0
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_00B92D90	11_2_00B92D90
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_00B92D87	11_2_00B92D87
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_00BAEDE5	11_2_00BAEDE5
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_00BAD5C2	11_2_00BAD5C2
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_00BAE613	11_2_00BAE613
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_00B99E50	11_2_00B99E50
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_00B99E4B	11_2_00B99E4B
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_00BADFB2	11_2_00BADFB2
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_00B92FB0	11_2_00B92FB0

Source: C:\Windows\SysWOW64\control.exe

Code function: String function: 04E5B150 appears 32 times

Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_0041A350 NtCreateFile,	2_2_0041A350
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_0041A400 NtReadFile,	2_2_0041A400
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_0041A480 NtClose,	2_2_0041A480
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_0041A530 NtAllocateVirtualMemory,	2_2_0041A530
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_0041A34A NtCreateFile,	2_2_0041A34A
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_0041A3FA NtReadFile,	2_2_0041A3FA
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_0041A3A4 NtReadFile,	2_2_0041A3A4
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_0041A47A NtClose,	2_2_0041A47A
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_0041A52A NtAllocateVirtualMemory,	2_2_0041A52A
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E99860 NtQuerySystemInformation,LdrInitializeThunk,	11_2_04E99860
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E99840 NtDelayExecution,LdrInitializeThunk,	11_2_04E99840
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E995D0 NtClose,LdrInitializeThunk,	11_2_04E995D0
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E999A0 NtCreateSection,LdrInitializeThunk,	11_2_04E999A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E99540 NtReadFile,LdrInitializeThunk,	11_2_04E99540
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E99910 NtAdjustPrivilegesToken,LdrInitializeThunk,	11_2_04E99910
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E996E0 NtFreeVirtualMemory,LdrInitializeThunk,	11_2_04E996E0
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E996D0 NtCreateKey,LdrInitializeThunk,	11_2_04E996D0
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E99660 NtAllocateVirtualMemory,LdrInitializeThunk,	11_2_04E99660
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E99A50 NtCreateFile,LdrInitializeThunk,	11_2_04E99A50
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E99650 NtQueryValueKey,LdrInitializeThunk,	11_2_04E99650
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E99FE0 NtCreateMutant,LdrInitializeThunk,	11_2_04E99FE0
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E99780 NtMapViewOfSection,LdrInitializeThunk,	11_2_04E99780
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E99710 NtQueryInformationToken,LdrInitializeThunk,	11_2_04E99710
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E998F0 NtReadVirtualMemory,	11_2_04E998F0
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E998A0 NtWriteVirtualMemory,	11_2_04E998A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E9B040 NtSuspendThread,	11_2_04E9B040
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E99820 NtEnumerateKey,	11_2_04E99820
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E995F0 NtQueryInformationFile,	11_2_04E995F0
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E999D0 NtCreateProcessEx,	11_2_04E999D0
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E99560 NtWriteFile,	11_2_04E99560
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E99950 NtQueueApcThread,	11_2_04E99950
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E99520 NtWaitForSingleObject,	11_2_04E99520
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E9AD30 NtSetContextThread,	11_2_04E9AD30
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E99A80 NtOpenDirectoryObject,	11_2_04E99A80
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E99670 NtQueryInformationProcess,	11_2_04E99670
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E99A20 NtResumeThread,	11_2_04E99A20
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E99A00 NtProtectVirtualMemory,	11_2_04E99A00
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E99610 NtEnumerateValueKey,	11_2_04E99610
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E99A10 NtQuerySection,	11_2_04E99A10
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E997A0 NtUnmapViewOfSection,	11_2_04E997A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E9A3B0 NtGetContextThread,	11_2_04E9A3B0
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E99760 NtOpenProcess,	11_2_04E99760
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E99770 NtSetInformationFile,	11_2_04E99770
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E9A770 NtOpenThread,	11_2_04E9A770
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E99730 NtQueryVirtualMemory,	11_2_04E99730
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E99B00 NtSetValueKey,	11_2_04E99B00
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E9A710 NtOpenProcessToken,	11_2_04E9A710
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_00BAA350 NtCreateFile,	11_2_00BAA350
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_00BAA480 NtClose,	11_2_00BAA480
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_00BAA400 NtReadFile,	11_2_00BAA400
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_00BAA530 NtAllocateVirtualMemory,	11_2_00BAA530
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_00BAA3A4 NtReadFile,	11_2_00BAA3A4
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_00BAA3FA NtReadFile,	11_2_00BAA3FA
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_00BAA34A NtCreateFile,	11_2_00BAA34A
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_00BAA47A NtClose,	11_2_00BAA47A
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_00BAA52A NtAllocateVirtualMemory,	11_2_00BAA52A

Source: Ziraat Bankasi Swift Mesaji.exe	Binary or memory string: OriginalFilename vs Ziraat Bankasi Swift Mesaji.exe
Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.408614251.0000000003316000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCerbera.dll" vs Ziraat Bankasi Swift Mesaji.exe
Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000000.359661923.0000000000EB2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameCallingConvent.exe" vs Ziraat Bankasi Swift Mesaji.exe
Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.414265819.0000000007B70000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameIVectorView.dllN vs Ziraat Bankasi Swift Mesaji.exe
Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.409834205.0000000004322000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameIVectorView.dllN vs Ziraat Bankasi Swift Mesaji.exe
Source: Ziraat Bankasi Swift Mesaji.exe	Binary or memory string: OriginalFilename vs Ziraat Bankasi Swift Mesaji.exe
Source: Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.511820567.0000000001549000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCONTROL.EXEj% vs Ziraat Bankasi Swift Mesaji.exe
Source: Ziraat Bankasi Swift Mesaji.exe, 00000002.00000000.401671865.0000000000D72000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameCallingConvent.exe" vs Ziraat Bankasi Swift Mesaji.exe
Source: Ziraat Bankasi Swift Mesaji.exe, 00000002.00000003.406994742.000000000190D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Ziraat Bankasi Swift Mesaji.exe
Source: Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.511857898.0000000001570000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCONTROL.EXEj% vs Ziraat Bankasi Swift Mesaji.exe
Source: Ziraat Bankasi Swift Mesaji.exe, 00000002.00000003.404655843.000000000175D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Ziraat Bankasi Swift Mesaji.exe
Source: Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.513084585.0000000001A9F000.00000040.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Ziraat Bankasi Swift Mesaji.exe
Source: Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.513713382.0000000001C2F000.00000040.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Ziraat Bankasi Swift Mesaji.exe
Source: Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.512487847.0000000001905000.00000040.10000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCONTROL.EXEj% vs Ziraat Bankasi Swift Mesaji.exe

Source: Ziraat Bankasi Swift Mesaji.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: Ziraat Bankasi Swift Mesaji.exe

ReversingLabs: Detection: 21%

Source: Ziraat Bankasi Swift Mesaji.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe "C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe"
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process created: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\control.exe
Source: C:\Windows\SysWOW64\control.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\control.exe	Process created: C:\Windows\explorer.exe explorer.exe
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process created: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe"	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{317D06E8-5F24-433D-BDF7-79CE68D8ABC2}\InProcServer32

Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Ziraat Bankasi Swift Mesaji.exe.log

Source: classification engine

Classification label: mal100.troj.evad.winEXE@8/1@2/0

Source: C:\Windows\explorer.exe

File read: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini

Source: Ziraat Bankasi Swift Mesaji.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6152:120:WilError_01

Source: C:\Windows\SysWOW64\control.exe

Process created: C:\Windows\explorer.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Self deletion via cmd or bat file

Source: Ziraat Bankasi Swift Mesaji.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Ziraat Bankasi Swift Mesaji.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: Ziraat Bankasi Swift Mesaji.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: control.pdb source: Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.512357918.0000000001900000.00000040.10000000.00040000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.511820567.0000000001549000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: Ziraat Bankasi Swift Mesaji.exe, 00000002.00000003.406485483.00000000017EE000.00000004.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.513084585.0000000001A9F000.00000040.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.512556950.0000000001980000.00000040.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000003.404458480.0000000001647000.00000004.00000800.00020000.00000000.sdmp, control.exe, 0000000B.00000003.512780050.0000000004C95000.00000004.00000800.00020000.00000000.sdmp, control.exe, 0000000B.00000002.644924217.0000000004E30000.00000040.00000800.00020000.00000000.sdmp, control.exe, 0000000B.00000002.665198804.0000000004F4F000.00000040.00000800.00020000.00000000.sdmp, control.exe, 0000000B.00000003.510727580.0000000004AF3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Ziraat Bankasi Swift Mesaji.exe, 00000002.00000003.406485483.00000000017EE000.00000004.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.513084585.0000000001A9F000.00000040.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.512556950.0000000001980000.00000040.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000003.404458480.0000000001647000.00000004.00000800.00020000.00000000.sdmp, control.exe, control.exe, 0000000B.00000003.512780050.0000000004C95000.00000004.00000800.00020000.00000000.sdmp, control.exe, 0000000B.00000002.644924217.0000000004E30000.00000040.00000800.00020000.00000000.sdmp, control.exe, 0000000B.00000002.665198804.0000000004F4F000.00000040.00000800.00020000.00000000.sdmp, control.exe, 0000000B.00000003.510727580.0000000004AF3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Administrator\Desktop\Client\Temp\FRJeWenFHc\src\obj\x86\Debug\CallingConvent.pdb source: Ziraat Bankasi Swift Mesaji.exe, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000000.401671865.0000000000D72000.00000002.00000001.01000000.00000003.sdmp, control.exe, 0000000B.00000002.666266960.000000000535F000.00000004.10000000.00040000.00000000.sdmp, explorer.exe, 00000015.00000000.615015403.00000000069EF000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: control.pdbUGP source: Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.512357918.0000000001900000.00000040.10000000.00040000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.511820567.0000000001549000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 0_2_0322E2DB push 0000005Dh; retn 0004h	0_2_0322E34D
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_004168D9 push edx; ret	2_2_004168DA
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_004171C1 push esi; iretd	2_2_004171C4
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_004169B5 push esi; iretd	2_2_004169B6
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_0041EA1A push 00000052h; ret	2_2_0041EA1E
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_0041DBCA push dword ptr [56144B31h]; ret	2_2_0041DCC6
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_00417C4D push ds; retf	2_2_00417C4E
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_0041D4F2 push eax; ret	2_2_0041D4F8
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_0041D4FB push eax; ret	2_2_0041D562
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_0041D4A5 push eax; ret	2_2_0041D4F8
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_0041BCAE push ebx; retf	2_2_0041BCAF
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_0041D55C push eax; ret	2_2_0041D562
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_00409D2C push edi; iretd	2_2_00409D2F
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Code function: 2_2_00416598 push ds; iretd	2_2_004165A8
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EAD0D1 push ecx; ret	11_2_04EAD0E4
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_00BA68D9 push edx; ret	11_2_00BA68DA
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_00BA69B5 push esi; iretd	11_2_00BA69B6
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_00BA71C1 push esi; iretd	11_2_00BA71C4
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_00BAEA1A push 00000052h; ret	11_2_00BAEA1E
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_00BADBCA push dword ptr [56144B31h]; ret	11_2_00BADCC6
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_00BABCAE push ebx; retf	11_2_00BABCAF
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_00BAD4A5 push eax; ret	11_2_00BAD4F8
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_00BAD4FB push eax; ret	11_2_00BAD562
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_00BAD4F2 push eax; ret	11_2_00BAD4F8
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_00BA7C4D push ds; retf	11_2_00BA7C4E
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_00BA6598 push ds; iretd	11_2_00BA65A8
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_00B99D2C push edi; iretd	11_2_00B99D2F
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_00BAD55C push eax; ret	11_2_00BAD562

Source: initial sample

Static PE information: section name: .text entropy: 7.74275900541

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\control.exe	Process created: /c del "C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe"
Source: C:\Windows\SysWOW64\control.exe	Process created: /c del "C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe"			Jump to behavior

Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 00000000.00000002.409614207.00000000035C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.407668611.0000000003251000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Ziraat Bankasi Swift Mesaji.exe PID: 6344, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.409614207.00000000035C7000.00000004.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.407668611.0000000003251000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.409614207.00000000035C7000.00000004.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.407668611.0000000003251000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	RDTSC instruction interceptor: First address: 0000000000409B6E second address: 0000000000409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\control.exe	RDTSC instruction interceptor: First address: 0000000000B99904 second address: 0000000000B9990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\control.exe	RDTSC instruction interceptor: First address: 0000000000B99B6E second address: 0000000000B99B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 6424	Thread sleep time: -43731s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 6180	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\control.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe

Code function: 2_2_00409AA0 rdtsc

2_2_00409AA0

Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe

Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 43731			Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: explorer.exe, 00000004.00000000.467434177.0000000006389000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000015.00000000.611695006.00000000060F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:
Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.407668611.0000000003251000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000004.00000000.472575552.0000000007C29000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}i
Source: explorer.exe, 00000015.00000003.624832431.00000000061F9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.472575552.0000000007C29000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000015.00000002.666439896.00000000061F9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWte%SystemRoot%\system32\mswsock.dll6PROCESSOR_REVISION=5507ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows
Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.407668611.0000000003251000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: explorer.exe, 00000004.00000000.444306306.0000000004150000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}:
Source: explorer.exe, 00000004.00000000.472575552.0000000007C29000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}i&
Source: explorer.exe, 00000004.00000000.472836099.0000000007D2A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000004.00000000.472575552.0000000007C29000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00Iy
Source: explorer.exe, 00000015.00000000.605923799.0000000000A7E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000c
Source: explorer.exe, 00000015.00000000.605698579.0000000000A68000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}.{
Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.407668611.0000000003251000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.414265819.0000000007B70000.00000004.08000000.00040000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.409834205.0000000004322000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: xLfkRqemuCj72yuiGNb
Source: explorer.exe, 00000004.00000000.426944558.0000000007DC1000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}osoft S
Source: explorer.exe, 00000004.00000000.426543032.0000000007CC2000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000v
Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.407668611.0000000003251000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe

Code function: 2_2_00409AA0 rdtsc

2_2_00409AA0

Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04F114FB mov eax, dword ptr fs:[00000030h]	11_2_04F114FB
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04ED6CF0 mov eax, dword ptr fs:[00000030h]	11_2_04ED6CF0
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04ED6CF0 mov eax, dword ptr fs:[00000030h]	11_2_04ED6CF0
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04ED6CF0 mov eax, dword ptr fs:[00000030h]	11_2_04ED6CF0
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04F28CD6 mov eax, dword ptr fs:[00000030h]	11_2_04F28CD6
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EEB8D0 mov eax, dword ptr fs:[00000030h]	11_2_04EEB8D0
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EEB8D0 mov ecx, dword ptr fs:[00000030h]	11_2_04EEB8D0
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EEB8D0 mov eax, dword ptr fs:[00000030h]	11_2_04EEB8D0
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EEB8D0 mov eax, dword ptr fs:[00000030h]	11_2_04EEB8D0
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EEB8D0 mov eax, dword ptr fs:[00000030h]	11_2_04EEB8D0
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EEB8D0 mov eax, dword ptr fs:[00000030h]	11_2_04EEB8D0
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E990AF mov eax, dword ptr fs:[00000030h]	11_2_04E990AF
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E8F0BF mov ecx, dword ptr fs:[00000030h]	11_2_04E8F0BF
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E8F0BF mov eax, dword ptr fs:[00000030h]	11_2_04E8F0BF
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E8F0BF mov eax, dword ptr fs:[00000030h]	11_2_04E8F0BF
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E59080 mov eax, dword ptr fs:[00000030h]	11_2_04E59080
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04ED3884 mov eax, dword ptr fs:[00000030h]	11_2_04ED3884
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04ED3884 mov eax, dword ptr fs:[00000030h]	11_2_04ED3884
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E6849B mov eax, dword ptr fs:[00000030h]	11_2_04E6849B
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04F12073 mov eax, dword ptr fs:[00000030h]	11_2_04F12073
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04F21074 mov eax, dword ptr fs:[00000030h]	11_2_04F21074
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E7746D mov eax, dword ptr fs:[00000030h]	11_2_04E7746D
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E8A44B mov eax, dword ptr fs:[00000030h]	11_2_04E8A44B
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E70050 mov eax, dword ptr fs:[00000030h]	11_2_04E70050
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E70050 mov eax, dword ptr fs:[00000030h]	11_2_04E70050
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EEC450 mov eax, dword ptr fs:[00000030h]	11_2_04EEC450
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EEC450 mov eax, dword ptr fs:[00000030h]	11_2_04EEC450
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E8BC2C mov eax, dword ptr fs:[00000030h]	11_2_04E8BC2C
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E8002D mov eax, dword ptr fs:[00000030h]	11_2_04E8002D
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E8002D mov eax, dword ptr fs:[00000030h]	11_2_04E8002D
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E8002D mov eax, dword ptr fs:[00000030h]	11_2_04E8002D
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E8002D mov eax, dword ptr fs:[00000030h]	11_2_04E8002D
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E8002D mov eax, dword ptr fs:[00000030h]	11_2_04E8002D
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E6B02A mov eax, dword ptr fs:[00000030h]	11_2_04E6B02A
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E6B02A mov eax, dword ptr fs:[00000030h]	11_2_04E6B02A
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E6B02A mov eax, dword ptr fs:[00000030h]	11_2_04E6B02A
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E6B02A mov eax, dword ptr fs:[00000030h]	11_2_04E6B02A
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04F24015 mov eax, dword ptr fs:[00000030h]	11_2_04F24015
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04F24015 mov eax, dword ptr fs:[00000030h]	11_2_04F24015
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04ED6C0A mov eax, dword ptr fs:[00000030h]	11_2_04ED6C0A
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04ED6C0A mov eax, dword ptr fs:[00000030h]	11_2_04ED6C0A
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04ED6C0A mov eax, dword ptr fs:[00000030h]	11_2_04ED6C0A
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04ED6C0A mov eax, dword ptr fs:[00000030h]	11_2_04ED6C0A
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04F11C06 mov eax, dword ptr fs:[00000030h]	11_2_04F11C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04F11C06 mov eax, dword ptr fs:[00000030h]	11_2_04F11C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04F11C06 mov eax, dword ptr fs:[00000030h]	11_2_04F11C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04F11C06 mov eax, dword ptr fs:[00000030h]	11_2_04F11C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04F11C06 mov eax, dword ptr fs:[00000030h]	11_2_04F11C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04F11C06 mov eax, dword ptr fs:[00000030h]	11_2_04F11C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04F11C06 mov eax, dword ptr fs:[00000030h]	11_2_04F11C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04F11C06 mov eax, dword ptr fs:[00000030h]	11_2_04F11C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04F11C06 mov eax, dword ptr fs:[00000030h]	11_2_04F11C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04F11C06 mov eax, dword ptr fs:[00000030h]	11_2_04F11C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04F11C06 mov eax, dword ptr fs:[00000030h]	11_2_04F11C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04F11C06 mov eax, dword ptr fs:[00000030h]	11_2_04F11C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04F11C06 mov eax, dword ptr fs:[00000030h]	11_2_04F11C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04F11C06 mov eax, dword ptr fs:[00000030h]	11_2_04F11C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04ED7016 mov eax, dword ptr fs:[00000030h]	11_2_04ED7016
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04ED7016 mov eax, dword ptr fs:[00000030h]	11_2_04ED7016
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04ED7016 mov eax, dword ptr fs:[00000030h]	11_2_04ED7016
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04F2740D mov eax, dword ptr fs:[00000030h]	11_2_04F2740D
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04F2740D mov eax, dword ptr fs:[00000030h]	11_2_04F2740D
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04F2740D mov eax, dword ptr fs:[00000030h]	11_2_04F2740D
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04F08DF1 mov eax, dword ptr fs:[00000030h]	11_2_04F08DF1
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E5B1E1 mov eax, dword ptr fs:[00000030h]	11_2_04E5B1E1
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E5B1E1 mov eax, dword ptr fs:[00000030h]	11_2_04E5B1E1
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E5B1E1 mov eax, dword ptr fs:[00000030h]	11_2_04E5B1E1
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EE41E8 mov eax, dword ptr fs:[00000030h]	11_2_04EE41E8
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E6D5E0 mov eax, dword ptr fs:[00000030h]	11_2_04E6D5E0
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E6D5E0 mov eax, dword ptr fs:[00000030h]	11_2_04E6D5E0
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E861A0 mov eax, dword ptr fs:[00000030h]	11_2_04E861A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E861A0 mov eax, dword ptr fs:[00000030h]	11_2_04E861A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E835A1 mov eax, dword ptr fs:[00000030h]	11_2_04E835A1
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04ED69A6 mov eax, dword ptr fs:[00000030h]	11_2_04ED69A6
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04ED51BE mov eax, dword ptr fs:[00000030h]	11_2_04ED51BE
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04ED51BE mov eax, dword ptr fs:[00000030h]	11_2_04ED51BE
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04ED51BE mov eax, dword ptr fs:[00000030h]	11_2_04ED51BE
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04ED51BE mov eax, dword ptr fs:[00000030h]	11_2_04ED51BE
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E81DB5 mov eax, dword ptr fs:[00000030h]	11_2_04E81DB5
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E81DB5 mov eax, dword ptr fs:[00000030h]	11_2_04E81DB5
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E81DB5 mov eax, dword ptr fs:[00000030h]	11_2_04E81DB5
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E7C182 mov eax, dword ptr fs:[00000030h]	11_2_04E7C182
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E82581 mov eax, dword ptr fs:[00000030h]	11_2_04E82581
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E82581 mov eax, dword ptr fs:[00000030h]	11_2_04E82581
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E82581 mov eax, dword ptr fs:[00000030h]	11_2_04E82581
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E82581 mov eax, dword ptr fs:[00000030h]	11_2_04E82581
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E8A185 mov eax, dword ptr fs:[00000030h]	11_2_04E8A185
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E52D8A mov eax, dword ptr fs:[00000030h]	11_2_04E52D8A
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E52D8A mov eax, dword ptr fs:[00000030h]	11_2_04E52D8A
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E52D8A mov eax, dword ptr fs:[00000030h]	11_2_04E52D8A
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E52D8A mov eax, dword ptr fs:[00000030h]	11_2_04E52D8A
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E52D8A mov eax, dword ptr fs:[00000030h]	11_2_04E52D8A
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E8FD9B mov eax, dword ptr fs:[00000030h]	11_2_04E8FD9B
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E8FD9B mov eax, dword ptr fs:[00000030h]	11_2_04E8FD9B
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E82990 mov eax, dword ptr fs:[00000030h]	11_2_04E82990
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E5C962 mov eax, dword ptr fs:[00000030h]	11_2_04E5C962
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E7C577 mov eax, dword ptr fs:[00000030h]	11_2_04E7C577
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E7C577 mov eax, dword ptr fs:[00000030h]	11_2_04E7C577
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E5B171 mov eax, dword ptr fs:[00000030h]	11_2_04E5B171
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E5B171 mov eax, dword ptr fs:[00000030h]	11_2_04E5B171
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E7B944 mov eax, dword ptr fs:[00000030h]	11_2_04E7B944
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E7B944 mov eax, dword ptr fs:[00000030h]	11_2_04E7B944
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E93D43 mov eax, dword ptr fs:[00000030h]	11_2_04E93D43
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04ED3540 mov eax, dword ptr fs:[00000030h]	11_2_04ED3540
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E77D50 mov eax, dword ptr fs:[00000030h]	11_2_04E77D50
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04F28D34 mov eax, dword ptr fs:[00000030h]	11_2_04F28D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E74120 mov eax, dword ptr fs:[00000030h]	11_2_04E74120
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E74120 mov eax, dword ptr fs:[00000030h]	11_2_04E74120
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E74120 mov eax, dword ptr fs:[00000030h]	11_2_04E74120
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E74120 mov eax, dword ptr fs:[00000030h]	11_2_04E74120
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E74120 mov ecx, dword ptr fs:[00000030h]	11_2_04E74120
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E8513A mov eax, dword ptr fs:[00000030h]	11_2_04E8513A
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E8513A mov eax, dword ptr fs:[00000030h]	11_2_04E8513A
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E63D34 mov eax, dword ptr fs:[00000030h]	11_2_04E63D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E63D34 mov eax, dword ptr fs:[00000030h]	11_2_04E63D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E63D34 mov eax, dword ptr fs:[00000030h]	11_2_04E63D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E63D34 mov eax, dword ptr fs:[00000030h]	11_2_04E63D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E63D34 mov eax, dword ptr fs:[00000030h]	11_2_04E63D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E63D34 mov eax, dword ptr fs:[00000030h]	11_2_04E63D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E63D34 mov eax, dword ptr fs:[00000030h]	11_2_04E63D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E63D34 mov eax, dword ptr fs:[00000030h]	11_2_04E63D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E63D34 mov eax, dword ptr fs:[00000030h]	11_2_04E63D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E63D34 mov eax, dword ptr fs:[00000030h]	11_2_04E63D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E63D34 mov eax, dword ptr fs:[00000030h]	11_2_04E63D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E63D34 mov eax, dword ptr fs:[00000030h]	11_2_04E63D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E63D34 mov eax, dword ptr fs:[00000030h]	11_2_04E63D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E84D3B mov eax, dword ptr fs:[00000030h]	11_2_04E84D3B
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E84D3B mov eax, dword ptr fs:[00000030h]	11_2_04E84D3B
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E84D3B mov eax, dword ptr fs:[00000030h]	11_2_04E84D3B
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E5AD30 mov eax, dword ptr fs:[00000030h]	11_2_04E5AD30
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EDA537 mov eax, dword ptr fs:[00000030h]	11_2_04EDA537
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E59100 mov eax, dword ptr fs:[00000030h]	11_2_04E59100
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E59100 mov eax, dword ptr fs:[00000030h]	11_2_04E59100
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E59100 mov eax, dword ptr fs:[00000030h]	11_2_04E59100
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E676E2 mov eax, dword ptr fs:[00000030h]	11_2_04E676E2
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E816E0 mov ecx, dword ptr fs:[00000030h]	11_2_04E816E0
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E82AE4 mov eax, dword ptr fs:[00000030h]	11_2_04E82AE4
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E82ACB mov eax, dword ptr fs:[00000030h]	11_2_04E82ACB
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04F28ED6 mov eax, dword ptr fs:[00000030h]	11_2_04F28ED6
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E836CC mov eax, dword ptr fs:[00000030h]	11_2_04E836CC
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E98EC7 mov eax, dword ptr fs:[00000030h]	11_2_04E98EC7
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04F0FEC0 mov eax, dword ptr fs:[00000030h]	11_2_04F0FEC0
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E552A5 mov eax, dword ptr fs:[00000030h]	11_2_04E552A5
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E552A5 mov eax, dword ptr fs:[00000030h]	11_2_04E552A5
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E552A5 mov eax, dword ptr fs:[00000030h]	11_2_04E552A5
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E552A5 mov eax, dword ptr fs:[00000030h]	11_2_04E552A5
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E552A5 mov eax, dword ptr fs:[00000030h]	11_2_04E552A5
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04ED46A7 mov eax, dword ptr fs:[00000030h]	11_2_04ED46A7
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E6AAB0 mov eax, dword ptr fs:[00000030h]	11_2_04E6AAB0
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E6AAB0 mov eax, dword ptr fs:[00000030h]	11_2_04E6AAB0
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04F20EA5 mov eax, dword ptr fs:[00000030h]	11_2_04F20EA5
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04F20EA5 mov eax, dword ptr fs:[00000030h]	11_2_04F20EA5
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04F20EA5 mov eax, dword ptr fs:[00000030h]	11_2_04F20EA5
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E8FAB0 mov eax, dword ptr fs:[00000030h]	11_2_04E8FAB0
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EEFE87 mov eax, dword ptr fs:[00000030h]	11_2_04EEFE87
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E8D294 mov eax, dword ptr fs:[00000030h]	11_2_04E8D294
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E8D294 mov eax, dword ptr fs:[00000030h]	11_2_04E8D294
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E6766D mov eax, dword ptr fs:[00000030h]	11_2_04E6766D
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04F0B260 mov eax, dword ptr fs:[00000030h]	11_2_04F0B260
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04F0B260 mov eax, dword ptr fs:[00000030h]	11_2_04F0B260
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04F28A62 mov eax, dword ptr fs:[00000030h]	11_2_04F28A62
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E9927A mov eax, dword ptr fs:[00000030h]	11_2_04E9927A
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E7AE73 mov eax, dword ptr fs:[00000030h]	11_2_04E7AE73
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E7AE73 mov eax, dword ptr fs:[00000030h]	11_2_04E7AE73
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E7AE73 mov eax, dword ptr fs:[00000030h]	11_2_04E7AE73
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E7AE73 mov eax, dword ptr fs:[00000030h]	11_2_04E7AE73
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E7AE73 mov eax, dword ptr fs:[00000030h]	11_2_04E7AE73
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E59240 mov eax, dword ptr fs:[00000030h]	11_2_04E59240
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E59240 mov eax, dword ptr fs:[00000030h]	11_2_04E59240
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E59240 mov eax, dword ptr fs:[00000030h]	11_2_04E59240
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E59240 mov eax, dword ptr fs:[00000030h]	11_2_04E59240
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E67E41 mov eax, dword ptr fs:[00000030h]	11_2_04E67E41
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E67E41 mov eax, dword ptr fs:[00000030h]	11_2_04E67E41
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E67E41 mov eax, dword ptr fs:[00000030h]	11_2_04E67E41
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E67E41 mov eax, dword ptr fs:[00000030h]	11_2_04E67E41
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E67E41 mov eax, dword ptr fs:[00000030h]	11_2_04E67E41
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E67E41 mov eax, dword ptr fs:[00000030h]	11_2_04E67E41
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EE4257 mov eax, dword ptr fs:[00000030h]	11_2_04EE4257
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E5E620 mov eax, dword ptr fs:[00000030h]	11_2_04E5E620
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04F0FE3F mov eax, dword ptr fs:[00000030h]	11_2_04F0FE3F
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E5C600 mov eax, dword ptr fs:[00000030h]	11_2_04E5C600
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E5C600 mov eax, dword ptr fs:[00000030h]	11_2_04E5C600
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E5C600 mov eax, dword ptr fs:[00000030h]	11_2_04E5C600
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E88E00 mov eax, dword ptr fs:[00000030h]	11_2_04E88E00
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E68A0A mov eax, dword ptr fs:[00000030h]	11_2_04E68A0A
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E5AA16 mov eax, dword ptr fs:[00000030h]	11_2_04E5AA16
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E5AA16 mov eax, dword ptr fs:[00000030h]	11_2_04E5AA16
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E8A61C mov eax, dword ptr fs:[00000030h]	11_2_04E8A61C
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E8A61C mov eax, dword ptr fs:[00000030h]	11_2_04E8A61C
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E73A1C mov eax, dword ptr fs:[00000030h]	11_2_04E73A1C
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E803E2 mov eax, dword ptr fs:[00000030h]	11_2_04E803E2
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E803E2 mov eax, dword ptr fs:[00000030h]	11_2_04E803E2
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E803E2 mov eax, dword ptr fs:[00000030h]	11_2_04E803E2
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E803E2 mov eax, dword ptr fs:[00000030h]	11_2_04E803E2
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E803E2 mov eax, dword ptr fs:[00000030h]	11_2_04E803E2
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E803E2 mov eax, dword ptr fs:[00000030h]	11_2_04E803E2
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E937F5 mov eax, dword ptr fs:[00000030h]	11_2_04E937F5
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04ED53CA mov eax, dword ptr fs:[00000030h]	11_2_04ED53CA
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04ED53CA mov eax, dword ptr fs:[00000030h]	11_2_04ED53CA
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04F25BA5 mov eax, dword ptr fs:[00000030h]	11_2_04F25BA5
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E61B8F mov eax, dword ptr fs:[00000030h]	11_2_04E61B8F
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E61B8F mov eax, dword ptr fs:[00000030h]	11_2_04E61B8F
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04F0D380 mov ecx, dword ptr fs:[00000030h]	11_2_04F0D380
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E68794 mov eax, dword ptr fs:[00000030h]	11_2_04E68794
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E8B390 mov eax, dword ptr fs:[00000030h]	11_2_04E8B390
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04ED7794 mov eax, dword ptr fs:[00000030h]	11_2_04ED7794
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04ED7794 mov eax, dword ptr fs:[00000030h]	11_2_04ED7794
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04ED7794 mov eax, dword ptr fs:[00000030h]	11_2_04ED7794
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04F1138A mov eax, dword ptr fs:[00000030h]	11_2_04F1138A
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E82397 mov eax, dword ptr fs:[00000030h]	11_2_04E82397
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E5DB60 mov ecx, dword ptr fs:[00000030h]	11_2_04E5DB60
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E6FF60 mov eax, dword ptr fs:[00000030h]	11_2_04E6FF60
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E83B7A mov eax, dword ptr fs:[00000030h]	11_2_04E83B7A
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E83B7A mov eax, dword ptr fs:[00000030h]	11_2_04E83B7A
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04F28F6A mov eax, dword ptr fs:[00000030h]	11_2_04F28F6A
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E5DB40 mov eax, dword ptr fs:[00000030h]	11_2_04E5DB40
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E6EF40 mov eax, dword ptr fs:[00000030h]	11_2_04E6EF40
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04F28B58 mov eax, dword ptr fs:[00000030h]	11_2_04F28B58
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E5F358 mov eax, dword ptr fs:[00000030h]	11_2_04E5F358
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E54F2E mov eax, dword ptr fs:[00000030h]	11_2_04E54F2E
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E54F2E mov eax, dword ptr fs:[00000030h]	11_2_04E54F2E
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E8E730 mov eax, dword ptr fs:[00000030h]	11_2_04E8E730
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E8A70E mov eax, dword ptr fs:[00000030h]	11_2_04E8A70E
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E8A70E mov eax, dword ptr fs:[00000030h]	11_2_04E8A70E
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04F1131B mov eax, dword ptr fs:[00000030h]	11_2_04F1131B
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04E7F716 mov eax, dword ptr fs:[00000030h]	11_2_04E7F716
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EEFF10 mov eax, dword ptr fs:[00000030h]	11_2_04EEFF10
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04EEFF10 mov eax, dword ptr fs:[00000030h]	11_2_04EEFF10
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04F2070D mov eax, dword ptr fs:[00000030h]	11_2_04F2070D
Source: C:\Windows\SysWOW64\control.exe	Code function: 11_2_04F2070D mov eax, dword ptr fs:[00000030h]	11_2_04F2070D

Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe

Code function: 2_2_0040ACE0 LdrLoadDll,

2_2_0040ACE0

Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe

Memory allocated: page read and write | page guard

Sample uses process hollowing technique

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe

Section unmapped: C:\Windows\SysWOW64\control.exe base address: DF0000

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: unknown target: C:\Windows\SysWOW64\control.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Section loaded: unknown target: C:\Windows\SysWOW64\control.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe

Memory written: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe base: 400000 value starts with: 4D5A

Queues an APC in another process (thread injection)

Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread register set: target process: 3808	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Thread register set: target process: 3808	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Thread register set: target process: 3808	Jump to behavior

Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Process created: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe			Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe"			Jump to behavior

Source: explorer.exe, 00000004.00000000.410648421.0000000000D00000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.442349668.0000000000D00000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.498725435.0000000000D00000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program ManagerG
Source: explorer.exe, 00000015.00000002.630848927.0000000000A7E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000000.605923799.0000000000A7E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Progman.
Source: explorer.exe, 00000004.00000000.410648421.0000000000D00000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.442349668.0000000000D00000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.426299406.0000000007C08000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000000.410648421.0000000000D00000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.442349668.0000000000D00000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.498725435.0000000000D00000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000004.00000000.410648421.0000000000D00000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.442349668.0000000000D00000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.498725435.0000000000D00000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000015.00000003.604906517.0000000004639000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.665124479.0000000004639000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000000.610052116.0000000004639000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd(T'
Source: explorer.exe, 00000004.00000000.498187251.0000000000628000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.410150061.0000000000628000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.441801892.0000000000628000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ProgmanPV*

Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match	File source: 0.2.Ziraat Bankasi Swift Mesaji.exe.44bbf10.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.Ziraat Bankasi Swift Mesaji.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Ziraat Bankasi Swift Mesaji.exe.44eb6c0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.Ziraat Bankasi Swift Mesaji.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.Ziraat Bankasi Swift Mesaji.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.Ziraat Bankasi Swift Mesaji.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.Ziraat Bankasi Swift Mesaji.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Ziraat Bankasi Swift Mesaji.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Ziraat Bankasi Swift Mesaji.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Ziraat Bankasi Swift Mesaji.exe.43221b0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000000.403126818.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.632202833.0000000000B90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.455844055.000000000DE2E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.404005637.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.476604607.000000000DE2E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.511417797.00000000014C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.511211883.0000000001380000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.633141128.0000000003390000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.409834205.0000000004322000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.634227955.0000000004AF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.510795876.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match	File source: 0.2.Ziraat Bankasi Swift Mesaji.exe.44bbf10.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.Ziraat Bankasi Swift Mesaji.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Ziraat Bankasi Swift Mesaji.exe.44eb6c0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.Ziraat Bankasi Swift Mesaji.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.Ziraat Bankasi Swift Mesaji.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.Ziraat Bankasi Swift Mesaji.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.Ziraat Bankasi Swift Mesaji.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Ziraat Bankasi Swift Mesaji.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Ziraat Bankasi Swift Mesaji.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Ziraat Bankasi Swift Mesaji.exe.43221b0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000000.403126818.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.632202833.0000000000B90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.455844055.000000000DE2E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.404005637.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.476604607.000000000DE2E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.511417797.00000000014C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.511211883.0000000001380000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.633141128.0000000003390000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.409834205.0000000004322000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.634227955.0000000004AF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.510795876.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Shared Modules	Path Interception	512 Process Injection	1 Masquerading	OS Credential Dumping	221 Security Software Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Non-Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	11 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	512 Process Injection	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	112 System Information Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	3 Obfuscated Files or Information	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	3 Software Packing	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 File Deletion	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Ziraat Bankasi Swift Mesaji.exe	22%	ReversingLabs	ByteCode-MSIL.Spyware.Negasteal

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
2.0.Ziraat Bankasi Swift Mesaji.exe.400000.4.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
2.0.Ziraat Bankasi Swift Mesaji.exe.400000.6.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
2.0.Ziraat Bankasi Swift Mesaji.exe.400000.8.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
2.2.Ziraat Bankasi Swift Mesaji.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File

Domains

Source	Detection	Scanner	Label	Link
dual-a-0001.dc-msedge.net	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://www.gabimejia.com	0%	Avira URL Cloud	safe
http://www.thesoupproject.netReferer:	0%	Avira URL Cloud	safe
http://www.51cdfang.com/ah6m/www.theguaranteedadmissions.com	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.yuh-gal-p.xyzReferer:	0%	Avira URL Cloud	safe
http://www.aerialdatainc.com/ah6m/www.planet-ideam.com	0%	Avira URL Cloud	safe
www.wwohead.com/ah6m/	100%	Avira URL Cloud	malware
http://www.glencoreprocurement.comReferer:	0%	Avira URL Cloud	safe
http://www.xiaochunge.top/ah6m/	0%	Avira URL Cloud	safe
http://www.alltinyildiz.com/ah6m/www.xiaochunge.top	0%	Avira URL Cloud	safe
http://www.nontradebulkcement.online/ah6m/	0%	Avira URL Cloud	safe
http://www.wwohead.comReferer:	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.planet-ideam.com	0%	Avira URL Cloud	safe
http://www.theguaranteedadmissions.comReferer:	0%	Avira URL Cloud	safe
http://www.hummingbirdfeederhat.comReferer:	0%	Avira URL Cloud	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.alltinyildiz.com	0%	Avira URL Cloud	safe
http://www.gabimejia.com/ah6m/www.wwohead.com	0%	Avira URL Cloud	safe
http://www.planet-ideam.comReferer:	0%	Avira URL Cloud	safe
http://www.aerialdatainc.com/ah6m/	0%	Avira URL Cloud	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.thesoupproject.net/ah6m/www.everythingmandab.com	0%	Avira URL Cloud	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.nontradebulkcement.onlineReferer:	0%	Avira URL Cloud	safe
http://www.nontradebulkcement.online/ah6m/www.hummingbirdfeederhat.com	0%	Avira URL Cloud	safe
http://www.wwohead.com	0%	Avira URL Cloud	safe
http://www.everythingmandab.com/ah6m/	0%	Avira URL Cloud	safe
http://www.nontradebulkcement.online	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.xiaochunge.topReferer:	0%	Avira URL Cloud	safe
http://www.aerialdatainc.comReferer:	0%	Avira URL Cloud	safe
http://www.planet-ideam.com/ah6m/www.glencoreprocurement.com	0%	Avira URL Cloud	safe
http://www.wwohead.com/ah6m/	100%	Avira URL Cloud	malware
http://www.planet-ideam.com/ah6m/	0%	Avira URL Cloud	safe
http://www.theguaranteedadmissions.com/ah6m/www.aerialdatainc.com	0%	Avira URL Cloud	safe
http://www.51cdfang.com	0%	Avira URL Cloud	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.alltinyildiz.com/ah6m/	0%	Avira URL Cloud	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.everythingmandab.comReferer:	0%	Avira URL Cloud	safe
http://www.difan-mobile.com/ah6m/www.nontradebulkcement.online	0%	Avira URL Cloud	safe
http://www.aerialdatainc.com	0%	Avira URL Cloud	safe
http://ns.adobY	0%	URL Reputation	safe
http://www.thesoupproject.net/ah6m/	0%	Avira URL Cloud	safe
http://www.hummingbirdfeederhat.com/ah6m/	0%	Avira URL Cloud	safe
http://www.wwohead.com/ah6m/www.51cdfang.com	100%	Avira URL Cloud	malware
http://www.yuh-gal-p.xyz/ah6m/	0%	Avira URL Cloud	safe
http://www.xiaochunge.top/ah6m/www.difan-mobile.com	0%	Avira URL Cloud	safe
http://www.alltinyildiz.comReferer:	0%	Avira URL Cloud	safe
http://www.difan-mobile.com/ah6m/	0%	Avira URL Cloud	safe
http://www.gabimejia.com/ah6m/	0%	Avira URL Cloud	safe
http://www.51cdfang.comReferer:	0%	Avira URL Cloud	safe
http://www.glencoreprocurement.com/ah6m/www.thesoupproject.net	0%	Avira URL Cloud	safe
http://www.yuh-gal-p.xyz	0%	Avira URL Cloud	safe
http://www.difan-mobile.com	0%	Avira URL Cloud	safe
http://www.glencoreprocurement.com/ah6m/	0%	Avira URL Cloud	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.everythingmandab.com/ah6m/www.stringm.com	0%	Avira URL Cloud	safe
http://www.theguaranteedadmissions.com/ah6m/	0%	Avira URL Cloud	safe
http://www.51cdfang.com/ah6m/	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.stringm.com/ah6m/	100%	Avira URL Cloud	malware
http://www.hummingbirdfeederhat.com	0%	Avira URL Cloud	safe
http://www.yuh-gal-p.xyz/ah6m/www.alltinyildiz.com	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.stringm.comReferer:	0%	Avira URL Cloud	safe
http://www.difan-mobile.comReferer:	0%	Avira URL Cloud	safe
http://www.theguaranteedadmissions.com	0%	Avira URL Cloud	safe
http://www.gabimejia.comReferer:	0%	Avira URL Cloud	safe
http://www.stringm.com/ah6m/www.yuh-gal-p.xyz	100%	Avira URL Cloud	malware
http://www.everythingmandab.com	0%	Avira URL Cloud	safe
http://www.stringm.com	0%	Avira URL Cloud	safe
http://www.xiaochunge.top	0%	Avira URL Cloud	safe
http://www.glencoreprocurement.com	0%	Avira URL Cloud	safe
http://www.thesoupproject.net	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
dual-a-0001.dc-msedge.net	131.253.33.200	true	false	0%, Virustotal, Browse	unknown
www.gabimejia.com	104.140.60.254	true	false		unknown
www.wwohead.com	172.252.94.104	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
www.wwohead.com/ah6m/	true	Avira URL Cloud: malware	low

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.gabimejia.com	explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designersG	Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.413299631.0000000007422000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.thesoupproject.netReferer:	explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/dcoetzee/plants-vs-zombies-user-file-editor	Ziraat Bankasi Swift Mesaji.exe, 00000000.00000000.359661923.0000000000EB2000.00000002.00000001.01000000.00000003.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000000.401671865.0000000000D72000.00000002.00000001.01000000.00000003.sdmp, control.exe, 0000000B.00000002.666266960.000000000535F000.00000004.10000000.00040000.00000000.sdmp, explorer.exe, 00000015.00000000.615015403.00000000069EF000.00000004.80000000.00040000.00000000.sdmp	false		high
http://www.51cdfang.com/ah6m/www.theguaranteedadmissions.com	explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/?	Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.413299631.0000000007422000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.413299631.0000000007422000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.yuh-gal-p.xyzReferer:	explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.aerialdatainc.com/ah6m/www.planet-ideam.com	explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers?	Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.413299631.0000000007422000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.glencoreprocurement.comReferer:	explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.xiaochunge.top/ah6m/	explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com	Ziraat Bankasi Swift Mesaji.exe	false		high
http://www.alltinyildiz.com/ah6m/www.xiaochunge.top	explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.nontradebulkcement.online/ah6m/	explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.wwohead.comReferer:	explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.com	Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.413299631.0000000007422000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.planet-ideam.com	explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.theguaranteedadmissions.comReferer:	explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.hummingbirdfeederhat.comReferer:	explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers	Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.413299631.0000000007422000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.413299631.0000000007422000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.alltinyildiz.com	explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.gabimejia.com/ah6m/www.wwohead.com	explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.planet-ideam.comReferer:	explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.aerialdatainc.com/ah6m/	explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sajatypeworks.com	Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.413299631.0000000007422000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.thesoupproject.net/ah6m/www.everythingmandab.com	explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.typography.netD	Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.413299631.0000000007422000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.413299631.0000000007422000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.413299631.0000000007422000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.413299631.0000000007422000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.nontradebulkcement.onlineReferer:	explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.nontradebulkcement.online/ah6m/www.hummingbirdfeederhat.com	explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.wwohead.com	explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.everythingmandab.com/ah6m/	explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.nontradebulkcement.online	explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/DPlease	Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.413299631.0000000007422000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.xiaochunge.topReferer:	explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.aerialdatainc.comReferer:	explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.planet-ideam.com/ah6m/www.glencoreprocurement.com	explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.wwohead.com/ah6m/	explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.planet-ideam.com/ah6m/	explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.theguaranteedadmissions.com/ah6m/www.aerialdatainc.com	explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.51cdfang.com	explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fonts.com	Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.413299631.0000000007422000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.413299631.0000000007422000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.413299631.0000000007422000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.alltinyildiz.com/ah6m/	explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.zhongyicts.com.cn	Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.413299631.0000000007422000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.com	Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.413299631.0000000007422000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.everythingmandab.comReferer:	explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.difan-mobile.com/ah6m/www.nontradebulkcement.online	explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.413299631.0000000007422000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.413299631.0000000007422000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.aerialdatainc.com	explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ns.adobY	explorer.exe, 00000004.00000000.463834252.00000000026D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.442686652.00000000026D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.411056762.00000000026D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.498956126.00000000026D0000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.thesoupproject.net/ah6m/	explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.hummingbirdfeederhat.com/ah6m/	explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.wwohead.com/ah6m/www.51cdfang.com	explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.yuh-gal-p.xyz/ah6m/	explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.xiaochunge.top/ah6m/www.difan-mobile.com	explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.alltinyildiz.comReferer:	explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.difan-mobile.com/ah6m/	explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.gabimejia.com/ah6m/	explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.51cdfang.comReferer:	explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.glencoreprocurement.com/ah6m/www.thesoupproject.net	explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.yuh-gal-p.xyz	explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.difan-mobile.com	explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.glencoreprocurement.com/ah6m/	explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.coml	Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.413299631.0000000007422000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.everythingmandab.com/ah6m/www.stringm.com	explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.theguaranteedadmissions.com/ah6m/	explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.51cdfang.com/ah6m/	explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.413299631.0000000007422000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn	Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.413299631.0000000007422000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.413299631.0000000007422000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.stringm.com/ah6m/	explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.hummingbirdfeederhat.com	explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.yuh-gal-p.xyz/ah6m/www.alltinyildiz.com	explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/	Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.413299631.0000000007422000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.stringm.comReferer:	explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.difan-mobile.comReferer:	explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.theguaranteedadmissions.com	explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers8	Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.413299631.0000000007422000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.gabimejia.comReferer:	explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.stringm.com/ah6m/www.yuh-gal-p.xyz	explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.everythingmandab.com	explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.stringm.com	explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.xiaochunge.top	explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.glencoreprocurement.com	explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.thesoupproject.net	explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	635281
Start date and time: 27/05/202218:22:08	2022-05-27 18:22:08 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 13m 29s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Ziraat Bankasi Swift Mesaji.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@8/1@2/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 60.9% (good quality ratio 54.3%) Quality average: 69.5% Quality standard deviation: 32.9%
HCA Information:	Successful, ratio: 100% Number of executed functions: 78 Number of non-executed functions: 115
Cookbook Comments:	Found application associated with file extension: .exe Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SearchUI.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, ShellExperienceHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.54.89.106, 40.125.122.176, 52.152.110.14, 20.223.24.244
Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.useroor.bigcatalog.commerce.microsoft.com, settings-win.data.microsoft.com, arc.msn.com, a-0001.a-afdentry.net.trafficmanager.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, glb.sls.prod.dcat.dsp.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
18:23:37	API Interceptor	2x Sleep call for process: Ziraat Bankasi Swift Mesaji.exe modified
18:25:16	API Interceptor	44x Sleep call for process: explorer.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
dual-a-0001.dc-msedge.net	szLAUZKesq.exe	Get hash	malicious	Browse	131.253.33.200
	http://australianmorningnews.com/	Get hash	malicious	Browse	131.253.33.200
	zJ76cv6IC8.exe	Get hash	malicious	Browse	131.253.33.200
	SecuriteInfo.com.Variant.Tedy.122593.12781.exe	Get hash	malicious	Browse	131.253.33.200
	INVOICE.exe	Get hash	malicious	Browse	13.107.22.200
	triage_dropped_file.exe	Get hash	malicious	Browse	131.253.33.200
	vbc.exe	Get hash	malicious	Browse	131.253.33.200
	REQUEST FOR OFFER 25-05-2022#U00b7pdf.exe	Get hash	malicious	Browse	131.253.33.200
	DHL Global_Inv.exe	Get hash	malicious	Browse	131.253.33.200
	Shipping Docments_0009228888.PDF.exe	Get hash	malicious	Browse	131.253.33.200
	011382843.exe	Get hash	malicious	Browse	131.253.33.200
	zN7UCkDmIC.exe	Get hash	malicious	Browse	131.253.33.200
	Purchase Order (Ref M050417).docx	Get hash	malicious	Browse	131.253.33.200
	RFQ - Offer for Attached Specs.exe	Get hash	malicious	Browse	131.253.33.200
	SecuriteInfo.com.W32.AIDetectNet.01.25717.exe	Get hash	malicious	Browse	131.253.33.200
	files.exe	Get hash	malicious	Browse	131.253.33.200
	recepit Swift copy from JCORP TRADING PTY LTD MT103_pdf.exe	Get hash	malicious	Browse	131.253.33.200
	SecuriteInfo.com.W32.AIDetectNet.01.637.exe	Get hash	malicious	Browse	131.253.33.200
	PaymentRequest_Invoice229182.docx	Get hash	malicious	Browse	131.253.33.200
	Product Inquiry.exe	Get hash	malicious	Browse	131.253.33.200

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Ziraat Bankasi Swift Mesaji.exe.log

Download File

Process:	C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1308
Entropy (8bit):	5.345811588615766
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84FsXE8:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzu
MD5:	2E016B886BDB8389D2DD0867BE55F87B
SHA1:	25D28EF2ACBB41764571E06E11BF4C05DD0E2F8B
SHA-256:	1D037CF00A8849E6866603297F85D3DABE09535E72EDD2636FB7D0F6C7DA3427
SHA-512:	C100729153954328AA2A77EECB2A3CBD03CB7E8E23D736000F890B17AAA50BA87745E30FB9E2B0D61E16DCA45694C79B4CE09B9F4475220BEB38CAEA546CFC2A
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.744489165365895
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	Ziraat Bankasi Swift Mesaji.exe
File size:	716288
MD5:	d891e26c0707977398e963d6076eeae1
SHA1:	039457a2c4d73c24ef410a7665a04e9d456019e7
SHA256:	2979a77144d0df70f4dff084420d8e034eb6f751027fa44d158de924960f2a6a
SHA512:	f75a0274621ee095f30d01b83a0d07d02974e6876384f4a99d1d818862d09781e600352479fc845a7c3e2cd885ac344d58742dd9b44e322966d710a59188740b
SSDEEP:	12288:O092x9bHoAUOvqVpleUE0q8cf7qb4dHDn8LaRASedck6Q:nUfbHodlC0qj7qcdHDn8La+SCchQ
TLSH:	4EE4F10072F81B22E2BA67FE6578A18403B67D946520E34E5DC278DB3B71F918E45F1B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....y.b..............0......Z........... ........@.. .......................@............@................................

File Icon


Icon Hash:	4462f276dcec30e6

Static PE Info

General

Entrypoint:	0x4ab1da
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x629079C1 [Fri May 27 07:12:01 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xab188	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xac000	0x57cc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xb2000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xab050	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xa91e0	0xa9200	False	0.860052025591	data	7.74275900541	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0xac000	0x57cc	0x5800	False	0.964577414773	data	7.89168206066	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xb2000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0xac100	0x51a3	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_GROUP_ICON	0xb12b4	0x14	data
RT_VERSION	0xb12d8	0x2f4	data
RT_MANIFEST	0xb15dc	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright
Assembly Version	1.0.0.0
InternalName	CallingConvent.exe
FileVersion	1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName
ProductVersion	1.0.0.0
FileDescription
OriginalFilename	CallingConvent.exe

Network Behavior

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 27, 2022 18:25:36.139713049 CEST	62843	53	192.168.2.7	8.8.8.8
May 27, 2022 18:25:36.309185982 CEST	53	62843	8.8.8.8	192.168.2.7
May 27, 2022 18:25:53.158830881 CEST	49495	53	192.168.2.7	8.8.8.8
May 27, 2022 18:25:53.581492901 CEST	53	49495	8.8.8.8	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
May 27, 2022 18:25:36.139713049 CEST	192.168.2.7	8.8.8.8	0xd167	Standard query (0)	www.gabimejia.com	A (IP address)	IN (0x0001)
May 27, 2022 18:25:53.158830881 CEST	192.168.2.7	8.8.8.8	0x98d2	Standard query (0)	www.wwohead.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
May 27, 2022 18:25:31.742157936 CEST	8.8.8.8	192.168.2.7	0x7a1c	No error (0)	www-bing-com.dual-a-0001.a-msedge.net	dual-a-0001.dc-msedge.net		CNAME (Canonical name)	IN (0x0001)
May 27, 2022 18:25:31.742157936 CEST	8.8.8.8	192.168.2.7	0x7a1c	No error (0)	dual-a-0001.dc-msedge.net		131.253.33.200	A (IP address)	IN (0x0001)
May 27, 2022 18:25:31.742157936 CEST	8.8.8.8	192.168.2.7	0x7a1c	No error (0)	dual-a-0001.dc-msedge.net		13.107.22.200	A (IP address)	IN (0x0001)
May 27, 2022 18:25:36.309185982 CEST	8.8.8.8	192.168.2.7	0xd167	No error (0)	www.gabimejia.com		104.140.60.254	A (IP address)	IN (0x0001)
May 27, 2022 18:25:53.581492901 CEST	8.8.8.8	192.168.2.7	0x98d2	No error (0)	www.wwohead.com		172.252.94.104	A (IP address)	IN (0x0001)

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: Ziraat Bankasi Swift Mesaji.exePID: 6344, Parent PID: 2312

General

Target ID:	0
Start time:	18:23:24
Start date:	27/05/2022
Path:	C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe"
Imagebase:	0xeb0000
File size:	716288 bytes
MD5 hash:	D891E26C0707977398E963D6076EEAE1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.409614207.00000000035C7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_zgRAT, Description: Detects zgRAT, Source: 00000000.00000002.414265819.0000000007B70000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.409834205.0000000004322000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.409834205.0000000004322000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.409834205.0000000004322000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.407668611.0000000003251000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: Ziraat Bankasi Swift Mesaji.exePID: 6572, Parent PID: 6344

General

Target ID:	2
Start time:	18:23:43
Start date:	27/05/2022
Path:	C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe
Imagebase:	0xd70000
File size:	716288 bytes
MD5 hash:	D891E26C0707977398E963D6076EEAE1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000000.403126818.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000000.403126818.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000000.403126818.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000000.404005637.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000000.404005637.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000000.404005637.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.511417797.00000000014C0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.511417797.00000000014C0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.511417797.00000000014C0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.511211883.0000000001380000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.511211883.0000000001380000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.511211883.0000000001380000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.510795876.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.510795876.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.510795876.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: explorer.exePID: 3808, Parent PID: 6572

General

Target ID:	4
Start time:	18:23:48
Start date:	27/05/2022
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff631f70000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000000.455844055.000000000DE2E000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000000.455844055.000000000DE2E000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000000.455844055.000000000DE2E000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000000.476604607.000000000DE2E000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000000.476604607.000000000DE2E000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000000.476604607.000000000DE2E000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Chronological Activities

Analysis Process: control.exePID: 4708, Parent PID: 3808

General

Target ID:	11
Start time:	18:24:30
Start date:	27/05/2022
Path:	C:\Windows\SysWOW64\control.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\control.exe
Imagebase:	0xdf0000
File size:	114688 bytes
MD5 hash:	40FBA3FBFD5E33E0DE1BA45472FDA66F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.632202833.0000000000B90000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.632202833.0000000000B90000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.632202833.0000000000B90000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.633141128.0000000003390000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.633141128.0000000003390000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.633141128.0000000003390000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.634227955.0000000004AF0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.634227955.0000000004AF0000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.634227955.0000000004AF0000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exePID: 3736, Parent PID: 4708

General

Target ID:	12
Start time:	18:24:36
Start date:	27/05/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del "C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe"
Imagebase:	0xdd0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exePID: 6152, Parent PID: 3736

General

Target ID:	13
Start time:	18:24:38
Start date:	27/05/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7bab80000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: explorer.exePID: 1388, Parent PID: 564

General

Target ID:	21
Start time:	18:25:15
Start date:	27/05/2022
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	explorer.exe
Imagebase:	0x7ff631f70000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high