Windows Analysis Report
Ziraat Bankasi Swift Mesaji.exe

Overview

General Information

Sample Name: Ziraat Bankasi Swift Mesaji.exe
Analysis ID: 635281
MD5: d891e26c0707977398e963d6076eeae1
SHA1: 039457a2c4d73c24ef410a7665a04e9d456019e7
SHA256: 2979a77144d0df70f4dff084420d8e034eb6f751027fa44d158de924960f2a6a
Tags: exe, Formbook, geoTUR, ZiraatBank

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Antivirus detection for URL or domain
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Self deletion via cmd or bat file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Injects a PE file into foreign processes
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • Ziraat Bankasi Swift Mesaji.exe (PID: 6344 cmdline: "C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe" MD5: D891E26C0707977398E963D6076EEAE1)
    • Ziraat Bankasi Swift Mesaji.exe (PID: 6572 cmdline: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe MD5: D891E26C0707977398E963D6076EEAE1)
      • explorer.exe (PID: 3808 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • control.exe (PID: 4708 cmdline: C:\Windows\SysWOW64\control.exe MD5: 40FBA3FBFD5E33E0DE1BA45472FDA66F)
          • cmd.exe (PID: 3736 cmdline: /c del "C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • explorer.exe (PID: 1388 cmdline: explorer.exe MD5: AD5296B280E8F522A8A897C96BAB0E1D)
  • cleanup
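The process tree above shows the FormBook loader chain: the sample starts a second copy of itself (created suspended, then hollowed), the payload migrates into explorer.exe, explorer.exe launches the 32-bit control.exe from SysWOW64 as the final host, and that control.exe spawns cmd.exe to delete the original executable. The Python below is an added example for endpoint detection, not code from the Joe Sandbox report: it rebuilds the tree from constructed Sysmon-style process-creation records (pid, ppid, image, cmdline) carrying this report's PIDs and command lines, then flags a cmd.exe `del` whose target is the image path of one of its own ancestors (self-deletion), and an explorer.exe > control.exe > cmd.exe chain, which a user opening Control Panel never produces. The record layout, the parent PID 1000 of the first process, the benign control.exe record and all function names are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Constructed process-creation records (Sysmon Event ID 1 style fields) mirroring
# the PIDs, images and command lines of the sandbox process tree. The parent PID
# 1000 of the first process and the benign control.exe (PID 9001) are assumptions.
EVENTS = [
    {"pid": 6344, "ppid": 1000, "image": r"C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe",
     "cmdline": r'"C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe"'},
    {"pid": 6572, "ppid": 6344, "image": r"C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe",
     "cmdline": r"C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe"},
    {"pid": 3808, "ppid": 6572, "image": r"C:\Windows\Explorer.EXE",
     "cmdline": r"C:\Windows\Explorer.EXE"},
    {"pid": 4708, "ppid": 3808, "image": r"C:\Windows\SysWOW64\control.exe",
     "cmdline": r"C:\Windows\SysWOW64\control.exe"},
    {"pid": 3736, "ppid": 4708, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'cmd.exe /c del "C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe"'},
    {"pid": 6152, "ppid": 3736, "image": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"pid": 9001, "ppid": 3808, "image": r"C:\Windows\System32\control.exe",
     "cmdline": "control.exe"},   # benign: Control Panel opened by the user, no cmd.exe child
]

# "del" optionally followed by switches (/f /q ...) and then a quoted or bare path.
DEL_RE = re.compile(r'\bdel\b(?:\s+/[a-z])*\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


def build_tree(events):
    """Index records by PID so parents can be looked up in O(1)."""
    return {e["pid"]: Proc(**e) for e in events}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestors(tree, pid):
    """Yield parent, grandparent, ... until the chain leaves the known records or loops."""
    seen = {pid}
    proc = tree.get(pid)
    while proc is not None and proc.ppid not in seen:
        proc = tree.get(proc.ppid)
        if proc is None:
            break
        seen.add(proc.pid)
        yield proc


def deleted_target(cmdline):
    """Path passed to 'del' in a cmd.exe command line, or None if there is no del."""
    m = DEL_RE.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None


def find_self_deletion(tree):
    """cmd.exe deleting the image of one of its ancestors: the malware removing its own dropper."""
    hits = []
    for proc in tree.values():
        if basename(proc.image) != "cmd.exe":
            continue
        target = deleted_target(proc.cmdline)
        if target is None:
            continue
        for anc in ancestors(tree, proc.pid):
            if anc.image.lower() == target.lower():
                hits.append({"cmd_pid": proc.pid, "deleted": target, "ancestor_pid": anc.pid})
                break
    return hits


def find_explorer_control_cmd_chain(tree):
    """explorer.exe -> control.exe -> cmd.exe: control.exe is a host for injected code here."""
    hits = []
    for proc in tree.values():
        if basename(proc.image) != "cmd.exe":
            continue
        chain = list(ancestors(tree, proc.pid))
        if (len(chain) >= 2 and basename(chain[0].image) == "control.exe"
                and basename(chain[1].image) == "explorer.exe"):
            hits.append({"cmd_pid": proc.pid, "control_pid": chain[0].pid, "explorer_pid": chain[1].pid})
    return hits


if __name__ == "__main__":
    tree = build_tree(EVENTS)
    for hit in find_self_deletion(tree):
        print("self-deletion:", hit)
    for hit in find_explorer_control_cmd_chain(tree):
        print("explorer->control->cmd chain:", hit)
```

On a real host the same two checks run over Sysmon Event ID 1 (or EDR process-start telemetry); the ancestor walk is what distinguishes the dropper deleting itself from an administrator's unrelated `del`.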
{"C2 list": ["www.wwohead.com/ah6m/"], "decoy": ["saudeybeleza.com", "ethereumtiger.business", "thesoupproject.net", "cedarwoodtownhomesnp.com", "gyascool.com", "gosourcecap.com", "womeninnetworking.net", "nahade-gostar.com", "dcman900.com", "mirrorparcel.com", "lamowlettu.xyz", "glencoreprocurement.com", "codsini.com", "thripear.space", "movierepository.com", "51cdfang.com", "hananiabeauty.store", "mortgagemanuas.com", "remotingpeople.com", "myimpressivefashion.com", "northhamptonapartments.com", "lostinsmokemint.xyz", "sebhbr.xyz", "hummingbirdfeederhat.com", "maplebakers.com", "unwrapmelingerie.com", "felipekamakura.com", "stringm.com", "ukgdimensions.red", "shopofplaythings.com", "jinlebao.com", "alenapolozkova.com", "aerialdatainc.com", "metaverseiop.com", "yuh-gal-p.xyz", "thebluejaybuilder.com", "my-mallorca.estate", "experteee.com", "difan-mobile.com", "postalhistoryworld.com", "codifyrear.xyz", "cankiribelediyespor.net", "alizandracloset.com", "everythingmandab.com", "africabet365.bet", "ww223343.com", "xpresslinkshippement.com", "xiaochunge.top", "parkerbeautyfragrance.com", "makerthejackets.com", "souldig.xyz", "irstaxbenfits.com", "audiopilot.xyz", "theguaranteedadmissions.com", "nontradebulkcement.online", "alltinyildiz.com", "celestialtherapy.net", "11milliondreams.com", "matadorbet182.com", "gabimejia.com", "planet-ideam.com", "os00hpaeo4hu726fp.life", "etudier-medecine-roumanie.com", "zilong88.top"]}
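The configuration above is what makes FormBook traffic awkward to block on hostnames alone: one real C2 (www.wwohead.com/ah6m/) is listed beside 64 decoy domains, and the bot sends the same beacon to decoys as well as to the C2 (the explorer.exe memory strings later in this report show http://www.51cdfang.com/ah6m/, http://www.stringm.com/ah6m/ and so on, each followed by a Referer header). The campaign-specific URI path (/ah6m/ here) is therefore the indicator that survives, and a decoy hostname without that path is not evidence of infection, since decoys are frequently legitimate sites. The Python below is an added example, not Joe Sandbox code: it derives the campaign path and C2 host from the extracted JSON, then classifies constructed proxy log lines as c2, decoy, or path-only (the campaign path on a host in neither list, which would mean the configuration has changed since extraction). The decoy list is abridged to domains that appear in this report's memory strings; the log format, client IPs and function names are assumptions.

```python
import json
import re
from urllib.parse import urlsplit

# FormBook configuration as extracted by the sandbox (copied from the report; the decoy
# list is abridged to the domains that also occur in this report's explorer.exe strings).
CONFIG = json.loads("""{
  "C2 list": ["www.wwohead.com/ah6m/"],
  "decoy": ["51cdfang.com", "aerialdatainc.com", "alltinyildiz.com", "difan-mobile.com",
            "everythingmandab.com", "gabimejia.com", "glencoreprocurement.com",
            "hummingbirdfeederhat.com", "nontradebulkcement.online", "planet-ideam.com",
            "stringm.com", "theguaranteedadmissions.com", "thesoupproject.net",
            "xiaochunge.top", "yuh-gal-p.xyz"]
}""")

# Constructed proxy log lines (not from the sandbox): "<ts> <client> <method> <url> <status>".
PROXY_LOG = """\
1656000001 10.0.0.5 GET http://www.wwohead.com/ah6m/ 200
1656000002 10.0.0.5 POST http://www.stringm.com/ah6m/ 200
1656000003 10.0.0.5 GET http://www.51cdfang.com/ah6m/ 404
1656000004 10.0.0.5 GET http://www.example.com/index.html 200
1656000005 10.0.0.7 GET http://www.stringm.com/ 200
1656000006 10.0.0.9 GET http://www.newhost.invalid/ah6m/ 200
"""
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$")


def _split(entry):
    """Config entries carry no scheme; prepend one so urlsplit separates host and path."""
    return urlsplit(entry if "://" in entry else "http://" + entry)


def campaign_paths(config):
    """URI path(s) shared by every beacon of this campaign, e.g. {'/ah6m/'}."""
    return {_split(e).path for e in config["C2 list"]}


def c2_hosts(config):
    return {_split(e).hostname.lower() for e in config["C2 list"]}


def host_matches(host, domain):
    """Exact or subdomain match; FormBook prefixes decoys with 'www.' when beaconing."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def classify(url, config):
    """'c2', 'decoy', 'path-only' (campaign path on an unknown host) or None (no match)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.path not in campaign_paths(config):
        return None                       # decoy domain alone is not an indicator
    if any(host_matches(host, d) for d in c2_hosts(config)):
        return "c2"
    if any(host_matches(host, d) for d in config["decoy"]):
        return "decoy"
    return "path-only"


def scan(log_text, config):
    """Run the classifier over proxy log lines and return the alerts in log order."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        verdict = classify(m["url"], config)
        if verdict is not None:
            alerts.append({"client": m["client"], "url": m["url"], "verdict": verdict})
    return alerts


if __name__ == "__main__":
    for alert in scan(PROXY_LOG, CONFIG):
        print(f'{alert["client"]:10} {alert["verdict"]:9} {alert["url"]}')
```

The verdict matters for triage: a single client producing both "c2" and "decoy" hits with the same path is a FormBook infection, a "path-only" hit on that path points at infrastructure not in this extraction, and the request to www.stringm.com/ with no campaign path is ignored on purpose.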
Source | Rule | Description | Author | Strings
00000002.00000000.403126818.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
    00000002.00000000.403126818.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    00000002.00000000.403126818.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x18839:$sqlite3step: 68 34 1C 7B E1
    • 0x1894c:$sqlite3step: 68 34 1C 7B E1
    • 0x18868:$sqlite3text: 68 38 2A 90 C5
    • 0x1898d:$sqlite3text: 68 38 2A 90 C5
    • 0x1887b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
    0000000B.00000002.632202833.0000000000B90000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
      0000000B.00000002.632202833.0000000000B90000.00000040.80000000.00040000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
      33 further matches not shown.
      Source | Rule | Description | Author | Strings
      0.2.Ziraat Bankasi Swift Mesaji.exe.44eb6c0.5.unpack | MALWARE_Win_zgRAT | Detects zgRAT | ditekSHen
      • 0x4f7eb:$s1: file:///
      • 0x4f6fb:$s2: {11111-22222-10009-11112}
      • 0x4f77b:$s3: {11111-22222-50001-00000}
      • 0x4cc15:$s4: get_Module
      • 0x4d05b:$s5: Reverse
      • 0x4f02a:$s6: BlockCopy
      • 0x4ee6e:$s7: ReadByte
      • 0x4f7fd:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
      0.2.Ziraat Bankasi Swift Mesaji.exe.44bbf10.6.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
        0.2.Ziraat Bankasi Swift Mesaji.exe.44bbf10.6.raw.unpack | MALWARE_Win_zgRAT | Detects zgRAT | ditekSHen
        • 0x80d9b:$s1: file:///
        • 0x80cab:$s2: {11111-22222-10009-11112}
        • 0x80d2b:$s3: {11111-22222-50001-00000}
        • 0x7e1c5:$s4: get_Module
        • 0x7e60b:$s5: Reverse
        • 0x805da:$s6: BlockCopy
        • 0x8041e:$s7: ReadByte
        • 0x80dad:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
        0.2.Ziraat Bankasi Swift Mesaji.exe.44bbf10.6.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
        • 0xc2ed8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0xc3142:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0xcec75:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0xce761:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0xced77:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0xceeef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0xc3b5a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0xcd9dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0xc4853:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0xd4ee7:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0xd5eea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
        0.2.Ziraat Bankasi Swift Mesaji.exe.44bbf10.6.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
        • 0xd1e09:$sqlite3step: 68 34 1C 7B E1
        • 0xd1f1c:$sqlite3step: 68 34 1C 7B E1
        • 0xd1e38:$sqlite3text: 68 38 2A 90 C5
        • 0xd1f5d:$sqlite3text: 68 38 2A 90 C5
        • 0xd1e4b:$sqlite3blob: 68 53 D8 7F 8C
        • 0xd1f73:$sqlite3blob: 68 53 D8 7F 8C
        31 further matches not shown.
        No Sigma rule has matched
        No Snort rule has matched
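The byte strings the rules matched above are worth reading rather than just counting. Each JPCERT string is a five-byte x86 PUSH imm32 (opcode 0x68), and the names the rule gives them (sqlite3step, sqlite3text, sqlite3blob) show that the pushed constants stand in for the sqlite3 functions FormBook uses to read browser databases. yara-signator's $sequence_0 (03 C8 0F 31 2B C1 89 45 FC) disassembles to add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax, the RDTSC delta measurement behind the "detect virtualization through RDTSC time measurements" signature. The zgRAT $s8 string is a run of .NET #US heap entries (compressed length prefix, UTF-16LE text, one trailing flag byte, ECMA-335 II.24.2.4), which is why it reads as "Location", "Find ", "ResourceA", "Virtual..." once decoded. The Python below is an added example, not code from the report or from the rule authors: it decodes the PUSH immediates, scans a constructed buffer standing in for a .sdmp dump for the JPCERT and yara-signator strings, and decodes the #US heap run, including the blob the pattern cuts off. The constructed dump, the offsets used in it, and the assumption that the JPCERT rule requires all three strings are mine; the real rule's condition is not shown on this page.

```python
import struct

# Byte strings copied from the rule matches in this report.
JPCERT_STRINGS = {
    "sqlite3step": "68 34 1C 7B E1",
    "sqlite3text": "68 38 2A 90 C5",
    "sqlite3blob": "68 53 D8 7F 8C",
}
SIGNATOR_SEQ0 = "03 C8 0F 31 2B C1 89 45 FC"   # add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax
ZGRAT_S8 = ("4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 "
            "00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 "
            "74 00 75 00 61 00 6C 00")           # the rule's $s8, truncated where the report shows "..."


def pattern(hexstr):
    return bytes.fromhex(hexstr)


def push_imm32(hexstr):
    """'68 xx xx xx xx' is x86 PUSH imm32; return the little-endian immediate."""
    b = pattern(hexstr)
    if len(b) != 5 or b[0] != 0x68:
        raise ValueError("not a PUSH imm32 encoding")
    return struct.unpack("<I", b[1:])[0]


def find_all(buf, pat):
    """All offsets of pat in buf, overlapping matches included (YARA semantics)."""
    offsets, i = [], buf.find(pat)
    while i != -1:
        offsets.append(i)
        i = buf.find(pat, i + 1)
    return offsets


def scan_dump(buf):
    """Offsets of every rule string, the way the 'Strings' column above lists them."""
    hits = {name: find_all(buf, pattern(h)) for name, h in JPCERT_STRINGS.items()}
    hits["sequence_0"] = find_all(buf, pattern(SIGNATOR_SEQ0))
    return hits


def jpcert_rule_fires(hits):
    """Assumed condition: all three sqlite3 strings present (the page does not show the real one)."""
    return all(hits[name] for name in JPCERT_STRINGS)


def build_sample_dump():
    """Constructed stand-in for a .sdmp: NOP filler with the rule strings at chosen offsets."""
    buf = bytearray(b"\x90" * 0x300)
    for off, name in zip((0x100, 0x140, 0x180), JPCERT_STRINGS):
        pat = pattern(JPCERT_STRINGS[name])
        buf[off:off + len(pat)] = pat
    pat = pattern(SIGNATOR_SEQ0)
    buf[0x200:0x200 + len(pat)] = pat
    return bytes(buf)


def read_compressed_uint(data, pos):
    """ECMA-335 II.23.2 compressed unsigned integer; returns (value, next_pos)."""
    b0 = data[pos]
    if b0 & 0x80 == 0:
        return b0, pos + 1
    if b0 & 0xC0 == 0x80:
        return ((b0 & 0x3F) << 8) | data[pos + 1], pos + 2
    if b0 & 0xE0 == 0xC0:
        return (((b0 & 0x1F) << 24) | (data[pos + 1] << 16)
                | (data[pos + 2] << 8) | data[pos + 3]), pos + 4
    raise ValueError("invalid compressed integer")


def decode_us_heap_run(data, pos=0):
    """Decode consecutive #US blobs: length, UTF-16LE chars, one trailing flag byte.
    Returns [(text, complete)]; a blob cut off by the end of data is returned partial."""
    out = []
    while pos < len(data):
        length, pos = read_compressed_uint(data, pos)
        chunk = data[pos:pos + length]
        complete = len(chunk) == length
        text = chunk[:-1] if complete else chunk[: len(chunk) // 2 * 2]
        out.append((text.decode("utf-16-le"), complete))
        pos += length
    return out


def decode_zgrat_s8():
    """The rule starts mid-blob: 'Location' is the tail of an entry whose length byte
    lies before the pattern, so skip its 16 text bytes plus the flag byte."""
    data = pattern(ZGRAT_S8)
    return data[:16].decode("utf-16-le"), decode_us_heap_run(data, 17)


if __name__ == "__main__":
    for name, h in JPCERT_STRINGS.items():
        print(f"{name}: push 0x{push_imm32(h):08X}")
    print(scan_dump(build_sample_dump()))
    print(decode_zgrat_s8())
```

Running scan_dump over a real .sdmp from the report (read as bytes) reproduces the offsets in the Strings column; the #US decoder is the piece to reach for whenever a .NET rule string looks like spaced-out ASCII interrupted by small odd bytes.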

        AV Detection

        Source: 00000002.00000000.403126818.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Malware Configuration Extractor: FormBook (same configuration as listed under Classification above)
        Source: Ziraat Bankasi Swift Mesaji.exe | ReversingLabs: Detection: 21%
        Source: Yara match | File source: 0.2.Ziraat Bankasi Swift Mesaji.exe.44bbf10.6.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 2.0.Ziraat Bankasi Swift Mesaji.exe.400000.4.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.Ziraat Bankasi Swift Mesaji.exe.44eb6c0.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 2.0.Ziraat Bankasi Swift Mesaji.exe.400000.6.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 2.0.Ziraat Bankasi Swift Mesaji.exe.400000.8.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 2.0.Ziraat Bankasi Swift Mesaji.exe.400000.8.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 2.0.Ziraat Bankasi Swift Mesaji.exe.400000.6.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 2.2.Ziraat Bankasi Swift Mesaji.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 2.2.Ziraat Bankasi Swift Mesaji.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.Ziraat Bankasi Swift Mesaji.exe.43221b0.7.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 00000002.00000000.403126818.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000002.632202833.0000000000B90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000004.00000000.455844055.000000000DE2E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000002.00000000.404005637.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000004.00000000.476604607.000000000DE2E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000002.00000002.511417797.00000000014C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000002.00000002.511211883.0000000001380000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000002.633141128.0000000003390000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.409834205.0000000004322000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000002.634227955.0000000004AF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000002.00000002.510795876.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: www.wwohead.com/ah6m/ | Avira URL Cloud: Label: malware
        Source: http://www.wwohead.com/ah6m/ | Avira URL Cloud: Label: malware
        Source: http://www.wwohead.com/ah6m/www.51cdfang.com | Avira URL Cloud: Label: malware
        Source: http://www.stringm.com/ah6m/ | Avira URL Cloud: Label: malware
        Source: http://www.stringm.com/ah6m/www.yuh-gal-p.xyz | Avira URL Cloud: Label: malware
        Source: 2.0.Ziraat Bankasi Swift Mesaji.exe.400000.4.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
        Source: 2.0.Ziraat Bankasi Swift Mesaji.exe.400000.6.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
        Source: 2.0.Ziraat Bankasi Swift Mesaji.exe.400000.8.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
        Source: 2.2.Ziraat Bankasi Swift Mesaji.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
        Source: Ziraat Bankasi Swift Mesaji.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
        Source: Ziraat Bankasi Swift Mesaji.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: Binary string: control.pdb source: Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.512357918.0000000001900000.00000040.10000000.00040000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.511820567.0000000001549000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: wntdll.pdbUGP source: Ziraat Bankasi Swift Mesaji.exe, 00000002.00000003.406485483.00000000017EE000.00000004.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.513084585.0000000001A9F000.00000040.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.512556950.0000000001980000.00000040.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000003.404458480.0000000001647000.00000004.00000800.00020000.00000000.sdmp, control.exe, 0000000B.00000003.512780050.0000000004C95000.00000004.00000800.00020000.00000000.sdmp, control.exe, 0000000B.00000002.644924217.0000000004E30000.00000040.00000800.00020000.00000000.sdmp, control.exe, 0000000B.00000002.665198804.0000000004F4F000.00000040.00000800.00020000.00000000.sdmp, control.exe, 0000000B.00000003.510727580.0000000004AF3000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: wntdll.pdb source: Ziraat Bankasi Swift Mesaji.exe, 00000002.00000003.406485483.00000000017EE000.00000004.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.513084585.0000000001A9F000.00000040.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.512556950.0000000001980000.00000040.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000003.404458480.0000000001647000.00000004.00000800.00020000.00000000.sdmp, control.exe, control.exe, 0000000B.00000003.512780050.0000000004C95000.00000004.00000800.00020000.00000000.sdmp, control.exe, 0000000B.00000002.644924217.0000000004E30000.00000040.00000800.00020000.00000000.sdmp, control.exe, 0000000B.00000002.665198804.0000000004F4F000.00000040.00000800.00020000.00000000.sdmp, control.exe, 0000000B.00000003.510727580.0000000004AF3000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\FRJeWenFHc\src\obj\x86\Debug\CallingConvent.pdb source: Ziraat Bankasi Swift Mesaji.exe, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000000.401671865.0000000000D72000.00000002.00000001.01000000.00000003.sdmp, control.exe, 0000000B.00000002.666266960.000000000535F000.00000004.10000000.00040000.00000000.sdmp, explorer.exe, 00000015.00000000.615015403.00000000069EF000.00000004.80000000.00040000.00000000.sdmp
        Source: Binary string: control.pdbUGP source: Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.512357918.0000000001900000.00000040.10000000.00040000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.511820567.0000000001549000.00000004.00000020.00020000.00000000.sdmp

        Networking

        Source: Malware configuration extractor | URLs: www.wwohead.com/ah6m/
        Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.413299631.0000000007422000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fontfabrik.com
        Source: explorer.exe, 00000004.00000000.463834252.00000000026D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.442686652.00000000026D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.411056762.00000000026D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.498956126.00000000026D0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ns.adobY
        Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.51cdfang.com
        Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.51cdfang.com/ah6m/
        Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.51cdfang.com/ah6m/www.theguaranteedadmissions.com
        Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.51cdfang.comReferer:
        Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.aerialdatainc.com
        Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.aerialdatainc.com/ah6m/
        Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.aerialdatainc.com/ah6m/www.planet-ideam.com
        Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.aerialdatainc.comReferer:
        Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.alltinyildiz.com
        Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.alltinyildiz.com/ah6m/
        Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.alltinyildiz.com/ah6m/www.xiaochunge.top
        Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.alltinyildiz.comReferer:
        Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.413299631.0000000007422000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
        Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.413299631.0000000007422000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
        Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.difan-mobile.com
        Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.difan-mobile.com/ah6m/
        Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.difan-mobile.com/ah6m/www.nontradebulkcement.online
        Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.difan-mobile.comReferer:
        Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.everythingmandab.com
        Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.everythingmandab.com/ah6m/
        Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.everythingmandab.com/ah6m/www.stringm.com
        Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.everythingmandab.comReferer:
        Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.413299631.0000000007422000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
        Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.413299631.0000000007422000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
        Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.413299631.0000000007422000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
        Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.413299631.0000000007422000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
        Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.413299631.0000000007422000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
        Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.413299631.0000000007422000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
        Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.413299631.0000000007422000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
        Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.413299631.0000000007422000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
        Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.413299631.0000000007422000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
        Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.413299631.0000000007422000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
        Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.413299631.0000000007422000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
        Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.413299631.0000000007422000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
        Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.gabimejia.com
        Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.gabimejia.com/ah6m/
        Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.gabimejia.com/ah6m/www.wwohead.com
        Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.gabimejia.comReferer:
        Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.413299631.0000000007422000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
        Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.413299631.0000000007422000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
        Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.glencoreprocurement.com
        Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.glencoreprocurement.com/ah6m/
        Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.glencoreprocurement.com/ah6m/www.thesoupproject.net
        Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.glencoreprocurement.comReferer:
        Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.413299631.0000000007422000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
        Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.hummingbirdfeederhat.com
        Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.hummingbirdfeederhat.com/ah6m/
        Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.hummingbirdfeederhat.comReferer:
        Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.413299631.0000000007422000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
        Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.nontradebulkcement.online
        Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.nontradebulkcement.online/ah6m/
        Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.nontradebulkcement.online/ah6m/www.hummingbirdfeederhat.com
        Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.nontradebulkcement.onlineReferer:
        Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.planet-ideam.com
        Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.planet-ideam.com/ah6m/
        Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.planet-ideam.com/ah6m/www.glencoreprocurement.com
        Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.planet-ideam.comReferer:
        Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.413299631.0000000007422000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
        Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.413299631.0000000007422000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
        Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.413299631.0000000007422000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
        Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.stringm.com
        Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.stringm.com/ah6m/
        Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.stringm.com/ah6m/www.yuh-gal-p.xyz
        Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.stringm.comReferer:
        Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.theguaranteedadmissions.com
        Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.theguaranteedadmissions.com/ah6m/
        Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.theguaranteedadmissions.com/ah6m/www.aerialdatainc.com
        Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.theguaranteedadmissions.comReferer:
        Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.thesoupproject.net
        Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.thesoupproject.net/ah6m/
        Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.thesoupproject.net/ah6m/www.everythingmandab.com
        Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.thesoupproject.netReferer:
        Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.413299631.0000000007422000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
        Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.413299631.0000000007422000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
        Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.413299631.0000000007422000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
        Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.wwohead.com
        Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.wwohead.com/ah6m/
        Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.wwohead.com/ah6m/www.51cdfang.com
        Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.wwohead.comReferer:
        Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.xiaochunge.top
        Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.xiaochunge.top/ah6m/
        Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.xiaochunge.top/ah6m/www.difan-mobile.com
        Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.xiaochunge.topReferer:
        Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.yuh-gal-p.xyz
        Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.yuh-gal-p.xyz/ah6m/
        Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.yuh-gal-p.xyz/ah6m/www.alltinyildiz.com
        Source: explorer.exe, 00000015.00000002.669684800.0000000008A8B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.yuh-gal-p.xyzReferer:
        Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.413299631.0000000007422000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
        Source: Ziraat Bankasi Swift Mesaji.exeString found in binary or memory: https://github.com
        Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000000.359661923.0000000000EB2000.00000002.00000001.01000000.00000003.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000000.401671865.0000000000D72000.00000002.00000001.01000000.00000003.sdmp, control.exe, 0000000B.00000002.666266960.000000000535F000.00000004.10000000.00040000.00000000.sdmp, explorer.exe, 00000015.00000000.615015403.00000000069EF000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: https://github.com/dcoetzee/plants-vs-zombies-user-file-editor
        Source: unknownDNS traffic detected: queries for: www.gabimejia.com

        E-Banking Fraud

        Source: Yara match | File source: 0.2.Ziraat Bankasi Swift Mesaji.exe.44bbf10.6.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 2.0.Ziraat Bankasi Swift Mesaji.exe.400000.4.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.Ziraat Bankasi Swift Mesaji.exe.44eb6c0.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 2.0.Ziraat Bankasi Swift Mesaji.exe.400000.6.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 2.0.Ziraat Bankasi Swift Mesaji.exe.400000.8.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 2.0.Ziraat Bankasi Swift Mesaji.exe.400000.8.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 2.0.Ziraat Bankasi Swift Mesaji.exe.400000.6.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 2.2.Ziraat Bankasi Swift Mesaji.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 2.2.Ziraat Bankasi Swift Mesaji.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.Ziraat Bankasi Swift Mesaji.exe.43221b0.7.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 00000002.00000000.403126818.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000002.632202833.0000000000B90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000004.00000000.455844055.000000000DE2E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000002.00000000.404005637.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000004.00000000.476604607.000000000DE2E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000002.00000002.511417797.00000000014C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000002.00000002.511211883.0000000001380000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000002.633141128.0000000003390000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.409834205.0000000004322000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000B.00000002.634227955.0000000004AF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000002.00000002.510795876.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

        System Summary

        Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.44eb6c0.5.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
        Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.44bbf10.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
        Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.44bbf10.6.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.44bbf10.6.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: 2.0.Ziraat Bankasi Swift Mesaji.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 2.0.Ziraat Bankasi Swift Mesaji.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.44eb6c0.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
        Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.44eb6c0.5.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.44eb6c0.5.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: 2.0.Ziraat Bankasi Swift Mesaji.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 2.0.Ziraat Bankasi Swift Mesaji.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: 2.0.Ziraat Bankasi Swift Mesaji.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 2.0.Ziraat Bankasi Swift Mesaji.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.7b70000.9.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
        Source: 2.0.Ziraat Bankasi Swift Mesaji.exe.400000.8.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 2.0.Ziraat Bankasi Swift Mesaji.exe.400000.8.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: 2.0.Ziraat Bankasi Swift Mesaji.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 2.0.Ziraat Bankasi Swift Mesaji.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: 2.2.Ziraat Bankasi Swift Mesaji.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 2.2.Ziraat Bankasi Swift Mesaji.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: 2.2.Ziraat Bankasi Swift Mesaji.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 2.2.Ziraat Bankasi Swift Mesaji.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.7b70000.9.raw.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
        Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.43221b0.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
        Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.43221b0.7.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.43221b0.7.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: 00000002.00000000.403126818.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 00000002.00000000.403126818.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: 0000000B.00000002.632202833.0000000000B90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 0000000B.00000002.632202833.0000000000B90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: 00000004.00000000.455844055.000000000DE2E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 00000004.00000000.455844055.000000000DE2E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: 00000002.00000000.404005637.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 00000002.00000000.404005637.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: 00000004.00000000.476604607.000000000DE2E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 00000004.00000000.476604607.000000000DE2E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: 00000000.00000002.414265819.0000000007B70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects zgRAT Author: ditekSHen
        Source: 00000002.00000002.511417797.00000000014C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 00000002.00000002.511417797.00000000014C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: 00000002.00000002.511211883.0000000001380000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 00000002.00000002.511211883.0000000001380000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: 0000000B.00000002.633141128.0000000003390000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 0000000B.00000002.633141128.0000000003390000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: 00000000.00000002.409834205.0000000004322000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 00000000.00000002.409834205.0000000004322000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: 0000000B.00000002.634227955.0000000004AF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 0000000B.00000002.634227955.0000000004AF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: 00000002.00000002.510795876.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 00000002.00000002.510795876.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: Process Memory Space: explorer.exe PID: 1388, type: MEMORYSTR | Matched rule: Semi-Auto-generated - file ironshell.php.txt Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
        Source: Ziraat Bankasi Swift Mesaji.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
        Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.44eb6c0.5.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
        Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.44bbf10.6.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
        Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.44bbf10.6.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.44bbf10.6.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 2.0.Ziraat Bankasi Swift Mesaji.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 2.0.Ziraat Bankasi Swift Mesaji.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.44eb6c0.5.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
        Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.44eb6c0.5.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.44eb6c0.5.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 2.0.Ziraat Bankasi Swift Mesaji.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 2.0.Ziraat Bankasi Swift Mesaji.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 2.0.Ziraat Bankasi Swift Mesaji.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 2.0.Ziraat Bankasi Swift Mesaji.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.7b70000.9.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
        Source: 2.0.Ziraat Bankasi Swift Mesaji.exe.400000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 2.0.Ziraat Bankasi Swift Mesaji.exe.400000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 2.0.Ziraat Bankasi Swift Mesaji.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 2.0.Ziraat Bankasi Swift Mesaji.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 2.2.Ziraat Bankasi Swift Mesaji.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 2.2.Ziraat Bankasi Swift Mesaji.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 2.2.Ziraat Bankasi Swift Mesaji.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 2.2.Ziraat Bankasi Swift Mesaji.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.7b70000.9.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
        Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.43221b0.7.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
        Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.43221b0.7.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 0.2.Ziraat Bankasi Swift Mesaji.exe.43221b0.7.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 00000002.00000000.403126818.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 00000002.00000000.403126818.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 0000000B.00000002.632202833.0000000000B90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 0000000B.00000002.632202833.0000000000B90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 00000004.00000000.455844055.000000000DE2E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 00000004.00000000.455844055.000000000DE2E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 00000002.00000000.404005637.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 00000002.00000000.404005637.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 00000004.00000000.476604607.000000000DE2E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 00000004.00000000.476604607.000000000DE2E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 00000000.00000002.414265819.0000000007B70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
        Source: 00000002.00000002.511417797.00000000014C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 00000002.00000002.511417797.00000000014C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 00000002.00000002.511211883.0000000001380000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 00000002.00000002.511211883.0000000001380000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 0000000B.00000002.633141128.0000000003390000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 0000000B.00000002.633141128.0000000003390000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 00000000.00000002.409834205.0000000004322000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 00000000.00000002.409834205.0000000004322000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 0000000B.00000002.634227955.0000000004AF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 0000000B.00000002.634227955.0000000004AF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 00000002.00000002.510795876.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 00000002.00000002.510795876.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: Process Memory Space: explorer.exe PID: 1388, type: MEMORYSTRMatched rule: ironshell_php author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - file ironshell.php.txt, hash = 8bfa2eeb8a3ff6afc619258e39fded56
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 0_2_00EB4714
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 0_2_0322F071
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 0_2_0322F080
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 0_2_0322D65C
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 2_2_00401030
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 2_2_004012FB
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 2_2_0041D5C2
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 2_2_0041EDE5
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 2_2_00402D87
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 2_2_00402D90
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 2_2_00409E4B
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 2_2_00409E50
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 2_2_0041E613
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 2_2_00402FB0
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 2_2_0041DFB2
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 2_2_00D74714
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E6B090
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04F11002
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E6841F
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E6D5E0
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E82581
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04F21D55
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E50D20
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E74120
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E5F900
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E76E30
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E8EBB0
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_00B92D90
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_00B92D87
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_00BAEDE5
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_00BAD5C2
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_00BAE613
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_00B99E50
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_00B99E4B
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_00BADFB2
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_00B92FB0
        Source: C:\Windows\SysWOW64\control.exeCode function: String function: 04E5B150 appears 32 times
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 2_2_0041A350 NtCreateFile,
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 2_2_0041A400 NtReadFile,
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 2_2_0041A480 NtClose,
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 2_2_0041A530 NtAllocateVirtualMemory,
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 2_2_0041A34A NtCreateFile,
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 2_2_0041A3FA NtReadFile,
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 2_2_0041A3A4 NtReadFile,
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 2_2_0041A47A NtClose,
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 2_2_0041A52A NtAllocateVirtualMemory,
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E99860 NtQuerySystemInformation,LdrInitializeThunk,
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E99840 NtDelayExecution,LdrInitializeThunk,
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E995D0 NtClose,LdrInitializeThunk,
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E999A0 NtCreateSection,LdrInitializeThunk,
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E99540 NtReadFile,LdrInitializeThunk,
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E99910 NtAdjustPrivilegesToken,LdrInitializeThunk,
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E996E0 NtFreeVirtualMemory,LdrInitializeThunk,
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E996D0 NtCreateKey,LdrInitializeThunk,
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E99660 NtAllocateVirtualMemory,LdrInitializeThunk,
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E99A50 NtCreateFile,LdrInitializeThunk,
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E99650 NtQueryValueKey,LdrInitializeThunk,
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E99FE0 NtCreateMutant,LdrInitializeThunk,
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E99780 NtMapViewOfSection,LdrInitializeThunk,
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E99710 NtQueryInformationToken,LdrInitializeThunk,
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E998F0 NtReadVirtualMemory,
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E998A0 NtWriteVirtualMemory,
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E9B040 NtSuspendThread,
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E99820 NtEnumerateKey,
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E995F0 NtQueryInformationFile,
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E999D0 NtCreateProcessEx,
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E99560 NtWriteFile,
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E99950 NtQueueApcThread,
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E99520 NtWaitForSingleObject,
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E9AD30 NtSetContextThread,
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E99A80 NtOpenDirectoryObject,
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E99670 NtQueryInformationProcess,
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E99A20 NtResumeThread,
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E99A00 NtProtectVirtualMemory,
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E99610 NtEnumerateValueKey,
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E99A10 NtQuerySection,
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E997A0 NtUnmapViewOfSection,
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E9A3B0 NtGetContextThread,
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E99760 NtOpenProcess,
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E99770 NtSetInformationFile,
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E9A770 NtOpenThread,
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E99730 NtQueryVirtualMemory,
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E99B00 NtSetValueKey,
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E9A710 NtOpenProcessToken,
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_00BAA350 NtCreateFile,
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_00BAA480 NtClose,
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_00BAA400 NtReadFile,
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_00BAA530 NtAllocateVirtualMemory,
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_00BAA3A4 NtReadFile,
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_00BAA3FA NtReadFile,
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_00BAA34A NtCreateFile,
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_00BAA47A NtClose,
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_00BAA52A NtAllocateVirtualMemory,
        Source: Ziraat Bankasi Swift Mesaji.exeBinary or memory string: OriginalFilename vs Ziraat Bankasi Swift Mesaji.exe
        Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.408614251.0000000003316000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCerbera.dll" vs Ziraat Bankasi Swift Mesaji.exe
        Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000000.359661923.0000000000EB2000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameCallingConvent.exe" vs Ziraat Bankasi Swift Mesaji.exe
        Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.414265819.0000000007B70000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameIVectorView.dllN vs Ziraat Bankasi Swift Mesaji.exe
        Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.409834205.0000000004322000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameIVectorView.dllN vs Ziraat Bankasi Swift Mesaji.exe
        Source: Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.511820567.0000000001549000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCONTROL.EXEj% vs Ziraat Bankasi Swift Mesaji.exe
        Source: Ziraat Bankasi Swift Mesaji.exe, 00000002.00000000.401671865.0000000000D72000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameCallingConvent.exe" vs Ziraat Bankasi Swift Mesaji.exe
        Source: Ziraat Bankasi Swift Mesaji.exe, 00000002.00000003.406994742.000000000190D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Ziraat Bankasi Swift Mesaji.exe
        Source: Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.511857898.0000000001570000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCONTROL.EXEj% vs Ziraat Bankasi Swift Mesaji.exe
        Source: Ziraat Bankasi Swift Mesaji.exe, 00000002.00000003.404655843.000000000175D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Ziraat Bankasi Swift Mesaji.exe
        Source: Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.513084585.0000000001A9F000.00000040.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Ziraat Bankasi Swift Mesaji.exe
        Source: Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.513713382.0000000001C2F000.00000040.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Ziraat Bankasi Swift Mesaji.exe
        Source: Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.512487847.0000000001905000.00000040.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameCONTROL.EXEj% vs Ziraat Bankasi Swift Mesaji.exe
        Source: Ziraat Bankasi Swift Mesaji.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: Ziraat Bankasi Swift Mesaji.exe | ReversingLabs: Detection: 21%
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: unknown | Process created: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe "C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe"
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Process created: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe
        Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\control.exe
        Source: C:\Windows\SysWOW64\control.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe"
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\SysWOW64\control.exe | Process created: C:\Windows\explorer.exe explorer.exe
        Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{317D06E8-5F24-433D-BDF7-79CE68D8ABC2}\InProcServer32
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Ziraat Bankasi Swift Mesaji.exe.log
        Source: classification engine | Classification label: mal100.troj.evad.winEXE@8/1@2/0
        Source: C:\Windows\explorer.exe | File read: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
        Source: Ziraat Bankasi Swift Mesaji.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6152:120:WilError_01
        Source: C:\Windows\SysWOW64\control.exe | Process created: C:\Windows\explorer.exe
        Source: Window Recorder | Window detected: More than 3 window changes detected
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
        Source: Ziraat Bankasi Swift Mesaji.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: Ziraat Bankasi Swift Mesaji.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: Ziraat Bankasi Swift Mesaji.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
        Source: Binary string: control.pdb source: Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.512357918.0000000001900000.00000040.10000000.00040000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.511820567.0000000001549000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: wntdll.pdbUGP source: Ziraat Bankasi Swift Mesaji.exe, 00000002.00000003.406485483.00000000017EE000.00000004.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.513084585.0000000001A9F000.00000040.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.512556950.0000000001980000.00000040.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000003.404458480.0000000001647000.00000004.00000800.00020000.00000000.sdmp, control.exe, 0000000B.00000003.512780050.0000000004C95000.00000004.00000800.00020000.00000000.sdmp, control.exe, 0000000B.00000002.644924217.0000000004E30000.00000040.00000800.00020000.00000000.sdmp, control.exe, 0000000B.00000002.665198804.0000000004F4F000.00000040.00000800.00020000.00000000.sdmp, control.exe, 0000000B.00000003.510727580.0000000004AF3000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: wntdll.pdb source: Ziraat Bankasi Swift Mesaji.exe, 00000002.00000003.406485483.00000000017EE000.00000004.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.513084585.0000000001A9F000.00000040.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.512556950.0000000001980000.00000040.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000003.404458480.0000000001647000.00000004.00000800.00020000.00000000.sdmp, control.exe, control.exe, 0000000B.00000003.512780050.0000000004C95000.00000004.00000800.00020000.00000000.sdmp, control.exe, 0000000B.00000002.644924217.0000000004E30000.00000040.00000800.00020000.00000000.sdmp, control.exe, 0000000B.00000002.665198804.0000000004F4F000.00000040.00000800.00020000.00000000.sdmp, control.exe, 0000000B.00000003.510727580.0000000004AF3000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\FRJeWenFHc\src\obj\x86\Debug\CallingConvent.pdb source: Ziraat Bankasi Swift Mesaji.exe, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000000.401671865.0000000000D72000.00000002.00000001.01000000.00000003.sdmp, control.exe, 0000000B.00000002.666266960.000000000535F000.00000004.10000000.00040000.00000000.sdmp, explorer.exe, 00000015.00000000.615015403.00000000069EF000.00000004.80000000.00040000.00000000.sdmp
        Source: Binary string: control.pdbUGP source: Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.512357918.0000000001900000.00000040.10000000.00040000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000002.00000002.511820567.0000000001549000.00000004.00000020.00020000.00000000.sdmp
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 0_2_0322E2DB push 0000005Dh; retn 0004h
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 2_2_004168D9 push edx; ret
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 2_2_004171C1 push esi; iretd
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 2_2_004169B5 push esi; iretd
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 2_2_0041EA1A push 00000052h; ret
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 2_2_0041DBCA push dword ptr [56144B31h]; ret
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 2_2_00417C4D push ds; retf
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 2_2_0041D4F2 push eax; ret
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 2_2_0041D4FB push eax; ret
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 2_2_0041D4A5 push eax; ret
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 2_2_0041BCAE push ebx; retf
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 2_2_0041D55C push eax; ret
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 2_2_00409D2C push edi; iretd
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 2_2_00416598 push ds; iretd
        Source: C:\Windows\SysWOW64\control.exe | Code function: 11_2_04EAD0D1 push ecx; ret
        Source: C:\Windows\SysWOW64\control.exe | Code function: 11_2_00BA68D9 push edx; ret
        Source: C:\Windows\SysWOW64\control.exe | Code function: 11_2_00BA69B5 push esi; iretd
        Source: C:\Windows\SysWOW64\control.exe | Code function: 11_2_00BA71C1 push esi; iretd
        Source: C:\Windows\SysWOW64\control.exe | Code function: 11_2_00BAEA1A push 00000052h; ret
        Source: C:\Windows\SysWOW64\control.exe | Code function: 11_2_00BADBCA push dword ptr [56144B31h]; ret
        Source: C:\Windows\SysWOW64\control.exe | Code function: 11_2_00BABCAE push ebx; retf
        Source: C:\Windows\SysWOW64\control.exe | Code function: 11_2_00BAD4A5 push eax; ret
        Source: C:\Windows\SysWOW64\control.exe | Code function: 11_2_00BAD4FB push eax; ret
        Source: C:\Windows\SysWOW64\control.exe | Code function: 11_2_00BAD4F2 push eax; ret
        Source: C:\Windows\SysWOW64\control.exe | Code function: 11_2_00BA7C4D push ds; retf
        Source: C:\Windows\SysWOW64\control.exe | Code function: 11_2_00BA6598 push ds; iretd
        Source: C:\Windows\SysWOW64\control.exe | Code function: 11_2_00B99D2C push edi; iretd
        Source: C:\Windows\SysWOW64\control.exe | Code function: 11_2_00BAD55C push eax; ret
        Source: initial sample | Static PE information: section name: .text entropy: 7.74275900541

        Hooking and other Techniques for Hiding and Protection

        Source: C:\Windows\SysWOW64\control.exe | Process created: /c del "C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe"
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\control.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX

        Malware Analysis System Evasion

        Source: Yara match | File source: 00000000.00000002.409614207.00000000035C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.407668611.0000000003251000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: Ziraat Bankasi Swift Mesaji.exe PID: 6344, type: MEMORYSTR
        Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.409614207.00000000035C7000.00000004.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.407668611.0000000003251000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
        Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.409614207.00000000035C7000.00000004.00000800.00020000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.407668611.0000000003251000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | RDTSC instruction interceptor: First address: 0000000000409B6E second address: 0000000000409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
        Source: C:\Windows\SysWOW64\control.exe | RDTSC instruction interceptor: First address: 0000000000B99904 second address: 0000000000B9990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
        Source: C:\Windows\SysWOW64\control.exe | RDTSC instruction interceptor: First address: 0000000000B99B6E second address: 0000000000B99B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 6424 | Thread sleep time: -43731s >= -30000s
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe TID: 6180 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\explorer.exe | Last function: Thread delayed
        Source: C:\Windows\SysWOW64\control.exe | Last function: Thread delayed
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Code function: 2_2_00409AA0 rdtsc
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Process information queried: ProcessInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe | Thread delayed: delay time: 43731
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeThread delayed: delay time: 922337203685477
        Source: explorer.exe, 00000004.00000000.467434177.0000000006389000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
        Source: explorer.exe, 00000015.00000000.611695006.00000000060F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:
        Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.407668611.0000000003251000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
        Source: explorer.exe, 00000004.00000000.472575552.0000000007C29000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}i
        Source: explorer.exe, 00000015.00000003.624832431.00000000061F9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
        Source: explorer.exe, 00000004.00000000.472575552.0000000007C29000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
        Source: explorer.exe, 00000015.00000002.666439896.00000000061F9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWte%SystemRoot%\system32\mswsock.dll6PROCESSOR_REVISION=5507ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows
        Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.407668611.0000000003251000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware
        Source: explorer.exe, 00000004.00000000.444306306.0000000004150000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}:
        Source: explorer.exe, 00000004.00000000.472575552.0000000007C29000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}i&
        Source: explorer.exe, 00000004.00000000.472836099.0000000007D2A000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
        Source: explorer.exe, 00000004.00000000.472575552.0000000007C29000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware SATA CD00Iy
        Source: explorer.exe, 00000015.00000000.605923799.0000000000A7E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000c
        Source: explorer.exe, 00000015.00000000.605698579.0000000000A68000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}.{
        Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.407668611.0000000003251000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware SVGA II
        Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.414265819.0000000007B70000.00000004.08000000.00040000.00000000.sdmp, Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.409834205.0000000004322000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: xLfkRqemuCj72yuiGNb
        Source: explorer.exe, 00000004.00000000.426944558.0000000007DC1000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}osoft S
        Source: explorer.exe, 00000004.00000000.426543032.0000000007CC2000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000v
        Source: Ziraat Bankasi Swift Mesaji.exe, 00000000.00000002.407668611.0000000003251000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeCode function: 2_2_00409AA0 rdtsc
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeProcess token adjusted: Debug
        Source: C:\Windows\SysWOW64\control.exeProcess token adjusted: Debug
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04F114FB mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04ED6CF0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04ED6CF0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04ED6CF0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04F28CD6 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04EEB8D0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04EEB8D0 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04EEB8D0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04EEB8D0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04EEB8D0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04EEB8D0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E990AF mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E8F0BF mov ecx, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E8F0BF mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E8F0BF mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E59080 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04ED3884 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04ED3884 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E6849B mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04F12073 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04F21074 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E7746D mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E8A44B mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E70050 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E70050 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04EEC450 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04EEC450 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E8BC2C mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E8002D mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E8002D mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E8002D mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E8002D mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E8002D mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E6B02A mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E6B02A mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E6B02A mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E6B02A mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04F24015 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04F24015 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04ED6C0A mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04ED6C0A mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04ED6C0A mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04ED6C0A mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04F11C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04F11C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04F11C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04F11C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04F11C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04F11C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04F11C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04F11C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04F11C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04F11C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04F11C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04F11C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04F11C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04F11C06 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04ED7016 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04ED7016 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04ED7016 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04F2740D mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04F2740D mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04F2740D mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04F08DF1 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E5B1E1 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E5B1E1 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E5B1E1 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04EE41E8 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E6D5E0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E6D5E0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E861A0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E861A0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E835A1 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04ED69A6 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04ED51BE mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04ED51BE mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04ED51BE mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04ED51BE mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E81DB5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E81DB5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E81DB5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E7C182 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E82581 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E82581 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E82581 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E82581 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E8A185 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E52D8A mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E52D8A mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E52D8A mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E52D8A mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E52D8A mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E8FD9B mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E8FD9B mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E82990 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E5C962 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E7C577 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E7C577 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E5B171 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E5B171 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E7B944 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E7B944 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E93D43 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04ED3540 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E77D50 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04F28D34 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E74120 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E74120 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E74120 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E74120 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E74120 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E8513A mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E8513A mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E63D34 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E63D34 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E63D34 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E63D34 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E63D34 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E63D34 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E63D34 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E63D34 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E63D34 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E63D34 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E63D34 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E63D34 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E63D34 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E84D3B mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E84D3B mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E84D3B mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E5AD30 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04EDA537 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E59100 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E59100 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E59100 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E676E2 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E816E0 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E82AE4 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E82ACB mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04F28ED6 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E836CC mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E98EC7 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04F0FEC0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E552A5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E552A5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E552A5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E552A5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E552A5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04ED46A7 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E6AAB0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E6AAB0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04F20EA5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04F20EA5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04F20EA5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E8FAB0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04EEFE87 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E8D294 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E8D294 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E6766D mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04F0B260 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04F0B260 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04F28A62 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E9927A mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E7AE73 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E7AE73 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E7AE73 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E7AE73 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E7AE73 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E59240 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E59240 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E59240 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E59240 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E67E41 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E67E41 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E67E41 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E67E41 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E67E41 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E67E41 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04EE4257 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E5E620 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04F0FE3F mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E5C600 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E5C600 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E5C600 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E88E00 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E68A0A mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E5AA16 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E5AA16 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E8A61C mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E8A61C mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E73A1C mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E803E2 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E803E2 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E803E2 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E803E2 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E803E2 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E803E2 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E937F5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04ED53CA mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04ED53CA mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04F25BA5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E61B8F mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E61B8F mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04F0D380 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E68794 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04E8B390 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exeCode function: 11_2_04ED7794 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 11_2_04ED7794 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 11_2_04ED7794 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 11_2_04F1138A mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 11_2_04E82397 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 11_2_04E5DB60 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 11_2_04E6FF60 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 11_2_04E83B7A mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 11_2_04E83B7A mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 11_2_04F28F6A mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 11_2_04E5DB40 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 11_2_04E6EF40 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 11_2_04F28B58 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 11_2_04E5F358 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 11_2_04E54F2E mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 11_2_04E54F2E mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 11_2_04E8E730 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 11_2_04E8A70E mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 11_2_04E8A70E mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 11_2_04F1131B mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 11_2_04E7F716 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 11_2_04EEFF10 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 11_2_04EEFF10 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 11_2_04F2070D mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe Code function: 11_2_04F2070D mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Process queried: DebugPort
        Source: C:\Windows\SysWOW64\control.exe Process queried: DebugPort
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Code function: 2_2_0040ACE0 LdrLoadDll,
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Memory allocated: page read and write | page guard
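The fs:[30h] reads listed above are the 32-bit way to reach the PEB (TEB+0x30); the two "Process queried: DebugPort" lines are the companion check through NtQueryInformationProcess(ProcessDebugPort), and the PAGE_GUARD allocation is a common tell for single-step or breakpoint detection, although guard pages also have benign uses. A bare PEB read is weak evidence on its own, since runtime and loader code reads the PEB too; what matters is the field the pointer is used for next. The Python below is an added example, not code from the report or from the analysed sample: it scans raw x86 bytes for both encodings of mov r32, fs:[30h], prints them in the report's own "Code function" format, and names the PEB field read afterwards (BeingDebugged at +0x02, Ldr at +0x0C, NtGlobalFlag at +0x68). SAMPLE is a constructed byte string, and the process name and 11_2_ prefix in render() are labels copied from the report's style, not data from the sample.

```python
"""Static scan for 32-bit PEB reads ("mov r32, dword ptr fs:[30h]").

Added example, not code from the Joe Sandbox report or from the analysed
sample: it re-creates the "Code function: ... mov eax, dword ptr
fs:[00000030h]" lines above from raw code bytes and then checks which PEB
field the pointer is used for. SAMPLE is a constructed byte string.
"""
import struct
from collections import namedtuple

PebRead = namedtuple("PebRead", "addr reg field")

# 32-bit process: FS -> TEB, and TEB+0x30 holds the PEB pointer. fs:[18h]
# (TEB self pointer) and fs:[0] (SEH chain) are not PEB reads.
PEB_TEB_OFFSET = 0x30

# Register encoded in the ModRM reg field (and in rm for the follow-up).
REG_NAMES = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# 32-bit PEB fields typically read right after fs:[30h]: disp8 -> name.
PEB_FIELDS = {0x02: "BeingDebugged", 0x0C: "Ldr", 0x68: "NtGlobalFlag"}

FOLLOW_WINDOW = 16   # bytes after the PEB read searched for a [reg+disp8] use


def _peb_field_used(code, start, reg_idx):
    """Heuristic: find a [reg+disp8] operand (ModRM mod=01, rm=reg) within
    FOLLOW_WINDOW bytes and name the PEB field. rm=100 (esp) needs a SIB
    byte and is skipped; a stray byte pair can produce a false match."""
    if reg_idx == 4:
        return "unknown"
    want = 0x40 | reg_idx
    end = min(len(code) - 1, start + FOLLOW_WINDOW)
    for i in range(start, end):
        if (code[i] & 0xC7) == want and code[i + 1] in PEB_FIELDS:
            return PEB_FIELDS[code[i + 1]]
    return "unknown"


def find_peb_reads(code, base=0):
    """Return a PebRead for every fs:[30h] read in code (base = load address).

    Two encodings produce the same instruction:
      64 A1 <disp32>       mov eax, fs:[disp32]   (moffs32 form, eax only)
      64 8B /r <disp32>    mov r32, fs:[disp32]   (ModRM mod=00, rm=101)
    """
    hits, i, n = [], 0, len(code)
    while i < n:
        if code[i] != 0x64:                         # FS segment-override prefix
            i += 1
            continue
        if i + 6 <= n and code[i + 1] == 0xA1:
            reg_idx, disp_at, length = 0, i + 2, 6
        elif i + 7 <= n and code[i + 1] == 0x8B and (code[i + 2] & 0xC7) == 0x05:
            reg_idx, disp_at, length = (code[i + 2] >> 3) & 7, i + 3, 7
        else:
            i += 1
            continue
        disp = struct.unpack_from("<I", code, disp_at)[0]
        if disp == PEB_TEB_OFFSET:
            field = _peb_field_used(code, i + length, reg_idx)
            hits.append(PebRead(base + i, REG_NAMES[reg_idx], field))
        i += length
    return hits


def render(hits, process="control.exe", proc_no=11, phase=2):
    """Format hits the way the report prints them; the "(PEB field: ...)"
    suffix is this example's addition, the report does not show it."""
    return [f"Source: {process} Code function: {proc_no}_{phase}_{h.addr:08X} "
            f"mov {h.reg}, dword ptr fs:[{PEB_TEB_OFFSET:08X}h] (PEB field: {h.field})"
            for h in hits]


# Constructed x86 fragment (not bytes from the sample): a BeingDebugged
# check, a PEB->Ldr walk, and a TEB read that must not be reported.
SAMPLE = bytes.fromhex(
    "55 8B EC"               # push ebp; mov ebp, esp
    "64 A1 30 00 00 00"      # mov eax, dword ptr fs:[30h]
    "0F B6 40 02"            # movzx eax, byte ptr [eax+2]     PEB.BeingDebugged
    "85 C0 75 05"            # test eax, eax; jnz debugged
    "64 8B 0D 30 00 00 00"   # mov ecx, dword ptr fs:[30h]
    "8B 49 0C"               # mov ecx, [ecx+0Ch]              PEB.Ldr
    "64 A1 18 00 00 00"      # mov eax, dword ptr fs:[18h]     TEB self, ignored
    "C3"                     # ret
)

if __name__ == "__main__":
    for line in render(find_peb_reads(SAMPLE, base=0x401000)):
        print(line)
```

Run it over a dumped code section with the dump's base address to get output in the same shape as the lines above; hits whose field stays "unknown" deserve a look in a disassembler before being counted as anti-debug checks.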

        HIPS / PFW / Operating System Protection Evasion

        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Section unmapped: C:\Windows\SysWOW64\control.exe base address: DF0000
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Section loaded: unknown target: C:\Windows\SysWOW64\control.exe protection: execute and read and write
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Section loaded: unknown target: C:\Windows\SysWOW64\control.exe protection: execute and read and write
        Source: C:\Windows\SysWOW64\control.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
        Source: C:\Windows\SysWOW64\control.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
        Source: C:\Windows\SysWOW64\control.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Memory written: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe base: 400000 value starts with: 4D5A
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread APC queued: target process: C:\Windows\explorer.exe
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread register set: target process: 3808
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread register set: target process: 3808
        Source: C:\Windows\SysWOW64\control.exe Thread register set: target process: 3808
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Process created: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe
        Source: C:\Windows\SysWOW64\control.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe"
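Read together, the lines above describe the sample's injection chain: the dropper re-executes its own image and writes a PE (4D5A) at base 400000 of a process with its own image path, unmaps control.exe's image at DF0000, maps execute/read/write sections into control.exe and explorer.exe, queues an APC into explorer.exe and rewrites a thread context ("Thread register set", i.e. SetThreadContext) so the mapped code runs; the injected control.exe then removes the original file with cmd /c del. The Python below is an added example, not code from the report: a parser for these behaviour lines that rebuilds that chain per source process and names the technique each combination implies. LINES is a constructed copy of the page's lines; the report's "Thread register set" lines carry only a PID (3808), so the example treats any context rewrite by the source as the resume step rather than tying it to a target path, which would need the process tree.

```python
"""Reconstruct the injection chain from Joe Sandbox behaviour lines.

Added example, not code from the report: a parser that turns the "Section
unmapped / Section loaded / Memory written / Thread APC queued / Thread
register set / Process created" lines above into per-process findings
(process hollowing, APC injection, self re-execution, deletion of the
dropper). LINES is a constructed copy of the page's lines; the regex also
accepts the fused "...exeSection unmapped:" form the page extraction left.
"""
import re
from collections import defaultdict

SIGS = ("Section unmapped", "Section loaded", "Memory written",
        "Thread APC queued", "Thread register set", "Process created")
LINE_RE = re.compile(r"^\s*Source: (?P<src>.+?)\s*(?P<sig>"
                     + "|".join(SIGS) + r"): (?P<rest>.*)$")
LOADED_RE = re.compile(r"unknown target: (.+?) protection: (.+)$")
MZ_RE = re.compile(r"(.+?) base: [0-9A-Fa-f]+ value starts with: 4D5A")
DEL_RE = re.compile(r'cmd\.exe\s+/c\s+del\s+"?(?P<path>[^"]+)"?', re.IGNORECASE)
RWX = "execute and read and write"
TARGET = "target process: "


def parse(lines):
    """Yield (source, signature, detail) for lines in the report's format."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.group("src"), m.group("sig"), m.group("rest")


def assess(lines):
    """Return {source process: sorted findings} for the injection chain."""
    ev = defaultdict(lambda: defaultdict(set))      # src -> kind -> targets
    for src, sig, rest in parse(lines):
        if sig == "Section unmapped":               # NtUnmapViewOfSection
            ev[src]["unmap"].add(rest.split(" base address:")[0])
        elif sig == "Section loaded":               # NtMapViewOfSection
            m = LOADED_RE.match(rest)
            if m and m.group(2) == RWX:
                ev[src]["rwx"].add(m.group(1))
        elif sig == "Memory written":               # WriteProcessMemory of a PE
            m = MZ_RE.match(rest)
            if m:
                ev[src]["mz"].add(m.group(1))
        elif sig == "Thread APC queued":            # NtQueueApcThread
            ev[src]["apc"].add(rest.replace(TARGET, ""))
        elif sig == "Thread register set":          # SetThreadContext
            ev[src]["ctx"].add(rest.replace(TARGET, ""))
        elif sig == "Process created":
            m = DEL_RE.search(rest)
            if m:
                ev[src]["del"].add(m.group("path"))
            elif rest.startswith(src):              # child with its own image
                ev[src]["self_spawn"].add(src)

    findings = {}
    for src, k in ev.items():
        out, covered = [], set()
        # Hollowing: unmap the target image, map RWX sections in, then
        # rewrite a thread context so the new entry point runs.
        for t in k["unmap"]:
            if t in k["rwx"] and k["ctx"]:
                out.append(f"process hollowing: {src} -> {t}")
                covered.add(t)
        for t in k["apc"]:
            if t in k["rwx"]:
                out.append(f"APC injection: {src} -> {t}")
                covered.add(t)
        for t in k["rwx"] - covered:
            out.append(f"RWX section mapped into {t} (not tied to an unmap or APC)")
        for t in k["mz"]:
            if t == src:
                out.append("PE written at the image base of a process with its own "
                           "image path (hollowed self-spawned child or in-memory unpack)")
            else:
                out.append(f"PE written into {t}")
        if k["self_spawn"]:
            out.append("re-executes its own image")
        for p in k["del"]:
            out.append(f"deletes the original sample via cmd /c del: {p}")
        findings[src] = sorted(out)
    return findings


# Constructed copy of the report lines above (a space added after the source).
LINES = [
    r"Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Section unmapped: C:\Windows\SysWOW64\control.exe base address: DF0000",
    r"Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write",
    r"Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Section loaded: unknown target: C:\Windows\SysWOW64\control.exe protection: execute and read and write",
    r"Source: C:\Windows\SysWOW64\control.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write",
    r"Source: C:\Windows\SysWOW64\control.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write",
    r"Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Memory written: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe base: 400000 value starts with: 4D5A",
    r"Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread APC queued: target process: C:\Windows\explorer.exe",
    r"Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Thread register set: target process: 3808",
    r"Source: C:\Windows\SysWOW64\control.exe Thread register set: target process: 3808",
    r"Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Process created: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe",
    r'Source: C:\Windows\SysWOW64\control.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe"',
]

if __name__ == "__main__":
    for src, items in assess(LINES).items():
        print(src)
        for item in items:
            print("  -", item)
```

The unmap, RWX map and context rewrite are each individually explainable (loaders and debuggers do all three), so the example only calls hollowing when the same source process does all of them against one target; the "PE written at the image base" finding is kept separate because the report's path-only naming cannot tell a hollowed child from the parent unpacking into itself.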
        Source: explorer.exe, 00000004.00000000.410648421.0000000000D00000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.442349668.0000000000D00000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.498725435.0000000000D00000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program ManagerG
        Source: explorer.exe, 00000015.00000002.630848927.0000000000A7E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000000.605923799.0000000000A7E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Progman.
        Source: explorer.exe, 00000004.00000000.410648421.0000000000D00000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.442349668.0000000000D00000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.426299406.0000000007C08000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
        Source: explorer.exe, 00000004.00000000.410648421.0000000000D00000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.442349668.0000000000D00000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.498725435.0000000000D00000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
        Source: explorer.exe, 00000004.00000000.410648421.0000000000D00000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.442349668.0000000000D00000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.498725435.0000000000D00000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
        Source: explorer.exe, 00000015.00000003.604906517.0000000004639000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000002.665124479.0000000004639000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000015.00000000.610052116.0000000004639000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd(T'
        Source: explorer.exe, 00000004.00000000.498187251.0000000000628000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.410150061.0000000000628000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.441801892.0000000000628000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ProgmanPV*
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
        Source: C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match | File source: 0.2.Ziraat Bankasi Swift Mesaji.exe.44bbf10.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.Ziraat Bankasi Swift Mesaji.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Ziraat Bankasi Swift Mesaji.exe.44eb6c0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.Ziraat Bankasi Swift Mesaji.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.Ziraat Bankasi Swift Mesaji.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.Ziraat Bankasi Swift Mesaji.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.Ziraat Bankasi Swift Mesaji.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Ziraat Bankasi Swift Mesaji.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Ziraat Bankasi Swift Mesaji.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Ziraat Bankasi Swift Mesaji.exe.43221b0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000000.403126818.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.632202833.0000000000B90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.455844055.000000000DE2E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.404005637.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.476604607.000000000DE2E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.511417797.00000000014C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.511211883.0000000001380000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.633141128.0000000003390000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.409834205.0000000004322000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.634227955.0000000004AF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.510795876.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match | File source: 0.2.Ziraat Bankasi Swift Mesaji.exe.44bbf10.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.Ziraat Bankasi Swift Mesaji.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Ziraat Bankasi Swift Mesaji.exe.44eb6c0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.Ziraat Bankasi Swift Mesaji.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.Ziraat Bankasi Swift Mesaji.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.Ziraat Bankasi Swift Mesaji.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.Ziraat Bankasi Swift Mesaji.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Ziraat Bankasi Swift Mesaji.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Ziraat Bankasi Swift Mesaji.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Ziraat Bankasi Swift Mesaji.exe.43221b0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000000.403126818.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.632202833.0000000000B90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.455844055.000000000DE2E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.404005637.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.476604607.000000000DE2E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.511417797.00000000014C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.511211883.0000000001380000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.633141128.0000000003390000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.409834205.0000000004322000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.634227955.0000000004AF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.510795876.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
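The two Yara lists above (Stealing of Sensitive Information and Remote Access Functionality) name the same memory dumps and unpacked PEs, but the identifiers have to be decoded before they say anything about where the payload sits. The following is an added example, not part of the Joe Sandbox report and not Joe Sandbox tooling: a small Python parser for the two identifier forms, run over the identifiers copied from the lists above (constructed input). The field layout it assumes (process index, dump stage, sequence number, base address, PAGE_* protection, an opaque field, MEM_* region type, another opaque field for .sdmp names; process index, stage, image name, base address, dump index and optional "raw" for .unpack names) is my reading of the naming scheme and is not documented on this page; the two opaque fields are kept as hex without interpretation. Under that reading, the FormBook-matching code sits in PAGE_EXECUTE_READWRITE memory that is not a loaded image: at 0x400000 of process 2 (the hollowed second instance of the sample) and in mapped RWX regions of processes 2, 4 and 11, which lines up with the hollowing and "Maps a DLL or memory area into another process" signatures.

```python
"""Decode Joe Sandbox Yara-match source identifiers and summarise which
process index and memory region carries the match.

Assumed identifier layouts (inferred from the report, not documented):
  memory dump : <proc>.<stage>.<seq>.<base>.<protect>.<f6>.<region type>.<f8>.sdmp
  unpacked PE : <proc>.<stage>.<image name>.<base>.<index>[.raw].unpack
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed input: identifiers copied from the report's two Yara match lists.
SAMPLE_SOURCES = [
    "0.2.Ziraat Bankasi Swift Mesaji.exe.44bbf10.6.raw.unpack, type: UNPACKEDPE",
    "2.0.Ziraat Bankasi Swift Mesaji.exe.400000.4.unpack, type: UNPACKEDPE",
    "2.2.Ziraat Bankasi Swift Mesaji.exe.400000.0.unpack, type: UNPACKEDPE",
    "0.2.Ziraat Bankasi Swift Mesaji.exe.43221b0.7.raw.unpack, type: UNPACKEDPE",
    "00000002.00000000.403126818.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY",
    "0000000B.00000002.632202833.0000000000B90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY",
    "00000004.00000000.455844055.000000000DE2E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY",
    "00000002.00000000.404005637.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY",
    "00000004.00000000.476604607.000000000DE2E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY",
    "00000002.00000002.511417797.00000000014C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY",
    "00000002.00000002.511211883.0000000001380000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY",
    "0000000B.00000002.633141128.0000000003390000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY",
    "00000000.00000002.409834205.0000000004322000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY",
    "0000000B.00000002.634227955.0000000004AF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY",
    "00000002.00000002.510795876.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY",
]

# winnt.h PAGE_* values for the <protect> field (assumed meaning of that field).
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
# winnt.h MEM_* values for the <region type> field (assumed meaning of that field).
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

HEX8 = r"[0-9A-Fa-f]{8}"
SDMP_RE = re.compile(
    rf"^(?P<proc>{HEX8})\.(?P<stage>{HEX8})\.(?P<seq>\d+)\.(?P<base>[0-9A-Fa-f]{{16}})"
    rf"\.(?P<prot>{HEX8})\.(?P<f6>{HEX8})\.(?P<mtype>{HEX8})\.(?P<f8>{HEX8})\.sdmp$"
)
# The image name may itself contain dots, so it is matched non-greedily and the
# trailing <base>.<index>[.raw].unpack anchors the end.
UNPACK_RE = re.compile(
    r"^(?P<proc>\d+)\.(?P<stage>\d+)\.(?P<image>.+?)\.(?P<base>[0-9A-Fa-f]+)"
    r"\.(?P<index>\d+)\.(?P<raw>raw\.)?unpack$"
)


@dataclass(frozen=True)
class MatchSource:
    kind: str                    # "MEMORY" or "UNPACKEDPE"
    process: int                 # Joe Sandbox process index (0 = first process of the sample)
    stage: int                   # dump stage as given in the name (0 or 2 in this report)
    base: int                    # region or image base address
    protection: Optional[str]    # PAGE_* name; memory dumps only
    region_type: Optional[str]   # MEM_* name; memory dumps only
    image: Optional[str] = None  # image name; unpacked PEs only
    raw: bool = False            # True for ".raw.unpack" identifiers


def parse_source(line: str) -> MatchSource:
    """Parse one 'File source: ...' value; raises ValueError on an unknown form."""
    ident, _, kind = line.strip().partition(", type: ")
    ident = ident.strip()
    kind = kind.strip() or ("MEMORY" if ident.endswith(".sdmp") else "UNPACKEDPE")
    m = SDMP_RE.match(ident)
    if m:
        prot, mtype = int(m["prot"], 16), int(m["mtype"], 16)
        return MatchSource(kind=kind, process=int(m["proc"], 16), stage=int(m["stage"], 16),
                           base=int(m["base"], 16),
                           protection=PAGE_PROTECTION.get(prot, hex(prot)),
                           region_type=MEM_TYPE.get(mtype, hex(mtype)))
    m = UNPACK_RE.match(ident)
    if m:
        return MatchSource(kind=kind, process=int(m["proc"]), stage=int(m["stage"]),
                           base=int(m["base"], 16), protection=None, region_type=None,
                           image=m["image"], raw=m["raw"] is not None)
    raise ValueError(f"unrecognised Joe Sandbox source identifier: {ident!r}")


def processes_with_match(lines: List[str]) -> List[int]:
    """Distinct process indices whose memory or unpacked PE matched the rule."""
    return sorted({parse_source(l).process for l in lines})


def rwx_non_image_regions(lines: List[str]) -> List[Tuple[int, int]]:
    """(process, base) for dumps that are PAGE_EXECUTE_READWRITE and not MEM_IMAGE:
    writable, executable memory that is not a legitimately loaded module, which is
    where hollowed or injected code lives."""
    hits = set()
    for l in lines:
        s = parse_source(l)
        if s.kind == "MEMORY" and s.protection == "PAGE_EXECUTE_READWRITE" and s.region_type != "MEM_IMAGE":
            hits.add((s.process, s.base))
    return sorted(hits)


def summary(lines: List[str]) -> Dict[int, List[str]]:
    """One descriptive line per match, grouped by process index."""
    out: Dict[int, List[str]] = {}
    for l in lines:
        s = parse_source(l)
        if s.kind == "MEMORY":
            desc = f"stage {s.stage}: 0x{s.base:X} {s.protection} {s.region_type}"
        else:
            desc = f"stage {s.stage}: 0x{s.base:X} unpacked PE from {s.image} ({'raw' if s.raw else 'mapped'})"
        out.setdefault(s.process, []).append(desc)
    return out


if __name__ == "__main__":
    for proc, items in sorted(summary(SAMPLE_SOURCES).items()):
        print(f"process {proc}:")
        for item in items:
            print("   ", item)
    print("RWX non-image regions:", [(p, hex(b)) for p, b in rwx_non_image_regions(SAMPLE_SOURCES)])
```

Feed it the "File source" values of any Joe Sandbox Yara section and compare the RWX non-image regions against the report's injection signatures; a PE-matching dump in MEM_IMAGE memory at a module's real base would instead point at an on-disk component worth pulling.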
MITRE ATT&CK Matrix (flattened; techniques are listed per tactic. A number in parentheses is the report's signature-count badge for that technique, reproduced exactly as extracted, e.g. 512 or 221, since the extraction ran the badge digits together; techniques without a number are unmatched template entries.)

Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise
Execution: Shared Modules (1), Scheduled Task/Job, At (Linux), At (Windows), Cron, Launchd, Scheduled Task, Command and Scripting Interpreter
Persistence: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job
Privilege Escalation: Process Injection (512), Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job
Defense Evasion: Masquerading (1), Disable or Modify Tools (1), Virtualization/Sandbox Evasion (31), Process Injection (512), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (3), Software Packing (3), File Deletion (1)
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem
Discovery: Security Software Discovery (221), Process Discovery (2), Virtualization/Sandbox Evasion (31), File and Directory Discovery (1), System Information Discovery (112), System Owner/User Discovery, Network Sniffing, Network Service Scanning
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Shared Webroot
Collection: Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Command and Control: Encrypted Channel (1), Non-Application Layer Protocol (1), Application Layer Protocol (11), Protocol Impersonation, Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points, Downgrade to Insecure Protocols
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
Impact: Modify System Partition, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact, Generate Fraudulent Advertising Revenue

        Legend:

        • Process
        • Signature
        • Created File
        • DNS/IP Info
        • Is Dropped
        • Is Windows Process
        • Number of created Registry Values
        • Number of created Files
        • Visual Basic
        • Delphi
        • Java
        • .Net C# or VB.NET
        • C, C++ or other language
        • Is malicious
        • Internet
Behavior Graph (ID: 635281; sample: Ziraat Bankasi Swift Mesaji.exe; start date: 27/05/2022; architecture: WINDOWS; score: 100)

DNS/IP info: www.wwohead.com, www.gabimejia.com
Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 6 other signatures

Process tree (bracketed numbers are the graph's node IDs; a trailing count is the created-files/registry-values number shown on that node):
• [11] Ziraat Bankasi Swift Mesaji.exe (started, 3)
    dropped: C:\...\Ziraat Bankasi Swift Mesaji.exe.log (ASCII)
    signatures: Injects a PE file into a foreign processes
  • [15] Ziraat Bankasi Swift Mesaji.exe (started)
      signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
    • [18] explorer.exe (injected)
      • [20] control.exe (started)
          signatures: Self deletion via cmd or bat file; Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
        • [23] cmd.exe (started, 1)
          • [27] conhost.exe (started)
        • [25] explorer.exe (started, 120)

Initial sample:
Source | Detection | Scanner | Label | Link
Ziraat Bankasi Swift Mesaji.exe | 22% | ReversingLabs | ByteCode-MSIL.Spyware.Negasteal |

Dropped files: No Antivirus matches

Unpacked PE files:
Source | Detection | Scanner | Label | Link | Download
2.0.Ziraat Bankasi Swift Mesaji.exe.400000.4.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen | | Download File
2.0.Ziraat Bankasi Swift Mesaji.exe.400000.6.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen | | Download File
2.0.Ziraat Bankasi Swift Mesaji.exe.400000.8.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen | | Download File
2.2.Ziraat Bankasi Swift Mesaji.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen | | Download File

Domains:
Source | Detection | Scanner | Label | Link
dual-a-0001.dc-msedge.net | 0% | Virustotal | | Browse
Contacted domains:
Name | IP | Active | Malicious | Antivirus Detection | Reputation
dual-a-0001.dc-msedge.net | 131.253.33.200 | true | false | | unknown
www.gabimejia.com | 104.140.60.254 | true | false | | unknown
www.wwohead.com | 172.252.94.104 | true | true | | unknown

Contacted URLs:
Name | Malicious | Antivirus Detection | Reputation
www.wwohead.com/ah6m/ | true | Avira URL Cloud: malware | low
                                    No contacted IP infos
                                    Joe Sandbox Version:34.0.0 Boulder Opal
                                    Analysis ID:635281
                                    Start date and time: 27/05/202218:22:082022-05-27 18:22:08 +02:00
                                    Joe Sandbox Product:CloudBasic
                                    Overall analysis duration:0h 13m 29s
                                    Hypervisor based Inspection enabled:false
                                    Report type:light
                                    Sample file name:Ziraat Bankasi Swift Mesaji.exe
                                    Cookbook file name:default.jbs
                                    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                    Number of analysed new started processes analysed:23
                                    Number of new started drivers analysed:0
                                    Number of existing processes analysed:0
                                    Number of existing drivers analysed:0
                                    Number of injected processes analysed:1
                                    Technologies:
                                    • HCA enabled
                                    • EGA enabled
                                    • HDC enabled
                                    • AMSI enabled
                                    Analysis Mode:default
                                    Analysis stop reason:Timeout
                                    Detection:MAL
                                    Classification:mal100.troj.evad.winEXE@8/1@2/0
                                    EGA Information:
                                    • Successful, ratio: 100%
                                    HDC Information:
                                    • Successful, ratio: 60.9% (good quality ratio 54.3%)
                                    • Quality average: 69.5%
                                    • Quality standard deviation: 32.9%
                                    HCA Information:
                                    • Successful, ratio: 100%
                                    • Number of executed functions: 0
                                    • Number of non-executed functions: 0
                                    Cookbook Comments:
                                    • Found application associated with file extension: .exe
                                    • Adjust boot time
                                    • Enable AMSI
                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, SearchUI.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, ShellExperienceHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
                                    • Excluded IPs from analysis (whitelisted): 20.54.89.106, 40.125.122.176, 52.152.110.14, 20.223.24.244
                                    • Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.useroor.bigcatalog.commerce.microsoft.com, settings-win.data.microsoft.com, arc.msn.com, a-0001.a-afdentry.net.trafficmanager.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, glb.sls.prod.dcat.dsp.trafficmanager.net
                                    • Not all processes were analyzed, report is missing behavior information
                                    • Report size exceeded maximum capacity and may have missing behavior information.
                                    • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                    Time | Type | Description
                                    18:23:37 | API Interceptor | 2x Sleep call for process: Ziraat Bankasi Swift Mesaji.exe modified
                                    18:25:16 | API Interceptor | 44x Sleep call for process: explorer.exe modified
                                    No context
                                    Process:C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe
                                    File Type:ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):1308
                                    Entropy (8bit):5.345811588615766
                                    Encrypted:false
                                    SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84FsXE8:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzu
                                    MD5:2E016B886BDB8389D2DD0867BE55F87B
                                    SHA1:25D28EF2ACBB41764571E06E11BF4C05DD0E2F8B
                                    SHA-256:1D037CF00A8849E6866603297F85D3DABE09535E72EDD2636FB7D0F6C7DA3427
                                    SHA-512:C100729153954328AA2A77EECB2A3CBD03CB7E8E23D736000F890B17AAA50BA87745E30FB9E2B0D61E16DCA45694C79B4CE09B9F4475220BEB38CAEA546CFC2A
                                    Malicious:true
                                    Reputation:high, very likely benign file
                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Entropy (8bit):7.744489165365895
                                    TrID:
                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                    • Win32 Executable (generic) a (10002005/4) 49.75%
                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                    • Windows Screen Saver (13104/52) 0.07%
                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                    File name:Ziraat Bankasi Swift Mesaji.exe
                                    File size:716288
                                    MD5:d891e26c0707977398e963d6076eeae1
                                    SHA1:039457a2c4d73c24ef410a7665a04e9d456019e7
                                    SHA256:2979a77144d0df70f4dff084420d8e034eb6f751027fa44d158de924960f2a6a
                                    SHA512:f75a0274621ee095f30d01b83a0d07d02974e6876384f4a99d1d818862d09781e600352479fc845a7c3e2cd885ac344d58742dd9b44e322966d710a59188740b
                                    SSDEEP:12288:O092x9bHoAUOvqVpleUE0q8cf7qb4dHDn8LaRASedck6Q:nUfbHodlC0qj7qcdHDn8La+SCchQ
                                    TLSH:4EE4F10072F81B22E2BA67FE6578A18403B67D946520E34E5DC278DB3B71F918E45F1B
                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....y.b..............0......Z........... ........@.. .......................@............@................................
                                    Icon Hash:4462f276dcec30e6
                                    Entrypoint:0x4ab1da
                                    Entrypoint Section:.text
                                    Digitally signed:false
                                    Imagebase:0x400000
                                    Subsystem:windows gui
                                    Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                    DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                    Time Stamp:0x629079C1 [Fri May 27 07:12:01 2022 UTC]
                                    TLS Callbacks:
                                    CLR (.Net) Version:v4.0.30319
                                    OS Version Major:4
                                    OS Version Minor:0
                                    File Version Major:4
                                    File Version Minor:0
                                    Subsystem Version Major:4
                                    Subsystem Version Minor:0
                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                    Instruction
                                    jmp dword ptr [00402000h]
                                    Name | Virtual Address | Virtual Size | Is in Section
                                    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_IMPORT | 0xab188 | 0x4f | .text
                                    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xac000 | 0x57cc | .rsrc
                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xb2000 | 0xc | .reloc
                                    IMAGE_DIRECTORY_ENTRY_DEBUG | 0xab050 | 0x1c | .text
                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                    Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                    .text | 0x2000 | 0xa91e0 | 0xa9200 | False | 0.860052025591 | data | 7.74275900541 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                    .rsrc | 0xac000 | 0x57cc | 0x5800 | False | 0.964577414773 | data | 7.89168206066 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                    .reloc | 0xb2000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                    Name | RVA | Size | Type | Language | Country
                                    RT_ICON | 0xac100 | 0x51a3 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | |
                                    RT_GROUP_ICON | 0xb12b4 | 0x14 | data | |
                                    RT_VERSION | 0xb12d8 | 0x2f4 | data | |
                                    RT_MANIFEST | 0xb15dc | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |
                                    DLL | Import
                                    mscoree.dll | _CorExeMain
                                    Description | Data
                                    Translation | 0x0000 0x04b0
                                    LegalCopyright |
                                    Assembly Version | 1.0.0.0
                                    InternalName | CallingConvent.exe
                                    FileVersion | 1.0.0.0
                                    CompanyName |
                                    LegalTrademarks |
                                    Comments |
                                    ProductName |
                                    ProductVersion | 1.0.0.0
                                    FileDescription |
                                    OriginalFilename | CallingConvent.exe
                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                    May 27, 2022 18:25:36.139713049 CEST | 62843 | 53 | 192.168.2.7 | 8.8.8.8
                                    May 27, 2022 18:25:36.309185982 CEST | 53 | 62843 | 8.8.8.8 | 192.168.2.7
                                    May 27, 2022 18:25:53.158830881 CEST | 49495 | 53 | 192.168.2.7 | 8.8.8.8
                                    May 27, 2022 18:25:53.581492901 CEST | 53 | 49495 | 8.8.8.8 | 192.168.2.7
                                    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                    May 27, 2022 18:25:36.139713049 CEST | 192.168.2.7 | 8.8.8.8 | 0xd167 | Standard query (0) | www.gabimejia.com | A (IP address) | IN (0x0001)
                                    May 27, 2022 18:25:53.158830881 CEST | 192.168.2.7 | 8.8.8.8 | 0x98d2 | Standard query (0) | www.wwohead.com | A (IP address) | IN (0x0001)
                                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                    May 27, 2022 18:25:31.742157936 CEST | 8.8.8.8 | 192.168.2.7 | 0x7a1c | No error (0) | www-bing-com.dual-a-0001.a-msedge.net | dual-a-0001.dc-msedge.net | | CNAME (Canonical name) | IN (0x0001)
                                    May 27, 2022 18:25:31.742157936 CEST | 8.8.8.8 | 192.168.2.7 | 0x7a1c | No error (0) | dual-a-0001.dc-msedge.net | | 131.253.33.200 | A (IP address) | IN (0x0001)
                                    May 27, 2022 18:25:31.742157936 CEST | 8.8.8.8 | 192.168.2.7 | 0x7a1c | No error (0) | dual-a-0001.dc-msedge.net | | 13.107.22.200 | A (IP address) | IN (0x0001)
                                    May 27, 2022 18:25:36.309185982 CEST | 8.8.8.8 | 192.168.2.7 | 0xd167 | No error (0) | www.gabimejia.com | | 104.140.60.254 | A (IP address) | IN (0x0001)
                                    May 27, 2022 18:25:53.581492901 CEST | 8.8.8.8 | 192.168.2.7 | 0x98d2 | No error (0) | www.wwohead.com | | 172.252.94.104 | A (IP address) | IN (0x0001)


                                    Target ID:0
                                    Start time:18:23:24
                                    Start date:27/05/2022
                                    Path:C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe"
                                    Imagebase:0xeb0000
                                    File size:716288 bytes
                                    MD5 hash:D891E26C0707977398E963D6076EEAE1
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:.Net C# or VB.NET
                                    Yara matches:
                                    • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.409614207.00000000035C7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: MALWARE_Win_zgRAT, Description: Detects zgRAT, Source: 00000000.00000002.414265819.0000000007B70000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.409834205.0000000004322000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.409834205.0000000004322000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.409834205.0000000004322000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                    • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.407668611.0000000003251000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    Reputation:low

                                    Target ID:2
                                    Start time:18:23:43
                                    Start date:27/05/2022
                                    Path:C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe
                                    Imagebase:0xd70000
                                    File size:716288 bytes
                                    MD5 hash:D891E26C0707977398E963D6076EEAE1
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000000.403126818.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000000.403126818.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000000.403126818.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000000.404005637.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000000.404005637.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000000.404005637.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.511417797.00000000014C0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.511417797.00000000014C0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.511417797.00000000014C0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.511211883.0000000001380000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.511211883.0000000001380000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.511211883.0000000001380000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.510795876.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.510795876.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.510795876.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                    Reputation:low

                                    Target ID:4
                                    Start time:18:23:48
                                    Start date:27/05/2022
                                    Path:C:\Windows\explorer.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\Explorer.EXE
                                    Imagebase:0x7ff631f70000
                                    File size:3933184 bytes
                                    MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000000.455844055.000000000DE2E000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000000.455844055.000000000DE2E000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000000.455844055.000000000DE2E000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000000.476604607.000000000DE2E000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000000.476604607.000000000DE2E000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000000.476604607.000000000DE2E000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                    Reputation:high

                                    Target ID:11
                                    Start time:18:24:30
                                    Start date:27/05/2022
                                    Path:C:\Windows\SysWOW64\control.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Windows\SysWOW64\control.exe
                                    Imagebase:0xdf0000
                                    File size:114688 bytes
                                    MD5 hash:40FBA3FBFD5E33E0DE1BA45472FDA66F
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.632202833.0000000000B90000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.632202833.0000000000B90000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.632202833.0000000000B90000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.633141128.0000000003390000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.633141128.0000000003390000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.633141128.0000000003390000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.634227955.0000000004AF0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.634227955.0000000004AF0000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.634227955.0000000004AF0000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                    Reputation:moderate

                                    Target ID:12
                                    Start time:18:24:36
                                    Start date:27/05/2022
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):true
                                    Commandline:/c del "C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.exe"
                                    Imagebase:0xdd0000
                                    File size:232960 bytes
                                    MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high

                                    Target ID:13
                                    Start time:18:24:38
                                    Start date:27/05/2022
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff7bab80000
                                    File size:625664 bytes
                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high

                                    Target ID:21
                                    Start time:18:25:15
                                    Start date:27/05/2022
                                    Path:C:\Windows\explorer.exe
                                    Wow64 process (32bit):false
                                    Commandline:explorer.exe
                                    Imagebase:0x7ff631f70000
                                    File size:3933184 bytes
                                    MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high

                                    No disassembly