Analysis Overview
SHA256
b3d5c049904ce10dd9ac4a72851aafda6d24e7603c3b1b60436ced92274434e2
Threat Level: Known bad
The file Ziraat Bankasi Swift Mesaji.pdf.exe was found to be: Known bad.
Malicious Activity Summary
Guloader,Cloudeye
Azorult
Reads user/profile data of web browsers
Checks QEMU agent file
Reads local data of messenger clients
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Accesses Microsoft Outlook profiles
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
outlook_win_path
Checks processor information in registry
outlook_office_path
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-09-19 16:18
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-19 16:18
Reported
2023-09-19 16:21
Platform
win7-20230831-en
Max time kernel
150s
Max time network
154s
Command Line
Signatures
Guloader,Cloudeye
Checks QEMU agent file
| Description | Indicator | Process | Target |
| File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.pdf.exe | N/A |
| File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.pdf.exe | N/A |
Loads dropped DLL
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.pdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.pdf.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2988 set thread context of 2504 | N/A | C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.pdf.exe | C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.pdf.exe |
Enumerates physical storage devices
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.pdf.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.pdf.exe"
C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.pdf.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | agencypress.wpengine.com | udp |
| US | 35.192.134.14:443 | agencypress.wpengine.com | tcp |
Files
\Users\Admin\AppData\Local\Temp\nsy8FA4.tmp\BgImage.dll
| MD5 | 744f9c42403e9aabde8fc65d40bccd3e |
| SHA1 | 9ab49924ffa1560e5e3b70b097236a1451945829 |
| SHA256 | 8eb85584031b2e1d74daf372e60a72f767e8861db9d4ca2dc1981511f620e51e |
| SHA512 | 924cacc1d1dd5260b6adf081bf1bfc83edaf51546af7e2f644ab53152e25889552fc99c50ddc45dc1850d7c165877637df11cd35709a49d57e6201b6f4690244 |
\Users\Admin\AppData\Local\Temp\nsy8FA4.tmp\nsDialogs.dll
| MD5 | 0d45588070cf728359055f776af16ec4 |
| SHA1 | c4375ceb2883dee74632e81addbfa4e8b0c6d84a |
| SHA256 | 067c77d51df034b4a614f83803140fbf4cd2f8684b88ea8c8acdf163edad085a |
| SHA512 | 751ebf4c43f100b41f799d0fbf8db118ea8751df029c1f4c4b0daeb0fef200ddf2e41c1c9c55c2dc94f2c841cf6acb7df355e98a2e5877a7797f0f1d41a7e415 |
C:\Users\Admin\AppData\Local\Temp\nsy8FA4.tmp\nsDialogs.dll
| MD5 | 0d45588070cf728359055f776af16ec4 |
| SHA1 | c4375ceb2883dee74632e81addbfa4e8b0c6d84a |
| SHA256 | 067c77d51df034b4a614f83803140fbf4cd2f8684b88ea8c8acdf163edad085a |
| SHA512 | 751ebf4c43f100b41f799d0fbf8db118ea8751df029c1f4c4b0daeb0fef200ddf2e41c1c9c55c2dc94f2c841cf6acb7df355e98a2e5877a7797f0f1d41a7e415 |
\Users\Admin\AppData\Local\Temp\nsy8FA4.tmp\System.dll
| MD5 | a4dd044bcd94e9b3370ccf095b31f896 |
| SHA1 | 17c78201323ab2095bc53184aa8267c9187d5173 |
| SHA256 | 2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc |
| SHA512 | 87335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a |
\Users\Admin\AppData\Local\Temp\nsy8FA4.tmp\nsExec.dll
| MD5 | c5b9fe538654a5a259cf64c2455c5426 |
| SHA1 | db45505fa041af025de53a0580758f3694b9444a |
| SHA256 | 7b51372117960e84d6f5eb3a26810cc044ff02283b3d656a0a456b0ab5cb8ea7 |
| SHA512 | f0f8a5570c01b16e54f47502e867ffbaf162b44a847c0ffc8062d20e9492114229de5d9d2a836da256fd3f9fb493536bdbf148d5308695b16c0e98d20d8926aa |
C:\Users\Admin\AppData\Local\Temp\nsy8FA4.tmp\System.dll
| MD5 | a4dd044bcd94e9b3370ccf095b31f896 |
| SHA1 | 17c78201323ab2095bc53184aa8267c9187d5173 |
| SHA256 | 2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc |
| SHA512 | 87335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a |
C:\Users\Admin\AppData\Local\Temp\nsy8FA4.tmp\nsExec.dll
| MD5 | c5b9fe538654a5a259cf64c2455c5426 |
| SHA1 | db45505fa041af025de53a0580758f3694b9444a |
| SHA256 | 7b51372117960e84d6f5eb3a26810cc044ff02283b3d656a0a456b0ab5cb8ea7 |
| SHA512 | f0f8a5570c01b16e54f47502e867ffbaf162b44a847c0ffc8062d20e9492114229de5d9d2a836da256fd3f9fb493536bdbf148d5308695b16c0e98d20d8926aa |
C:\Users\Admin\trykimprgneringerne.ini
| MD5 | c4829906d876f22ae69d5bdf4e401ae9 |
| SHA1 | 4be3cc23f889d83675eb8e412776f425df75ab81 |
| SHA256 | 91543ad310d29d76cf717afcf0fd1db03c798cabd5448940de84516352c5c7cb |
| SHA512 | 7788e3afabb9e85a1e0f71355535f7ef0694d1ab48a2c94e560671730e36703411532964bd490c0abb835a5f10cb7794ab51f4b162461d0428e6de2de4afae60 |
C:\Users\Admin\AppData\Local\Temp\CabFF67.tmp
| MD5 | f3441b8572aae8801c04f3060b550443 |
| SHA1 | 4ef0a35436125d6821831ef36c28ffaf196cda15 |
| SHA256 | 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf |
| SHA512 | 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9 |
C:\Users\Admin\AppData\Local\Temp\TarFFC7.tmp
| MD5 | 9441737383d21192400eca82fda910ec |
| SHA1 | 725e0d606a4fc9ba44aa8ffde65bed15e65367e4 |
| SHA256 | bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5 |
| SHA512 | 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf |
Analysis: behavioral2
Detonation Overview
Submitted
2023-09-19 16:18
Reported
2023-09-19 16:21
Platform
win10v2004-20230915-en
Max time kernel
143s
Max time network
148s
Command Line
Signatures
Azorult
Guloader,Cloudeye
Checks QEMU agent file
| Description | Indicator | Process | Target |
| File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.pdf.exe | N/A |
| File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.pdf.exe | N/A |
Loads dropped DLL
Reads data files stored by FTP clients
Reads local data of messenger clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.pdf.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.pdf.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.pdf.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.pdf.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.pdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.pdf.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4372 set thread context of 316 | N/A | C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.pdf.exe | C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.pdf.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.pdf.exe |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.pdf.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.pdf.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.pdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.pdf.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.pdf.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4372 wrote to memory of 316 | N/A | C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.pdf.exe | C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.pdf.exe |
| PID 4372 wrote to memory of 316 | N/A | C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.pdf.exe | C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.pdf.exe |
| PID 4372 wrote to memory of 316 | N/A | C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.pdf.exe | C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.pdf.exe |
| PID 4372 wrote to memory of 316 | N/A | C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.pdf.exe | C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.pdf.exe |
| PID 4372 wrote to memory of 316 | N/A | C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.pdf.exe | C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.pdf.exe |
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.pdf.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.pdf.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.pdf.exe"
C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.pdf.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 316 -ip 316
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 316 -s 200
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | agencypress.wpengine.com | udp |
| US | 35.192.134.14:443 | agencypress.wpengine.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.134.192.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 112.208.253.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | hoswell.shop | udp |
| US | 188.114.97.0:80 | hoswell.shop | tcp |
| US | 8.8.8.8:53 | 0.97.114.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 188.114.97.0:80 | hoswell.shop | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.112.168.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nsf611D.tmp\BgImage.dll
| MD5 | 744f9c42403e9aabde8fc65d40bccd3e |
| SHA1 | 9ab49924ffa1560e5e3b70b097236a1451945829 |
| SHA256 | 8eb85584031b2e1d74daf372e60a72f767e8861db9d4ca2dc1981511f620e51e |
| SHA512 | 924cacc1d1dd5260b6adf081bf1bfc83edaf51546af7e2f644ab53152e25889552fc99c50ddc45dc1850d7c165877637df11cd35709a49d57e6201b6f4690244 |
C:\Users\Admin\AppData\Local\Temp\nsf611D.tmp\nsDialogs.dll
| MD5 | 0d45588070cf728359055f776af16ec4 |
| SHA1 | c4375ceb2883dee74632e81addbfa4e8b0c6d84a |
| SHA256 | 067c77d51df034b4a614f83803140fbf4cd2f8684b88ea8c8acdf163edad085a |
| SHA512 | 751ebf4c43f100b41f799d0fbf8db118ea8751df029c1f4c4b0daeb0fef200ddf2e41c1c9c55c2dc94f2c841cf6acb7df355e98a2e5877a7797f0f1d41a7e415 |
C:\Users\Admin\AppData\Local\Temp\nsf611D.tmp\System.dll
| MD5 | a4dd044bcd94e9b3370ccf095b31f896 |
| SHA1 | 17c78201323ab2095bc53184aa8267c9187d5173 |
| SHA256 | 2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc |
| SHA512 | 87335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a |
C:\Users\Admin\AppData\Local\Temp\nsf611D.tmp\nsExec.dll
| MD5 | c5b9fe538654a5a259cf64c2455c5426 |
| SHA1 | db45505fa041af025de53a0580758f3694b9444a |
| SHA256 | 7b51372117960e84d6f5eb3a26810cc044ff02283b3d656a0a456b0ab5cb8ea7 |
| SHA512 | f0f8a5570c01b16e54f47502e867ffbaf162b44a847c0ffc8062d20e9492114229de5d9d2a836da256fd3f9fb493536bdbf148d5308695b16c0e98d20d8926aa |
C:\Users\Admin\trykimprgneringerne.ini
| MD5 | c4829906d876f22ae69d5bdf4e401ae9 |
| SHA1 | 4be3cc23f889d83675eb8e412776f425df75ab81 |
| SHA256 | 91543ad310d29d76cf717afcf0fd1db03c798cabd5448940de84516352c5c7cb |
| SHA512 | 7788e3afabb9e85a1e0f71355535f7ef0694d1ab48a2c94e560671730e36703411532964bd490c0abb835a5f10cb7794ab51f4b162461d0428e6de2de4afae60 |
C:\Users\Admin\AppData\Local\Temp\26F86CD1\nss3.dll
| MD5 | 556ea09421a0f74d31c4c0a89a70dc23 |
| SHA1 | f739ba9b548ee64b13eb434a3130406d23f836e3 |
| SHA256 | f0e6210d4a0d48c7908d8d1c270449c91eb4523e312a61256833bfeaf699abfb |
| SHA512 | 2481fc80dffa8922569552c3c3ebaef8d0341b80427447a14b291ec39ea62ab9c05a75e85eef5ea7f857488cab1463c18586f9b076e2958c5a314e459045ede2 |
C:\Users\Admin\AppData\Local\Temp\26F86CD1\vcruntime140.dll
| MD5 | 7587bf9cb4147022cd5681b015183046 |
| SHA1 | f2106306a8f6f0da5afb7fc765cfa0757ad5a628 |
| SHA256 | c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d |
| SHA512 | 0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f |
C:\Users\Admin\AppData\Local\Temp\26F86CD1\mozglue.dll
| MD5 | 9e682f1eb98a9d41468fc3e50f907635 |
| SHA1 | 85e0ceca36f657ddf6547aa0744f0855a27527ee |
| SHA256 | 830533bb569594ec2f7c07896b90225006b90a9af108f49d6fb6bebd02428b2d |
| SHA512 | 230230722d61ac1089fabf3f2decfa04f9296498f8e2a2a49b1527797dca67b5a11ab8656f04087acadf873fa8976400d57c77c404eba4aff89d92b9986f32ed |
C:\Users\Admin\AppData\Local\Temp\26F86CD1\msvcp140.dll
| MD5 | 109f0f02fd37c84bfc7508d4227d7ed5 |
| SHA1 | ef7420141bb15ac334d3964082361a460bfdb975 |
| SHA256 | 334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4 |
| SHA512 | 46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39 |