Edit tour

Windows Analysis Report
#U00d6DEME DETAYLARI 170325.exe

Overview

General Information

Sample name:	#U00d6DEME DETAYLARI 170325.exe renamed because original name is a hash value
Original sample name:	DEME DETAYLARI 170325.exe
Analysis ID:	1640442
MD5:	acd4b8a4942027c60549e8adb8195727
SHA1:	b92a0256ced0778c1892e4f7457679e9dcf626db
SHA256:	4023f16ab570c96bbfc7d6c9685d137382c82029c15df71696acdc20023dd31b
Tags:	exeuser-lowmal3
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected AntiVM3

Yara detected FormBook

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

C2 URLs / IPs found in malware configuration

Found direct / indirect Syscall (likely to bypass EDR)

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Sigma detected: CMSTP Execution Process Creation

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Switches to a custom stack to bypass stack traces

Tries to detect virtualization through RDTSC time measurements

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found decision node followed by non-executed suspicious APIs

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Uses 32bit PE files

Uses a Windows Living Off The Land Binaries (LOL bins)

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

#U00d6DEME DETAYLARI 170325.exe (PID: 7948 cmdline: "C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe" MD5: ACD4B8A4942027C60549E8ADB8195727)

powershell.exe (PID: 6748 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

#U00d6DEME DETAYLARI 170325.exe (PID: 5456 cmdline: "C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe" MD5: ACD4B8A4942027C60549E8ADB8195727)

explorer.exe (PID: 3084 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

cmstp.exe (PID: 772 cmdline: "C:\Windows\SysWOW64\cmstp.exe" MD5: D7AABFAB5BEFD53BA3A27BD48F3CC675)

cmd.exe (PID: 7984 cmdline: /c del "C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1224 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.rg-txtagstorefrontfze.world/bs03/"], "decoy": ["aindirectiveteam.info", "itchen-remodeling-up.world", "avadacasino21.buzz", "urumsbicard.net", "ental-care-2762127.fyi", "raveline.tech", "camtech.online", "leartec.health", "odkacasino-333.buzz", "oans-credits-73480.bond", "ubstrate360.xyz", "dalang.click", "on66my.xyz", "elegilgh.run", "wlf.dev", "ex-in-wien.net", "riminal-mischief.cfd", "0ns.pro", "klopcy.xyz", "ssetexcelstrongmanageroot.xyz", "leganttreasuresboutique.info", "ohnmcafee.xyz", "usshelter.net", "abianice-warszawska.online", "ituttotienda.online", "antoorschoonmaak-1628796.world", "olourg.irish", "ouseofisra-el.net", "umidifier-74367.bond", "nagapa.irish", "piccomms.net", "swift.xyz", "g100.beauty", "rooutfits.net", "oworking-space-1.live", "oughstorememorial.lifestyle", "assaumergerfunds.info", "urkish-hair-268864660.click", "udes-kitchen.net", "idscomefirst.online", "lowavenue.info", "ijn-websupport.sbs", "58bet.website", "sa-store.online", "epemog.online", "77hashrate.xyz", "yvalikdigital.online", "elegelhg.qpon", "ielosanantonio.online", "motrim.click", "oodwin-law.cfd", "enseitool.xyz", "romptsdesigns.xyz", "lomail.sbs", "ucien.world", "nipsvuesandbox.studio", "erspirexbrasil.online", "atinafyava.shop", "avenspar.xyz", "cyma98.sbs", "ealmsec.info", "23t.xyz", "nfmod.net", "eleghegl.xyz"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000B.00000002.2553090331.0000000004560000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000B.00000002.2553090331.0000000004560000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000B.00000002.2553090331.0000000004560000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000B.00000002.2553090331.0000000004560000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000B.00000002.2553090331.0000000004560000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
0000000B.00000002.2551980400.0000000000820000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000B.00000002.2551980400.0000000000820000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000B.00000002.2551980400.0000000000820000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000B.00000002.2551980400.0000000000820000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000B.00000002.2551980400.0000000000820000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
00000009.00000002.1382937942.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000009.00000002.1382937942.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000009.00000002.1382937942.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000009.00000002.1382937942.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.1382937942.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
0000000B.00000002.2552999766.0000000004530000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000B.00000002.2552999766.0000000004530000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000B.00000002.2552999766.0000000004530000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000B.00000002.2552999766.0000000004530000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000B.00000002.2552999766.0000000004530000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.1315912461.0000000003A59000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.1315912461.0000000003A59000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.1315912461.0000000003A59000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x82351:$a1: 3C 30 50 4F 53 54 74 09 40 0xb0771:$a1: 3C 30 50 4F 53 54 74 09 40 0xddb91:$a1: 3C 30 50 4F 53 54 74 09 40 0x98c80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xc70a0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xf44c0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x86abf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0xb4edf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0xe22ff:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x919a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0xbfdc7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0xed1e7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000003.00000002.1315912461.0000000003A59000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85a08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x85c72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xb3e28:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xb4092:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xe1248:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xe14b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x917a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xbfbc5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xecfe5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x91291:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xbf6b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xecad1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x918a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xbfcc7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xed0e7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x91a1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xbfe3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xed25f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x8668a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xb4aaa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xe1eca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
00000003.00000002.1315912461.0000000003A59000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x94909:$sqlite3step: 68 34 1C 7B E1 0x94a1c:$sqlite3step: 68 34 1C 7B E1 0xc2d29:$sqlite3step: 68 34 1C 7B E1 0xc2e3c:$sqlite3step: 68 34 1C 7B E1 0xf0149:$sqlite3step: 68 34 1C 7B E1 0xf025c:$sqlite3step: 68 34 1C 7B E1 0x94938:$sqlite3text: 68 38 2A 90 C5 0x94a5d:$sqlite3text: 68 38 2A 90 C5 0xc2d58:$sqlite3text: 68 38 2A 90 C5 0xc2e7d:$sqlite3text: 68 38 2A 90 C5 0xf0178:$sqlite3text: 68 38 2A 90 C5 0xf029d:$sqlite3text: 68 38 2A 90 C5 0x9494b:$sqlite3blob: 68 53 D8 7F 8C 0x94a73:$sqlite3blob: 68 53 D8 7F 8C 0xc2d6b:$sqlite3blob: 68 53 D8 7F 8C 0xc2e93:$sqlite3blob: 68 53 D8 7F 8C 0xf018b:$sqlite3blob: 68 53 D8 7F 8C 0xf02b3:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: #U00d6DEME DETAYLARI 170325.exe PID: 7948	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: #U00d6DEME DETAYLARI 170325.exe PID: 7948	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6755c:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: #U00d6DEME DETAYLARI 170325.exe PID: 5456	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x7034b:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: cmstp.exe PID: 772	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x429ed:$a1: 3C 30 50 4F 53 54 74 09 40 0x8b915:$a1: 3C 30 50 4F 53 54 74 09 40 0x19b928:$a1: 3C 30 50 4F 53 54 74 09 40
Click to see the 24 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
9.2.#U00d6DEME DETAYLARI 170325.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
9.2.#U00d6DEME DETAYLARI 170325.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
9.2.#U00d6DEME DETAYLARI 170325.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
9.2.#U00d6DEME DETAYLARI 170325.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
9.2.#U00d6DEME DETAYLARI 170325.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
9.2.#U00d6DEME DETAYLARI 170325.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
9.2.#U00d6DEME DETAYLARI 170325.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
9.2.#U00d6DEME DETAYLARI 170325.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5451:$a1: 3C 30 50 4F 53 54 74 09 40 0x1bd80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9bbf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x14aa7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
9.2.#U00d6DEME DETAYLARI 170325.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x148a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x149a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x978a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1360c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa483:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1aae7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1baea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
9.2.#U00d6DEME DETAYLARI 170325.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a09:$sqlite3step: 68 34 1C 7B E1 0x17b1c:$sqlite3step: 68 34 1C 7B E1 0x17a38:$sqlite3text: 68 38 2A 90 C5 0x17b5d:$sqlite3text: 68 38 2A 90 C5 0x17a4b:$sqlite3blob: 68 53 D8 7F 8C 0x17b73:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 5 entries

Sigma Signatures

System Summary

Sigma detected: CMSTP Execution Process Creation

Source: Process started

Author: Nik Seetharaman: Data: Command: /c del "C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe", CommandLine: /c del "C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Windows\SysWOW64\cmstp.exe", ParentImage: C:\Windows\SysWOW64\cmstp.exe, ParentProcessId: 772, ParentProcessName: cmstp.exe, ProcessCommandLine: /c del "C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe", ProcessId: 7984, ProcessName: cmd.exe

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe", ParentImage: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe, ParentProcessId: 7948, ParentProcessName: #U00d6DEME DETAYLARI 170325.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe", ProcessId: 6748, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe", ParentImage: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe, ParentProcessId: 7948, ParentProcessName: #U00d6DEME DETAYLARI 170325.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe", ProcessId: 6748, ProcessName: powershell.exe

Suricata Signatures

ET MALWARE FormBook CnC Checkin (GET)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-17T10:38:09.293469+0100	2031453	1	Malware Command and Control Activity Detected	192.168.2.5	49733	13.248.169.48	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0000000B.00000002.2553090331.0000000004560000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.rg-txtagstorefrontfze.world/bs03/"], "decoy": ["aindirectiveteam.info", "itchen-remodeling-up.world", "avadacasino21.buzz", "urumsbicard.net", "ental-care-2762127.fyi", "raveline.tech", "camtech.online", "leartec.health", "odkacasino-333.buzz", "oans-credits-73480.bond", "ubstrate360.xyz", "dalang.click", "on66my.xyz", "elegilgh.run", "wlf.dev", "ex-in-wien.net", "riminal-mischief.cfd", "0ns.pro", "klopcy.xyz", "ssetexcelstrongmanageroot.xyz", "leganttreasuresboutique.info", "ohnmcafee.xyz", "usshelter.net", "abianice-warszawska.online", "ituttotienda.online", "antoorschoonmaak-1628796.world", "olourg.irish", "ouseofisra-el.net", "umidifier-74367.bond", "nagapa.irish", "piccomms.net", "swift.xyz", "g100.beauty", "rooutfits.net", "oworking-space-1.live", "oughstorememorial.lifestyle", "assaumergerfunds.info", "urkish-hair-268864660.click", "udes-kitchen.net", "idscomefirst.online", "lowavenue.info", "ijn-websupport.sbs", "58bet.website", "sa-store.online", "epemog.online", "77hashrate.xyz", "yvalikdigital.online", "elegelhg.qpon", "ielosanantonio.online", "motrim.click", "oodwin-law.cfd", "enseitool.xyz", "romptsdesigns.xyz", "lomail.sbs", "ucien.world", "nipsvuesandbox.studio", "erspirexbrasil.online", "atinafyava.shop", "avenspar.xyz", "cyma98.sbs", "ealmsec.info", "23t.xyz", "nfmod.net", "eleghegl.xyz"]}

Yara detected FormBook

Source: Yara match	File source: 9.2.#U00d6DEME DETAYLARI 170325.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.#U00d6DEME DETAYLARI 170325.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.2553090331.0000000004560000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2551980400.0000000000820000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1382937942.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2552999766.0000000004530000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1315912461.0000000003A59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: #U00d6DEME DETAYLARI 170325.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: #U00d6DEME DETAYLARI 170325.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: eRpW.pdb source: #U00d6DEME DETAYLARI 170325.exe
Source:	Binary string: cmstp.pdbGCTL source: #U00d6DEME DETAYLARI 170325.exe, 00000009.00000002.1387901442.0000000000F50000.00000040.10000000.00040000.00000000.sdmp, #U00d6DEME DETAYLARI 170325.exe, 00000009.00000002.1385090492.0000000000B47000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 0000000B.00000002.2552543639.0000000000B70000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: #U00d6DEME DETAYLARI 170325.exe, 00000009.00000002.1387947767.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 0000000B.00000003.1383808563.000000000437C000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 0000000B.00000003.1388283213.0000000004527000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 0000000B.00000002.2553417532.000000000486E000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 0000000B.00000002.2553417532.00000000046D0000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: #U00d6DEME DETAYLARI 170325.exe, #U00d6DEME DETAYLARI 170325.exe, 00000009.00000002.1387947767.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, cmstp.exe, 0000000B.00000003.1383808563.000000000437C000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 0000000B.00000003.1388283213.0000000004527000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 0000000B.00000002.2553417532.000000000486E000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 0000000B.00000002.2553417532.00000000046D0000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: cmstp.pdb source: #U00d6DEME DETAYLARI 170325.exe, 00000009.00000002.1387901442.0000000000F50000.00000040.10000000.00040000.00000000.sdmp, #U00d6DEME DETAYLARI 170325.exe, 00000009.00000002.1385090492.0000000000B47000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, cmstp.exe, 0000000B.00000002.2552543639.0000000000B70000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: eRpW.pdbSHA256;;Z source: #U00d6DEME DETAYLARI 170325.exe

Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_00B7B3C4 memset,GetPrivateProfileStringW,FindFirstFileW,memset,FindNextFileW,		11_2_00B7B3C4
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_00B7894B memset,memset,memset,SHGetFolderPathW,memset,SHGetFolderPathW,CmFree,memset,FindFirstFileW,GetLastError,memset,memset,FindNextFileW,FindClose,		11_2_00B7894B

Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 4x nop then pop ebx	9_2_00407B1A
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 4x nop then pop edi	9_2_00416CA5
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 4x nop then pop ebx	11_2_00827B1B
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 4x nop then pop edi	11_2_00836CA5

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:49733 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:49733 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:49733 -> 13.248.169.48:80

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe

Network Connect: 13.248.169.48 80

Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.rg-txtagstorefrontfze.world/bs03/

Source: global traffic

HTTP traffic detected: GET /bs03/?AdsxA2G=Yg/si+zA8frR8XW7Cf3Z2S3dOnCB1IEkUFHX2PQk8Cg0pSfA0QI6WJxLkijYrYR8qX2Y&1bV=WXr8JfXxOD HTTP/1.1Host: www.camtech.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 13.248.169.48 13.248.169.48

Source: Joe Sandbox View

ASN Name: AMAZON-02US AMAZON-02US

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\explorer.exe

Code function: 10_2_0AB83F82 getaddrinfo,setsockopt,recv,

10_2_0AB83F82

Source: global traffic

Source: global traffic	DNS traffic detected: DNS query: www.rg-txtagstorefrontfze.world
Source: global traffic	DNS traffic detected: DNS query: www.riminal-mischief.cfd
Source: global traffic	DNS traffic detected: DNS query: www.epemog.online
Source: global traffic	DNS traffic detected: DNS query: www.abianice-warszawska.online
Source: global traffic	DNS traffic detected: DNS query: www.camtech.online

Source: explorer.exe, 0000000A.00000002.2558052578.000000000976E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1324844652.000000000976E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1324844652.0000000009716000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: explorer.exe, 0000000A.00000002.2558052578.000000000976E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1324844652.000000000976E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1324844652.0000000009716000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 0000000A.00000002.2558052578.000000000976E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1324844652.000000000976E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1324844652.0000000009716000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 0000000A.00000000.1324844652.0000000009759000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2558052578.0000000009759000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlx#
Source: explorer.exe, 0000000A.00000002.2557508420.0000000008770000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000002.2556853036.0000000007A60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.1322931544.00000000082E0000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: #U00d6DEME DETAYLARI 170325.exe, 00000003.00000002.1314350925.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 0000000A.00000002.2564685992.000000000D811000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.58bet.website
Source: explorer.exe, 0000000A.00000002.2564685992.000000000D811000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.58bet.website/bs03/
Source: explorer.exe, 0000000A.00000002.2564685992.000000000D811000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.58bet.website/bs03/www.oughstorememorial.lifestyle
Source: explorer.exe, 0000000A.00000002.2564685992.000000000D811000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.58bet.websiteReferer:
Source: explorer.exe, 0000000A.00000002.2564685992.000000000D811000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.abianice-warszawska.online
Source: explorer.exe, 0000000A.00000002.2564685992.000000000D811000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.abianice-warszawska.online/bs03/
Source: explorer.exe, 0000000A.00000002.2564685992.000000000D811000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.abianice-warszawska.online/bs03/www.camtech.online
Source: explorer.exe, 0000000A.00000002.2564685992.000000000D811000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.abianice-warszawska.onlineReferer:
Source: explorer.exe, 0000000A.00000002.2555653709.0000000007215000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1319193716.0000000007218000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2555653709.0000000007218000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 0000000A.00000002.2564685992.000000000D811000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.avenspar.xyz
Source: explorer.exe, 0000000A.00000002.2564685992.000000000D811000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.avenspar.xyz/bs03/
Source: explorer.exe, 0000000A.00000002.2564685992.000000000D811000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.avenspar.xyz/bs03/www.58bet.website
Source: explorer.exe, 0000000A.00000002.2564685992.000000000D811000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.avenspar.xyzReferer:
Source: explorer.exe, 0000000A.00000002.2564685992.000000000D811000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.camtech.online
Source: explorer.exe, 0000000A.00000002.2564685992.000000000D811000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.camtech.online/bs03/
Source: explorer.exe, 0000000A.00000002.2564685992.000000000D811000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.camtech.online/bs03/www.udes-kitchen.net
Source: explorer.exe, 0000000A.00000002.2564685992.000000000D811000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.camtech.onlineReferer:
Source: explorer.exe, 0000000A.00000002.2564685992.000000000D811000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.epemog.online
Source: explorer.exe, 0000000A.00000002.2564685992.000000000D811000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.epemog.online/bs03/
Source: explorer.exe, 0000000A.00000002.2564685992.000000000D811000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.epemog.online/bs03/www.abianice-warszawska.online
Source: explorer.exe, 0000000A.00000002.2564685992.000000000D811000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.epemog.onlineReferer:
Source: explorer.exe, 0000000A.00000002.2564685992.000000000D811000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.klopcy.xyz
Source: explorer.exe, 0000000A.00000002.2564685992.000000000D811000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.klopcy.xyz/bs03/
Source: explorer.exe, 0000000A.00000002.2564685992.000000000D811000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.klopcy.xyz/bs03/www.ssetexcelstrongmanageroot.xyz
Source: explorer.exe, 0000000A.00000002.2564685992.000000000D811000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.klopcy.xyzReferer:
Source: explorer.exe, 0000000A.00000002.2564685992.000000000D811000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nipsvuesandbox.studio
Source: explorer.exe, 0000000A.00000002.2564685992.000000000D811000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nipsvuesandbox.studio/bs03/
Source: explorer.exe, 0000000A.00000002.2564685992.000000000D811000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nipsvuesandbox.studio/bs03/www.klopcy.xyz
Source: explorer.exe, 0000000A.00000002.2564685992.000000000D811000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nipsvuesandbox.studioReferer:
Source: explorer.exe, 0000000A.00000002.2564685992.000000000D811000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.oughstorememorial.lifestyle
Source: explorer.exe, 0000000A.00000002.2564685992.000000000D811000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.oughstorememorial.lifestyle/bs03/
Source: explorer.exe, 0000000A.00000002.2564685992.000000000D811000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.oughstorememorial.lifestyle/bs03/www.umidifier-74367.bond
Source: explorer.exe, 0000000A.00000002.2564685992.000000000D811000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.oughstorememorial.lifestyleReferer:
Source: explorer.exe, 0000000A.00000002.2564685992.000000000D811000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rg-txtagstorefrontfze.world
Source: explorer.exe, 0000000A.00000002.2564685992.000000000D811000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rg-txtagstorefrontfze.world/bs03/
Source: explorer.exe, 0000000A.00000002.2564685992.000000000D811000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rg-txtagstorefrontfze.world/bs03/www.riminal-mischief.cfd
Source: explorer.exe, 0000000A.00000002.2564685992.000000000D811000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rg-txtagstorefrontfze.worldReferer:
Source: explorer.exe, 0000000A.00000002.2564685992.000000000D811000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.riminal-mischief.cfd
Source: explorer.exe, 0000000A.00000002.2564685992.000000000D811000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.riminal-mischief.cfd/bs03/
Source: explorer.exe, 0000000A.00000002.2564685992.000000000D811000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.riminal-mischief.cfd/bs03/www.epemog.online
Source: explorer.exe, 0000000A.00000002.2564685992.000000000D811000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.riminal-mischief.cfdReferer:
Source: explorer.exe, 0000000A.00000002.2564685992.000000000D811000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rooutfits.net
Source: explorer.exe, 0000000A.00000002.2564685992.000000000D811000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rooutfits.net/bs03/
Source: explorer.exe, 0000000A.00000002.2564685992.000000000D811000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rooutfits.net/bs03/www.avenspar.xyz
Source: explorer.exe, 0000000A.00000002.2564685992.000000000D811000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rooutfits.netReferer:
Source: explorer.exe, 0000000A.00000002.2564685992.000000000D811000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ssetexcelstrongmanageroot.xyz
Source: explorer.exe, 0000000A.00000002.2564685992.000000000D811000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ssetexcelstrongmanageroot.xyz/bs03/
Source: explorer.exe, 0000000A.00000002.2564685992.000000000D811000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ssetexcelstrongmanageroot.xyz/bs03/www.rooutfits.net
Source: explorer.exe, 0000000A.00000002.2564685992.000000000D811000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ssetexcelstrongmanageroot.xyzReferer:
Source: explorer.exe, 0000000A.00000002.2564685992.000000000D811000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ucien.world
Source: explorer.exe, 0000000A.00000002.2564685992.000000000D811000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ucien.world/bs03/
Source: explorer.exe, 0000000A.00000002.2564685992.000000000D811000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ucien.world/bs03/pdf
Source: explorer.exe, 0000000A.00000002.2564685992.000000000D811000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ucien.worldReferer:
Source: explorer.exe, 0000000A.00000002.2564685992.000000000D811000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.udes-kitchen.net
Source: explorer.exe, 0000000A.00000002.2564685992.000000000D811000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.udes-kitchen.net/bs03/
Source: explorer.exe, 0000000A.00000002.2564685992.000000000D811000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.udes-kitchen.net/bs03/www.nipsvuesandbox.studio
Source: explorer.exe, 0000000A.00000002.2564685992.000000000D811000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.udes-kitchen.netReferer:
Source: explorer.exe, 0000000A.00000002.2564685992.000000000D811000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.umidifier-74367.bond
Source: explorer.exe, 0000000A.00000002.2564685992.000000000D811000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.umidifier-74367.bond/bs03/
Source: explorer.exe, 0000000A.00000002.2564685992.000000000D811000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.umidifier-74367.bond/bs03/www.yvalikdigital.online
Source: explorer.exe, 0000000A.00000002.2564685992.000000000D811000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.umidifier-74367.bondReferer:
Source: explorer.exe, 0000000A.00000002.2564685992.000000000D811000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.yvalikdigital.online
Source: explorer.exe, 0000000A.00000002.2564685992.000000000D811000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.yvalikdigital.online/bs03/
Source: explorer.exe, 0000000A.00000002.2564685992.000000000D811000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.yvalikdigital.online/bs03/www.ucien.world
Source: explorer.exe, 0000000A.00000002.2564685992.000000000D811000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.yvalikdigital.onlineReferer:
Source: explorer.exe, 0000000A.00000002.2563220193.000000000D348000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1328228362.000000000D348000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppve
Source: explorer.exe, 0000000A.00000002.2563220193.000000000D348000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1328228362.000000000D348000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 0000000A.00000002.2563220193.000000000D348000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1328228362.000000000D348000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOSs
Source: explorer.exe, 0000000A.00000002.2558052578.0000000009604000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1324844652.0000000009604000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 0000000A.00000000.1319193716.0000000007165000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2555653709.0000000007165000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 0000000A.00000002.2555653709.000000000725E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1319193716.000000000725E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.comys
Source: explorer.exe, 0000000A.00000002.2563220193.000000000D348000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1328228362.000000000D348000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: explorer.exe, 0000000A.00000002.2563220193.000000000D348000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1328228362.000000000D348000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com
Source: explorer.exe, 0000000A.00000002.2563220193.000000000D348000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1328228362.000000000D348000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comEM
Source: explorer.exe, 0000000A.00000002.2563220193.000000000D44A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1328228362.000000000D44A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/$
Source: explorer.exe, 0000000A.00000002.2563220193.000000000D348000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1328228362.000000000D348000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.com

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 9.2.#U00d6DEME DETAYLARI 170325.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.#U00d6DEME DETAYLARI 170325.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.2553090331.0000000004560000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2551980400.0000000000820000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1382937942.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2552999766.0000000004530000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1315912461.0000000003A59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 9.2.#U00d6DEME DETAYLARI 170325.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 9.2.#U00d6DEME DETAYLARI 170325.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.2.#U00d6DEME DETAYLARI 170325.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.#U00d6DEME DETAYLARI 170325.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 9.2.#U00d6DEME DETAYLARI 170325.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.2.#U00d6DEME DETAYLARI 170325.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.2553090331.0000000004560000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000B.00000002.2553090331.0000000004560000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.2553090331.0000000004560000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.2551980400.0000000000820000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000B.00000002.2551980400.0000000000820000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.2551980400.0000000000820000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.1382937942.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000002.1382937942.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.1382937942.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.2552999766.0000000004530000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000B.00000002.2552999766.0000000004530000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.2552999766.0000000004530000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.1315912461.0000000003A59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.1315912461.0000000003A59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.1315912461.0000000003A59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: #U00d6DEME DETAYLARI 170325.exe PID: 7948, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: #U00d6DEME DETAYLARI 170325.exe PID: 5456, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: cmstp.exe PID: 772, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0041A320 NtCreateFile,	9_2_0041A320
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0041A3D0 NtReadFile,	9_2_0041A3D0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0041A450 NtClose,	9_2_0041A450
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0041A500 NtAllocateVirtualMemory,	9_2_0041A500
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0041A31A NtCreateFile,	9_2_0041A31A
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0041A3CA NtReadFile,	9_2_0041A3CA
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0041A44B NtClose,	9_2_0041A44B
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0041A4FA NtAllocateVirtualMemory,	9_2_0041A4FA
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01012B60 NtClose,LdrInitializeThunk,	9_2_01012B60
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01012BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	9_2_01012BF0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01012AD0 NtReadFile,LdrInitializeThunk,	9_2_01012AD0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01012D10 NtMapViewOfSection,LdrInitializeThunk,	9_2_01012D10
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01012D30 NtUnmapViewOfSection,LdrInitializeThunk,	9_2_01012D30
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01012DD0 NtDelayExecution,LdrInitializeThunk,	9_2_01012DD0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01012DF0 NtQuerySystemInformation,LdrInitializeThunk,	9_2_01012DF0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01012C70 NtFreeVirtualMemory,LdrInitializeThunk,	9_2_01012C70
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01012CA0 NtQueryInformationToken,LdrInitializeThunk,	9_2_01012CA0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01012F30 NtCreateSection,LdrInitializeThunk,	9_2_01012F30
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01012F90 NtProtectVirtualMemory,LdrInitializeThunk,	9_2_01012F90
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01012FB0 NtResumeThread,LdrInitializeThunk,	9_2_01012FB0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01012FE0 NtCreateFile,LdrInitializeThunk,	9_2_01012FE0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01012E80 NtReadVirtualMemory,LdrInitializeThunk,	9_2_01012E80
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01012EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	9_2_01012EA0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01014340 NtSetContextThread,	9_2_01014340
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01014650 NtSuspendThread,	9_2_01014650
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01012B80 NtQueryInformationFile,	9_2_01012B80
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01012BA0 NtEnumerateValueKey,	9_2_01012BA0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01012BE0 NtQueryValueKey,	9_2_01012BE0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01012AB0 NtWaitForSingleObject,	9_2_01012AB0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01012AF0 NtWriteFile,	9_2_01012AF0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01012D00 NtSetInformationFile,	9_2_01012D00
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01012DB0 NtEnumerateKey,	9_2_01012DB0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01012C00 NtQueryInformationProcess,	9_2_01012C00
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01012C60 NtCreateKey,	9_2_01012C60
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01012CC0 NtQueryVirtualMemory,	9_2_01012CC0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01012CF0 NtOpenProcess,	9_2_01012CF0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01012F60 NtCreateProcessEx,	9_2_01012F60
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01012FA0 NtQuerySection,	9_2_01012FA0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01012E30 NtWriteVirtualMemory,	9_2_01012E30
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01012EE0 NtQueueApcThread,	9_2_01012EE0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01013010 NtOpenDirectoryObject,	9_2_01013010
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01013090 NtSetValueKey,	9_2_01013090
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_010135C0 NtCreateMutant,	9_2_010135C0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_010139B0 NtGetContextThread,	9_2_010139B0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01013D10 NtOpenProcessToken,	9_2_01013D10
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01013D70 NtOpenThread,	9_2_01013D70
Source: C:\Windows\explorer.exe	Code function: 10_2_0AB83232 NtCreateFile,	10_2_0AB83232
Source: C:\Windows\explorer.exe	Code function: 10_2_0AB84E12 NtProtectVirtualMemory,	10_2_0AB84E12
Source: C:\Windows\explorer.exe	Code function: 10_2_0AB84E0A NtProtectVirtualMemory,	10_2_0AB84E0A
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_04742C70 NtFreeVirtualMemory,LdrInitializeThunk,	11_2_04742C70
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_04742C60 NtCreateKey,LdrInitializeThunk,	11_2_04742C60
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_04742CA0 NtQueryInformationToken,LdrInitializeThunk,	11_2_04742CA0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_04742D10 NtMapViewOfSection,LdrInitializeThunk,	11_2_04742D10
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_04742DF0 NtQuerySystemInformation,LdrInitializeThunk,	11_2_04742DF0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_04742DD0 NtDelayExecution,LdrInitializeThunk,	11_2_04742DD0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_04742EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	11_2_04742EA0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_04742F30 NtCreateSection,LdrInitializeThunk,	11_2_04742F30
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_04742FE0 NtCreateFile,LdrInitializeThunk,	11_2_04742FE0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_04742AD0 NtReadFile,LdrInitializeThunk,	11_2_04742AD0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_04742B60 NtClose,LdrInitializeThunk,	11_2_04742B60
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_04742BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	11_2_04742BF0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_04742BE0 NtQueryValueKey,LdrInitializeThunk,	11_2_04742BE0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_047435C0 NtCreateMutant,LdrInitializeThunk,	11_2_047435C0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_04744650 NtSuspendThread,	11_2_04744650
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_04744340 NtSetContextThread,	11_2_04744340
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_04742C00 NtQueryInformationProcess,	11_2_04742C00
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_04742CF0 NtOpenProcess,	11_2_04742CF0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_04742CC0 NtQueryVirtualMemory,	11_2_04742CC0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_04742D30 NtUnmapViewOfSection,	11_2_04742D30
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_04742D00 NtSetInformationFile,	11_2_04742D00
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_04742DB0 NtEnumerateKey,	11_2_04742DB0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_04742E30 NtWriteVirtualMemory,	11_2_04742E30
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_04742EE0 NtQueueApcThread,	11_2_04742EE0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_04742E80 NtReadVirtualMemory,	11_2_04742E80
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_04742F60 NtCreateProcessEx,	11_2_04742F60
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_04742FB0 NtResumeThread,	11_2_04742FB0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_04742FA0 NtQuerySection,	11_2_04742FA0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_04742F90 NtProtectVirtualMemory,	11_2_04742F90
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_04742AF0 NtWriteFile,	11_2_04742AF0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_04742AB0 NtWaitForSingleObject,	11_2_04742AB0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_04742BA0 NtEnumerateValueKey,	11_2_04742BA0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_04742B80 NtQueryInformationFile,	11_2_04742B80
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_04743010 NtOpenDirectoryObject,	11_2_04743010
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_04743090 NtSetValueKey,	11_2_04743090
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_04743D70 NtOpenThread,	11_2_04743D70
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_04743D10 NtOpenProcessToken,	11_2_04743D10
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_047439B0 NtGetContextThread,	11_2_047439B0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_0083A3D0 NtReadFile,	11_2_0083A3D0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_0083A320 NtCreateFile,	11_2_0083A320
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_0083A450 NtClose,	11_2_0083A450
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_0083A500 NtAllocateVirtualMemory,	11_2_0083A500
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_0083A3CA NtReadFile,	11_2_0083A3CA
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_0083A31A NtCreateFile,	11_2_0083A31A
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_0083A4FA NtAllocateVirtualMemory,	11_2_0083A4FA
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_0083A44B NtClose,	11_2_0083A44B
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_0463A036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,	11_2_0463A036
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_04639BAF NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose,	11_2_04639BAF
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_0463A042 NtQueryInformationProcess,	11_2_0463A042
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_04639BB2 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	11_2_04639BB2

Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 3_2_01063E40	3_2_01063E40
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 3_2_01066F92	3_2_01066F92
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 3_2_0106D87C	3_2_0106D87C
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 3_2_075404A8	3_2_075404A8
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 3_2_075499DD	3_2_075499DD
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 3_2_0754B500	3_2_0754B500
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 3_2_07543432	3_2_07543432
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 3_2_07545078	3_2_07545078
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 3_2_07545068	3_2_07545068
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 3_2_07543008	3_2_07543008
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 3_2_07545950	3_2_07545950
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 3_2_07543878	3_2_07543878
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00401030	9_2_00401030
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0041D8C4	9_2_0041D8C4
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0041E215	9_2_0041E215
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0041E2FB	9_2_0041E2FB
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0041E38E	9_2_0041E38E
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0041D563	9_2_0041D563
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0041EDEA	9_2_0041EDEA
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0041DD84	9_2_0041DD84
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00402D88	9_2_00402D88
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00402D90	9_2_00402D90
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00409E4B	9_2_00409E4B
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00409E50	9_2_00409E50
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0041DFE4	9_2_0041DFE4
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00402FB0	9_2_00402FB0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0107A118	9_2_0107A118
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01068158	9_2_01068158
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_010A01AA	9_2_010A01AA
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_010981CC	9_2_010981CC
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01072000	9_2_01072000
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FD0100	9_2_00FD0100
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0109A352	9_2_0109A352
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_010A03E6	9_2_010A03E6
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FEE3F0	9_2_00FEE3F0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01080274	9_2_01080274
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_010602C0	9_2_010602C0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_010A0591	9_2_010A0591
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01084420	9_2_01084420
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01092446	9_2_01092446
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FE0535	9_2_00FE0535
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0108E4F6	9_2_0108E4F6
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FFC6E0	9_2_00FFC6E0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01004750	9_2_01004750
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FDC7C0	9_2_00FDC7C0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FE0770	9_2_00FE0770
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FC68B8	9_2_00FC68B8
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_010AA9A6	9_2_010AA9A6
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FE2840	9_2_00FE2840
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FEA840	9_2_00FEA840
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FE29A0	9_2_00FE29A0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FF6962	9_2_00FF6962
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0100E8F0	9_2_0100E8F0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0109AB40	9_2_0109AB40
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FDEA80	9_2_00FDEA80
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01096BD7	9_2_01096BD7
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FD0CF2	9_2_00FD0CF2
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0107CD1F	9_2_0107CD1F
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FE0C00	9_2_00FE0C00
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FDADE0	9_2_00FDADE0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FF8DBF	9_2_00FF8DBF
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01080CB5	9_2_01080CB5
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FEAD00	9_2_00FEAD00
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01022F28	9_2_01022F28
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01000F30	9_2_01000F30
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01082F30	9_2_01082F30
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01054F40	9_2_01054F40
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FF2E90	9_2_00FF2E90
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0105EFA0	9_2_0105EFA0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FE0E59	9_2_00FE0E59
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FECFE0	9_2_00FECFE0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0109EE26	9_2_0109EE26
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FD2FC8	9_2_00FD2FC8
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0109CE93	9_2_0109CE93
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0109EEDB	9_2_0109EEDB
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FE70C0	9_2_00FE70C0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_010AB16B	9_2_010AB16B
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0101516C	9_2_0101516C
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FEB1B0	9_2_00FEB1B0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FCF172	9_2_00FCF172
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0108F0CC	9_2_0108F0CC
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_010970E9	9_2_010970E9
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0109F0E0	9_2_0109F0E0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0109132D	9_2_0109132D
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FFB2C0	9_2_00FFB2C0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FE52A0	9_2_00FE52A0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0102739A	9_2_0102739A
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FCD34C	9_2_00FCD34C
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_010812ED	9_2_010812ED
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01097571	9_2_01097571
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FD1460	9_2_00FD1460
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0107D5B0	9_2_0107D5B0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0109F43F	9_2_0109F43F
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0109F7B0	9_2_0109F7B0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_010916CC	9_2_010916CC
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01075910	9_2_01075910
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FE38E0	9_2_00FE38E0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0104D800	9_2_0104D800
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FE9950	9_2_00FE9950
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FFB950	9_2_00FFB950
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0109FB76	9_2_0109FB76
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01055BF0	9_2_01055BF0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0101DBF9	9_2_0101DBF9
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0109FA49	9_2_0109FA49
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01097A46	9_2_01097A46
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01053A6C	9_2_01053A6C
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FFFB80	9_2_00FFFB80
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01025AA0	9_2_01025AA0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0107DAAC	9_2_0107DAAC
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01081AA3	9_2_01081AA3
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0108DAC6	9_2_0108DAC6
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01091D5A	9_2_01091D5A
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01097D73	9_2_01097D73
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01059C32	9_2_01059C32
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FFFDC0	9_2_00FFFDC0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FE3D40	9_2_00FE3D40
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0109FCF2	9_2_0109FCF2
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0109FF09	9_2_0109FF09
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FE9EB0	9_2_00FE9EB0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0109FFB1	9_2_0109FFB1
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FE1F92	9_2_00FE1F92
Source: C:\Windows\explorer.exe	Code function: 10_2_0AB83232	10_2_0AB83232
Source: C:\Windows\explorer.exe	Code function: 10_2_0AB79082	10_2_0AB79082
Source: C:\Windows\explorer.exe	Code function: 10_2_0AB82036	10_2_0AB82036
Source: C:\Windows\explorer.exe	Code function: 10_2_0AB865CD	10_2_0AB865CD
Source: C:\Windows\explorer.exe	Code function: 10_2_0AB7DB32	10_2_0AB7DB32
Source: C:\Windows\explorer.exe	Code function: 10_2_0AB7DB30	10_2_0AB7DB30
Source: C:\Windows\explorer.exe	Code function: 10_2_0AB80912	10_2_0AB80912
Source: C:\Windows\explorer.exe	Code function: 10_2_0AB7AD02	10_2_0AB7AD02
Source: C:\Windows\explorer.exe	Code function: 10_2_1047D036	10_2_1047D036
Source: C:\Windows\explorer.exe	Code function: 10_2_10474082	10_2_10474082
Source: C:\Windows\explorer.exe	Code function: 10_2_10475D02	10_2_10475D02
Source: C:\Windows\explorer.exe	Code function: 10_2_1047B912	10_2_1047B912
Source: C:\Windows\explorer.exe	Code function: 10_2_104815CD	10_2_104815CD
Source: C:\Windows\explorer.exe	Code function: 10_2_1047E232	10_2_1047E232
Source: C:\Windows\explorer.exe	Code function: 10_2_10478B32	10_2_10478B32
Source: C:\Windows\explorer.exe	Code function: 10_2_10478B30	10_2_10478B30
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_00B7B634	11_2_00B7B634
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_047C2446	11_2_047C2446
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_047B4420	11_2_047B4420
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_047BE4F6	11_2_047BE4F6
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_04710535	11_2_04710535
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_047D0591	11_2_047D0591
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_0472C6E0	11_2_0472C6E0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_04710770	11_2_04710770
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_04734750	11_2_04734750
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_0470C7C0	11_2_0470C7C0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_047A2000	11_2_047A2000
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_04798158	11_2_04798158
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_047AA118	11_2_047AA118
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_04700100	11_2_04700100
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_047C81CC	11_2_047C81CC
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_047D01AA	11_2_047D01AA
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_047C41A2	11_2_047C41A2
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_047B0274	11_2_047B0274
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_047902C0	11_2_047902C0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_047CA352	11_2_047CA352
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_0471E3F0	11_2_0471E3F0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_047D03E6	11_2_047D03E6
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_04710C00	11_2_04710C00
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_04700CF2	11_2_04700CF2
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_047B0CB5	11_2_047B0CB5
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_047ACD1F	11_2_047ACD1F
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_0471AD00	11_2_0471AD00
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_0470ADE0	11_2_0470ADE0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_04728DBF	11_2_04728DBF
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_04710E59	11_2_04710E59
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_047CEE26	11_2_047CEE26
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_047CEEDB	11_2_047CEEDB
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_04722E90	11_2_04722E90
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_047CCE93	11_2_047CCE93
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_04784F40	11_2_04784F40
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_04730F30	11_2_04730F30
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_047B2F30	11_2_047B2F30
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_04752F28	11_2_04752F28
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_0471CFE0	11_2_0471CFE0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_04702FC8	11_2_04702FC8
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_0478EFA0	11_2_0478EFA0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_0471A840	11_2_0471A840
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_04712840	11_2_04712840
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_0473E8F0	11_2_0473E8F0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_046F68B8	11_2_046F68B8
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_04726962	11_2_04726962
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_047129A0	11_2_047129A0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_047DA9A6	11_2_047DA9A6
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_0470EA80	11_2_0470EA80
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_047CAB40	11_2_047CAB40
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_047C6BD7	11_2_047C6BD7
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_04701460	11_2_04701460
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_047CF43F	11_2_047CF43F
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_047C7571	11_2_047C7571
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_047D95C3	11_2_047D95C3
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_047AD5B0	11_2_047AD5B0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_04755630	11_2_04755630
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_047C16CC	11_2_047C16CC
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_047CF7B0	11_2_047CF7B0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_047C70E9	11_2_047C70E9
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_047CF0E0	11_2_047CF0E0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_047170C0	11_2_047170C0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_047BF0CC	11_2_047BF0CC
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_047DB16B	11_2_047DB16B
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_0474516C	11_2_0474516C
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_046FF172	11_2_046FF172
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_0471B1B0	11_2_0471B1B0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_047B12ED	11_2_047B12ED
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_0472B2C0	11_2_0472B2C0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_047152A0	11_2_047152A0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_046FD34C	11_2_046FD34C
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_047C132D	11_2_047C132D
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_0475739A	11_2_0475739A
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_04789C32	11_2_04789C32
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_047CFCF2	11_2_047CFCF2
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_047C7D73	11_2_047C7D73
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_047C1D5A	11_2_047C1D5A
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_04713D40	11_2_04713D40
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_0472FDC0	11_2_0472FDC0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_04719EB0	11_2_04719EB0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_047CFF09	11_2_047CFF09
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_047CFFB1	11_2_047CFFB1
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_04711F92	11_2_04711F92
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_0477D800	11_2_0477D800
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_047138E0	11_2_047138E0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_04719950	11_2_04719950
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_0472B950	11_2_0472B950
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_047A5910	11_2_047A5910
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_04783A6C	11_2_04783A6C
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_047CFA49	11_2_047CFA49
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_047C7A46	11_2_047C7A46
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_047BDAC6	11_2_047BDAC6
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_04755AA0	11_2_04755AA0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_047ADAAC	11_2_047ADAAC
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_047B1AA3	11_2_047B1AA3
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_047CFB76	11_2_047CFB76
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_04785BF0	11_2_04785BF0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_0474DBF9	11_2_0474DBF9
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_0472FB80	11_2_0472FB80
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_0083E2FB	11_2_0083E2FB
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_0083E38E	11_2_0083E38E
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_0083D563	11_2_0083D563
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_0083D8C4	11_2_0083D8C4
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_0083DD84	11_2_0083DD84
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_00822D88	11_2_00822D88
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_00822D90	11_2_00822D90
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_00829E4B	11_2_00829E4B
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_00829E50	11_2_00829E50
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_00822FB0	11_2_00822FB0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_0463A036	11_2_0463A036
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_04632D02	11_2_04632D02
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_0463E5CD	11_2_0463E5CD
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_04631082	11_2_04631082
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_04638912	11_2_04638912
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_0463B232	11_2_0463B232
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_04635B32	11_2_04635B32
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_04635B30	11_2_04635B30

Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: String function: 00FCB970 appears 280 times
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: String function: 0104EA12 appears 86 times
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: String function: 01015130 appears 58 times
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: String function: 01027E54 appears 102 times
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: String function: 0105F290 appears 105 times
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: String function: 0478F290 appears 105 times
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: String function: 04757E54 appears 111 times
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: String function: 046FB970 appears 280 times
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: String function: 0477EA12 appears 86 times
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: String function: 04745130 appears 58 times
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: String function: 00B7E951 appears 100 times

Source: #U00d6DEME DETAYLARI 170325.exe, 00000003.00000002.1314350925.0000000002B55000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs #U00d6DEME DETAYLARI 170325.exe
Source: #U00d6DEME DETAYLARI 170325.exe, 00000003.00000000.1272245590.000000000071C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameeRpW.exe> vs #U00d6DEME DETAYLARI 170325.exe
Source: #U00d6DEME DETAYLARI 170325.exe, 00000003.00000002.1318729470.00000000056C0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs #U00d6DEME DETAYLARI 170325.exe
Source: #U00d6DEME DETAYLARI 170325.exe, 00000003.00000002.1314350925.0000000002A65000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs #U00d6DEME DETAYLARI 170325.exe
Source: #U00d6DEME DETAYLARI 170325.exe, 00000003.00000002.1320464898.0000000007A70000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs #U00d6DEME DETAYLARI 170325.exe
Source: #U00d6DEME DETAYLARI 170325.exe, 00000003.00000002.1305433507.0000000000D7E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs #U00d6DEME DETAYLARI 170325.exe
Source: #U00d6DEME DETAYLARI 170325.exe, 00000003.00000002.1315912461.0000000003A59000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs #U00d6DEME DETAYLARI 170325.exe
Source: #U00d6DEME DETAYLARI 170325.exe, 00000009.00000002.1387901442.0000000000F50000.00000040.10000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCMSTP.EXE` vs #U00d6DEME DETAYLARI 170325.exe
Source: #U00d6DEME DETAYLARI 170325.exe, 00000009.00000002.1385090492.0000000000B47000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCMSTP.EXE` vs #U00d6DEME DETAYLARI 170325.exe
Source: #U00d6DEME DETAYLARI 170325.exe, 00000009.00000002.1387947767.00000000010CD000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs #U00d6DEME DETAYLARI 170325.exe
Source: #U00d6DEME DETAYLARI 170325.exe	Binary or memory string: OriginalFilenameeRpW.exe> vs #U00d6DEME DETAYLARI 170325.exe

Source: #U00d6DEME DETAYLARI 170325.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmstp.exe "C:\Windows\SysWOW64\cmstp.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmstp.exe "C:\Windows\SysWOW64\cmstp.exe"			Jump to behavior

Source: 9.2.#U00d6DEME DETAYLARI 170325.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 9.2.#U00d6DEME DETAYLARI 170325.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.2.#U00d6DEME DETAYLARI 170325.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.2.#U00d6DEME DETAYLARI 170325.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 9.2.#U00d6DEME DETAYLARI 170325.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.2.#U00d6DEME DETAYLARI 170325.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.2553090331.0000000004560000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000B.00000002.2553090331.0000000004560000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.2553090331.0000000004560000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.2551980400.0000000000820000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000B.00000002.2551980400.0000000000820000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.2551980400.0000000000820000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.1382937942.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000002.1382937942.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.1382937942.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.2552999766.0000000004530000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000B.00000002.2552999766.0000000004530000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.2552999766.0000000004530000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.1315912461.0000000003A59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.1315912461.0000000003A59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.1315912461.0000000003A59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: #U00d6DEME DETAYLARI 170325.exe PID: 7948, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: #U00d6DEME DETAYLARI 170325.exe PID: 5456, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: cmstp.exe PID: 772, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: #U00d6DEME DETAYLARI 170325.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 3.2.#U00d6DEME DETAYLARI 170325.exe.3c35f10.2.raw.unpack, tD4qspbKx1BYOSnDvw.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 3.2.#U00d6DEME DETAYLARI 170325.exe.3c35f10.2.raw.unpack, tD4qspbKx1BYOSnDvw.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 3.2.#U00d6DEME DETAYLARI 170325.exe.3c35f10.2.raw.unpack, tD4qspbKx1BYOSnDvw.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 3.2.#U00d6DEME DETAYLARI 170325.exe.3c35f10.2.raw.unpack, UEvnE91ajng9iinvJL.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 3.2.#U00d6DEME DETAYLARI 170325.exe.3c35f10.2.raw.unpack, UEvnE91ajng9iinvJL.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 3.2.#U00d6DEME DETAYLARI 170325.exe.7a70000.4.raw.unpack, UEvnE91ajng9iinvJL.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 3.2.#U00d6DEME DETAYLARI 170325.exe.7a70000.4.raw.unpack, UEvnE91ajng9iinvJL.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 3.2.#U00d6DEME DETAYLARI 170325.exe.7a70000.4.raw.unpack, tD4qspbKx1BYOSnDvw.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 3.2.#U00d6DEME DETAYLARI 170325.exe.7a70000.4.raw.unpack, tD4qspbKx1BYOSnDvw.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 3.2.#U00d6DEME DETAYLARI 170325.exe.7a70000.4.raw.unpack, tD4qspbKx1BYOSnDvw.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 3.2.#U00d6DEME DETAYLARI 170325.exe.3ca8730.1.raw.unpack, UEvnE91ajng9iinvJL.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 3.2.#U00d6DEME DETAYLARI 170325.exe.3ca8730.1.raw.unpack, UEvnE91ajng9iinvJL.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 3.2.#U00d6DEME DETAYLARI 170325.exe.3ca8730.1.raw.unpack, tD4qspbKx1BYOSnDvw.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 3.2.#U00d6DEME DETAYLARI 170325.exe.3ca8730.1.raw.unpack, tD4qspbKx1BYOSnDvw.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 3.2.#U00d6DEME DETAYLARI 170325.exe.3ca8730.1.raw.unpack, tD4qspbKx1BYOSnDvw.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)

Source: classification engine

Classification label: mal100.troj.evad.winEXE@11/6@5/1

Source: C:\Windows\SysWOW64\cmstp.exe

Code function: 11_2_00B78F05 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,InitiateSystemShutdownW,AdjustTokenPrivileges,CloseHandle,

11_2_00B78F05

Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\#U00d6DEME DETAYLARI 170325.exe.log

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1224:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6744:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dlswdwvg.joq.ps1

Jump to behavior

Source: C:\Windows\SysWOW64\cmstp.exe

Command line argument: kernel32.dll

11_2_00B76052

Source: #U00d6DEME DETAYLARI 170325.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: #U00d6DEME DETAYLARI 170325.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%

Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: cmstp.exe

String found in binary or memory: /k certutil.exe -f -enterprise -v -addstore Root "%s"

Source: unknown	Process created: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe "C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe"
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Process created: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe "C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmstp.exe "C:\Windows\SysWOW64\cmstp.exe"
Source: C:\Windows\SysWOW64\cmstp.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe"	Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Process created: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe "C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmstp.exe "C:\Windows\SysWOW64\cmstp.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe"	Jump to behavior

Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wscinterop.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wscapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: werconcpl.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wer.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: hcproviders.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: workfoldersshell.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mfsrcsnk.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Section loaded: cmutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Section loaded: wininet.dll	Jump to behavior

Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: #U00d6DEME DETAYLARI 170325.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: #U00d6DEME DETAYLARI 170325.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: #U00d6DEME DETAYLARI 170325.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: eRpW.pdb source: #U00d6DEME DETAYLARI 170325.exe
Source:	Binary string: cmstp.pdbGCTL source: #U00d6DEME DETAYLARI 170325.exe, 00000009.00000002.1387901442.0000000000F50000.00000040.10000000.00040000.00000000.sdmp, #U00d6DEME DETAYLARI 170325.exe, 00000009.00000002.1385090492.0000000000B47000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 0000000B.00000002.2552543639.0000000000B70000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: #U00d6DEME DETAYLARI 170325.exe, 00000009.00000002.1387947767.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 0000000B.00000003.1383808563.000000000437C000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 0000000B.00000003.1388283213.0000000004527000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 0000000B.00000002.2553417532.000000000486E000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 0000000B.00000002.2553417532.00000000046D0000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: #U00d6DEME DETAYLARI 170325.exe, #U00d6DEME DETAYLARI 170325.exe, 00000009.00000002.1387947767.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, cmstp.exe, 0000000B.00000003.1383808563.000000000437C000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 0000000B.00000003.1388283213.0000000004527000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 0000000B.00000002.2553417532.000000000486E000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 0000000B.00000002.2553417532.00000000046D0000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: cmstp.pdb source: #U00d6DEME DETAYLARI 170325.exe, 00000009.00000002.1387901442.0000000000F50000.00000040.10000000.00040000.00000000.sdmp, #U00d6DEME DETAYLARI 170325.exe, 00000009.00000002.1385090492.0000000000B47000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, cmstp.exe, 0000000B.00000002.2552543639.0000000000B70000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: eRpW.pdbSHA256;;Z source: #U00d6DEME DETAYLARI 170325.exe

Data Obfuscation

.NET source code contains potential unpacker

Source: 3.2.#U00d6DEME DETAYLARI 170325.exe.3c35f10.2.raw.unpack, tD4qspbKx1BYOSnDvw.cs	.Net Code: pUdPktAWaQ System.Reflection.Assembly.Load(byte[])
Source: 3.2.#U00d6DEME DETAYLARI 170325.exe.7a70000.4.raw.unpack, tD4qspbKx1BYOSnDvw.cs	.Net Code: pUdPktAWaQ System.Reflection.Assembly.Load(byte[])
Source: 3.2.#U00d6DEME DETAYLARI 170325.exe.3ca8730.1.raw.unpack, tD4qspbKx1BYOSnDvw.cs	.Net Code: pUdPktAWaQ System.Reflection.Assembly.Load(byte[])

Source: #U00d6DEME DETAYLARI 170325.exe

Static PE information: 0xCC750808 [Mon Sep 12 15:23:52 2078 UTC]

Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 3_2_0106E610 push eax; retf	3_2_0106E631
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 3_2_0106EE80 pushfd ; iretd	3_2_0106EE81
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 3_2_01065DFF pushfd ; iretd	3_2_01065E29
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 3_2_07546C7E push eax; iretd	3_2_07546C7F
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 3_2_07546AD8 push eax; iretd	3_2_07546AD9
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_004061E4 push ss; iretd	9_2_004061E8
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0041D475 push eax; ret	9_2_0041D4C8
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0041D4C2 push eax; ret	9_2_0041D4C8
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0041D4CB push eax; ret	9_2_0041D532
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0041D52C push eax; ret	9_2_0041D532
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0041DD84 push ecx; ret	9_2_0041DFE3
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FD09AD push ecx; mov dword ptr [esp], ecx	9_2_00FD09B6
Source: C:\Windows\explorer.exe	Code function: 10_2_0AB89024 push edx; iretd	10_2_0AB89025
Source: C:\Windows\explorer.exe	Code function: 10_2_0AB869B5 push esp; retn 0000h	10_2_0AB86AE7
Source: C:\Windows\explorer.exe	Code function: 10_2_0AB86B1E push esp; retn 0000h	10_2_0AB86B1F
Source: C:\Windows\explorer.exe	Code function: 10_2_0AB86B02 push esp; retn 0000h	10_2_0AB86B03
Source: C:\Windows\explorer.exe	Code function: 10_2_10484024 push edx; iretd	10_2_10484025
Source: C:\Windows\explorer.exe	Code function: 10_2_104819B5 push esp; retn 0000h	10_2_10481AE7
Source: C:\Windows\explorer.exe	Code function: 10_2_10481B02 push esp; retn 0000h	10_2_10481B03
Source: C:\Windows\explorer.exe	Code function: 10_2_10481B1E push esp; retn 0000h	10_2_10481B1F
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_00B81A3D push ecx; ret	11_2_00B81A50
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_046D27FA pushad ; ret	11_2_046D27F9
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_046D225F pushad ; ret	11_2_046D27F9
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_046D283D push eax; iretd	11_2_046D2858
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_047009AD push ecx; mov dword ptr [esp], ecx	11_2_047009B6
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_046D135F push eax; iretd	11_2_046D1369
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_0083F0B2 push ss; retf	11_2_0083F0B4
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_008261E4 push ss; iretd	11_2_008261E8
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_0083E2B6 push edi; iretd	11_2_0083E2B8
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_0083D4C2 push eax; ret	11_2_0083D4C8
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_0083D4CB push eax; ret	11_2_0083D532

Source: #U00d6DEME DETAYLARI 170325.exe

Static PE information: section name: .text entropy: 7.720092212232572

Source: 3.2.#U00d6DEME DETAYLARI 170325.exe.3c35f10.2.raw.unpack, MgRD5F0CSR3ChxmGPw.cs	High entropy of concatenated method names: 'pXQCJ6sg3L', 'JaOC7FBSut', 'a5hC1W9o6Y', 'S1EC04KjHh', 'iOGCIv8CDf', 'wnpCZgdFEt', 'WlFCpOO03c', 'EXZCU00cJU', 'xkLCcPQsut', 'anECOVj7j2'
Source: 3.2.#U00d6DEME DETAYLARI 170325.exe.3c35f10.2.raw.unpack, VNGmxyFSPOIO6PDsEQ.cs	High entropy of concatenated method names: 'u7JaoKseGd', 'mh0aCqwIRq', 'IgcarhPoxV', 'kJHrVhYDrQ', 'iSPrzFoBX0', 'eZvaYInTPK', 'Ptja3oQIjL', 'HOuaK4gTjY', 'cS9adSdMxB', 'r3BaPBDh2e'
Source: 3.2.#U00d6DEME DETAYLARI 170325.exe.3c35f10.2.raw.unpack, NSMLfC3PbG5twsnDMiK.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'HtngcoLhNc', 'JypgOgBc6V', 'DPqgepuArh', 'nOngghxSOu', 'CGjgSFIfRH', 'jDrgwiEEG1', 'oO7gvLlpav'
Source: 3.2.#U00d6DEME DETAYLARI 170325.exe.3c35f10.2.raw.unpack, tnvY0WKeW50lbO7QYX.cs	High entropy of concatenated method names: 'vfpk55ywS', 'JZpJ3y8n3', 'pnR7AGEK5', 'uPHsj6iUj', 'e8b0tcSgE', 'odfLwriSJ', 'i8PTHeeKixEch18y9x', 'RG5cRSkACes2kwcYhU', 'UVpUZlu91', 'x1kOJOYId'
Source: 3.2.#U00d6DEME DETAYLARI 170325.exe.3c35f10.2.raw.unpack, kTLO5sDbvsBSoTU9PN.cs	High entropy of concatenated method names: 'D61u1qNsV1', 'rCfu0VQFCV', 'lRcuQH5jIQ', 'cqdunrBf6X', 'eIkuX0eMs2', 'HMtuyBcP9s', 'O9XuFNhjTb', 'j6kuqrEYb5', 'wP5umHVKYh', 'pTvuHAJpfs'
Source: 3.2.#U00d6DEME DETAYLARI 170325.exe.3c35f10.2.raw.unpack, KSotuf33PGlfx7u0ED4.cs	High entropy of concatenated method names: 'CVIOVnGy72', 'WPOOzdKyyD', 'OXQeYWOE3N', 'm4Je3nR6JZ', 'syMeKTi7NA', 'db6edgwPOm', 'qFtePk6MVw', 'gKWelB0iQ2', 'QDneop3TNv', 'tEMeWO45eU'
Source: 3.2.#U00d6DEME DETAYLARI 170325.exe.3c35f10.2.raw.unpack, R9i4nCByS3qm1rI8IG.cs	High entropy of concatenated method names: 'NfZImlDS3j', 'KukI6WijUD', 'eU8IBaGhos', 'kBvI9WfRAi', 'qGqInLgJtR', 'mu1IfKZbmE', 'IFoIXFJ5KT', 'OscIyBHbNb', 'y0XIErG5vc', 't4ZIFQpE1b'
Source: 3.2.#U00d6DEME DETAYLARI 170325.exe.3c35f10.2.raw.unpack, UEvnE91ajng9iinvJL.cs	High entropy of concatenated method names: 'CgvWBxEyqw', 'MZ4W9M5w0v', 't0tWMnPGpP', 'xGJW8yHVRG', 'bwuWGqx7Td', 'bSCWAosnoX', 'OaoWR80liR', 'LyVWxreI0w', 'j3GWj7s8Pc', 'IylWVRtT9y'
Source: 3.2.#U00d6DEME DETAYLARI 170325.exe.3c35f10.2.raw.unpack, qPs3SdLurDE863qElv.cs	High entropy of concatenated method names: 'fI6iNITxDp', 'MbsisH3oVR', 'NyfCf3Kp4Z', 'd2gCXTUT8I', 'GcrCyWXnXp', 'm5SCEvJjdv', 'RvnCFO8Oqe', 'peoCqY607d', 'ETpChEq9Lo', 'Vv0CmG9Sha'
Source: 3.2.#U00d6DEME DETAYLARI 170325.exe.3c35f10.2.raw.unpack, lkM18OzYtoGT30nYvi.cs	High entropy of concatenated method names: 'TaRO7fpNxb', 'PksO1XsYAi', 'iiVO0hHZF2', 'nemOQIfoTa', 'xDOOnoCC10', 'VkSOXfDR16', 'IEsOyCm7sp', 'uAMOvkAcRk', 'w7KO2twMHJ', 'lwuO4RpZxE'
Source: 3.2.#U00d6DEME DETAYLARI 170325.exe.3c35f10.2.raw.unpack, tD4qspbKx1BYOSnDvw.cs	High entropy of concatenated method names: 'IRydlKkT20', 'WapdoWGkJv', 'xsqdWKT68a', 'qPLdCESZDJ', 'kYgdirWFgi', 'qo9drJK5eq', 'GZqdaKdBP9', 'wMddbv12aM', 'VkMdThxbcF', 'Pr0d5df9Jm'
Source: 3.2.#U00d6DEME DETAYLARI 170325.exe.3c35f10.2.raw.unpack, wTs4ZY8xu9yN6pANh7.cs	High entropy of concatenated method names: 'jPIp5h57VK', 'O6MptMXBAB', 'ToString', 'SJWpotwUKO', 'fvEpWmILKy', 'oiYpCIIBaP', 'GKRpiHIHdy', 'RZ1pr2yXYS', 'GL3parQcNO', 'T3ZpbgFvhR'
Source: 3.2.#U00d6DEME DETAYLARI 170325.exe.3c35f10.2.raw.unpack, gflhaORAA5y44kWvck.cs	High entropy of concatenated method names: 'A77cIK8iFQ', 'ktCcpolGtx', 'AiEccYPYwj', 'JuKceHdosm', 'QVmcSbAZ91', 'MducvQLNjP', 'Dispose', 'PAgUoCltC7', 'WXIUWaGkSH', 'xCUUCfGQnq'
Source: 3.2.#U00d6DEME DETAYLARI 170325.exe.3c35f10.2.raw.unpack, MB4KMJjykqUcLubKUk.cs	High entropy of concatenated method names: 'cVqcQbsJPM', 'OJScnanYaP', 'UBjcf85peG', 'G1McXObuMS', 'A1YcyKfLYE', 'UglcE2LBXd', 'pGVcFES8FC', 'O8ecqBoDTm', 'cPIchXWHES', 'FUYcmSHvqv'
Source: 3.2.#U00d6DEME DETAYLARI 170325.exe.3c35f10.2.raw.unpack, v64tpLhy33mL61UaAI.cs	High entropy of concatenated method names: 'iOya2dTpGU', 'vxJa4RloBd', 'vlpakAfWhI', 'YAdaJNh3W7', 'b9TaNJAXd3', 'IJUa7XIxo1', 'LmLas6hlP1', 'C9ea1L39cV', 'zvQa0ur3ZD', 'b0jaL426C7'
Source: 3.2.#U00d6DEME DETAYLARI 170325.exe.3c35f10.2.raw.unpack, PQ53gJWVd8IddGLpP8.cs	High entropy of concatenated method names: 'Dispose', 'ly43j4kWvc', 'JwbKnXPP4g', 'sMEbQJmEeX', 'zKY3V7X5Rq', 'eMD3zXsXBC', 'ProcessDialogKey', 'sbqKYB4KMJ', 'JkqK3UcLub', 'cUkKKRO210'
Source: 3.2.#U00d6DEME DETAYLARI 170325.exe.3c35f10.2.raw.unpack, irmIlg3YOoHouGGUlE5.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'AweOHTLD0Q', 'cGMO6QM7jk', 'lwdODjNgFv', 'ejhOBRKarT', 'qGtO9y9v51', 'oU7OMYsaOn', 'Gb4O8cU1qQ'
Source: 3.2.#U00d6DEME DETAYLARI 170325.exe.3c35f10.2.raw.unpack, C2B16ZAhZUhg5yRmrT.cs	High entropy of concatenated method names: 'bZ1pxhhNWT', 'CFypVUnHXU', 'Ge2UYBng3L', 'w4ZU3Y77Pi', 'AKmpHRp5Ut', 'DYEp6547jc', 'yFlpDAle87', 'kmkpB189Lt', 'eB7p9svVsy', 'xD6pMS97yS'
Source: 3.2.#U00d6DEME DETAYLARI 170325.exe.3c35f10.2.raw.unpack, rN64bOPEf9Hkr01Xum.cs	High entropy of concatenated method names: 'zGG3aEvnE9', 'jjn3bg9iin', 'LCS35R3Chx', 'NGP3twUPs3', 'bqE3IlvoIm', 'sKU3ZYiIJP', 'adxdvKcCPVNySLBrNK', 'c0XFLuhMCnouVtknOa', 'K4k33Xdmh4', 'Q9K3d6qpsp'
Source: 3.2.#U00d6DEME DETAYLARI 170325.exe.3c35f10.2.raw.unpack, fImcKUQYiIJP9FaN7S.cs	High entropy of concatenated method names: 'A9ZrlXsdM1', 'k2frWTRcJ4', 'T5ori19IDv', 'rvNraisHjR', 'uD7rb5UU5h', 'oxjiGjafJ0', 'KhTiAXPS8E', 'heoiRIm6X2', 'N3YixDYQw6', 'INOijlon98'
Source: 3.2.#U00d6DEME DETAYLARI 170325.exe.3c35f10.2.raw.unpack, WO210CVWKX4sdAkO93.cs	High entropy of concatenated method names: 'bYROC524wX', 'RENOiQZepX', 'BSqOrC24Ld', 'vXwOabsTkb', 'LwxOcsl1EA', 'vcROb4cdNx', 'Next', 'Next', 'Next', 'NextBytes'
Source: 3.2.#U00d6DEME DETAYLARI 170325.exe.3c35f10.2.raw.unpack, SeYS0t3dd3TbwZJiPBF.cs	High entropy of concatenated method names: 'KjGeVmgVUN', 'Oq2ezeXEhK', 'UregYk0uGc', 'TZPpDOnzXUp9p0NoZbo', 'EmiNaJvUcma1Qp5nZBA', 'FkQ7DqvRv7jvAHG928W', 'GaCMbHvFhaIqwggMC5G', 'CfhhUGvaalyqV7fumI2'
Source: 3.2.#U00d6DEME DETAYLARI 170325.exe.7a70000.4.raw.unpack, MgRD5F0CSR3ChxmGPw.cs	High entropy of concatenated method names: 'pXQCJ6sg3L', 'JaOC7FBSut', 'a5hC1W9o6Y', 'S1EC04KjHh', 'iOGCIv8CDf', 'wnpCZgdFEt', 'WlFCpOO03c', 'EXZCU00cJU', 'xkLCcPQsut', 'anECOVj7j2'
Source: 3.2.#U00d6DEME DETAYLARI 170325.exe.7a70000.4.raw.unpack, VNGmxyFSPOIO6PDsEQ.cs	High entropy of concatenated method names: 'u7JaoKseGd', 'mh0aCqwIRq', 'IgcarhPoxV', 'kJHrVhYDrQ', 'iSPrzFoBX0', 'eZvaYInTPK', 'Ptja3oQIjL', 'HOuaK4gTjY', 'cS9adSdMxB', 'r3BaPBDh2e'
Source: 3.2.#U00d6DEME DETAYLARI 170325.exe.7a70000.4.raw.unpack, NSMLfC3PbG5twsnDMiK.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'HtngcoLhNc', 'JypgOgBc6V', 'DPqgepuArh', 'nOngghxSOu', 'CGjgSFIfRH', 'jDrgwiEEG1', 'oO7gvLlpav'
Source: 3.2.#U00d6DEME DETAYLARI 170325.exe.7a70000.4.raw.unpack, tnvY0WKeW50lbO7QYX.cs	High entropy of concatenated method names: 'vfpk55ywS', 'JZpJ3y8n3', 'pnR7AGEK5', 'uPHsj6iUj', 'e8b0tcSgE', 'odfLwriSJ', 'i8PTHeeKixEch18y9x', 'RG5cRSkACes2kwcYhU', 'UVpUZlu91', 'x1kOJOYId'
Source: 3.2.#U00d6DEME DETAYLARI 170325.exe.7a70000.4.raw.unpack, kTLO5sDbvsBSoTU9PN.cs	High entropy of concatenated method names: 'D61u1qNsV1', 'rCfu0VQFCV', 'lRcuQH5jIQ', 'cqdunrBf6X', 'eIkuX0eMs2', 'HMtuyBcP9s', 'O9XuFNhjTb', 'j6kuqrEYb5', 'wP5umHVKYh', 'pTvuHAJpfs'
Source: 3.2.#U00d6DEME DETAYLARI 170325.exe.7a70000.4.raw.unpack, KSotuf33PGlfx7u0ED4.cs	High entropy of concatenated method names: 'CVIOVnGy72', 'WPOOzdKyyD', 'OXQeYWOE3N', 'm4Je3nR6JZ', 'syMeKTi7NA', 'db6edgwPOm', 'qFtePk6MVw', 'gKWelB0iQ2', 'QDneop3TNv', 'tEMeWO45eU'
Source: 3.2.#U00d6DEME DETAYLARI 170325.exe.7a70000.4.raw.unpack, R9i4nCByS3qm1rI8IG.cs	High entropy of concatenated method names: 'NfZImlDS3j', 'KukI6WijUD', 'eU8IBaGhos', 'kBvI9WfRAi', 'qGqInLgJtR', 'mu1IfKZbmE', 'IFoIXFJ5KT', 'OscIyBHbNb', 'y0XIErG5vc', 't4ZIFQpE1b'
Source: 3.2.#U00d6DEME DETAYLARI 170325.exe.7a70000.4.raw.unpack, UEvnE91ajng9iinvJL.cs	High entropy of concatenated method names: 'CgvWBxEyqw', 'MZ4W9M5w0v', 't0tWMnPGpP', 'xGJW8yHVRG', 'bwuWGqx7Td', 'bSCWAosnoX', 'OaoWR80liR', 'LyVWxreI0w', 'j3GWj7s8Pc', 'IylWVRtT9y'
Source: 3.2.#U00d6DEME DETAYLARI 170325.exe.7a70000.4.raw.unpack, qPs3SdLurDE863qElv.cs	High entropy of concatenated method names: 'fI6iNITxDp', 'MbsisH3oVR', 'NyfCf3Kp4Z', 'd2gCXTUT8I', 'GcrCyWXnXp', 'm5SCEvJjdv', 'RvnCFO8Oqe', 'peoCqY607d', 'ETpChEq9Lo', 'Vv0CmG9Sha'
Source: 3.2.#U00d6DEME DETAYLARI 170325.exe.7a70000.4.raw.unpack, lkM18OzYtoGT30nYvi.cs	High entropy of concatenated method names: 'TaRO7fpNxb', 'PksO1XsYAi', 'iiVO0hHZF2', 'nemOQIfoTa', 'xDOOnoCC10', 'VkSOXfDR16', 'IEsOyCm7sp', 'uAMOvkAcRk', 'w7KO2twMHJ', 'lwuO4RpZxE'
Source: 3.2.#U00d6DEME DETAYLARI 170325.exe.7a70000.4.raw.unpack, tD4qspbKx1BYOSnDvw.cs	High entropy of concatenated method names: 'IRydlKkT20', 'WapdoWGkJv', 'xsqdWKT68a', 'qPLdCESZDJ', 'kYgdirWFgi', 'qo9drJK5eq', 'GZqdaKdBP9', 'wMddbv12aM', 'VkMdThxbcF', 'Pr0d5df9Jm'
Source: 3.2.#U00d6DEME DETAYLARI 170325.exe.7a70000.4.raw.unpack, wTs4ZY8xu9yN6pANh7.cs	High entropy of concatenated method names: 'jPIp5h57VK', 'O6MptMXBAB', 'ToString', 'SJWpotwUKO', 'fvEpWmILKy', 'oiYpCIIBaP', 'GKRpiHIHdy', 'RZ1pr2yXYS', 'GL3parQcNO', 'T3ZpbgFvhR'
Source: 3.2.#U00d6DEME DETAYLARI 170325.exe.7a70000.4.raw.unpack, gflhaORAA5y44kWvck.cs	High entropy of concatenated method names: 'A77cIK8iFQ', 'ktCcpolGtx', 'AiEccYPYwj', 'JuKceHdosm', 'QVmcSbAZ91', 'MducvQLNjP', 'Dispose', 'PAgUoCltC7', 'WXIUWaGkSH', 'xCUUCfGQnq'
Source: 3.2.#U00d6DEME DETAYLARI 170325.exe.7a70000.4.raw.unpack, MB4KMJjykqUcLubKUk.cs	High entropy of concatenated method names: 'cVqcQbsJPM', 'OJScnanYaP', 'UBjcf85peG', 'G1McXObuMS', 'A1YcyKfLYE', 'UglcE2LBXd', 'pGVcFES8FC', 'O8ecqBoDTm', 'cPIchXWHES', 'FUYcmSHvqv'
Source: 3.2.#U00d6DEME DETAYLARI 170325.exe.7a70000.4.raw.unpack, v64tpLhy33mL61UaAI.cs	High entropy of concatenated method names: 'iOya2dTpGU', 'vxJa4RloBd', 'vlpakAfWhI', 'YAdaJNh3W7', 'b9TaNJAXd3', 'IJUa7XIxo1', 'LmLas6hlP1', 'C9ea1L39cV', 'zvQa0ur3ZD', 'b0jaL426C7'
Source: 3.2.#U00d6DEME DETAYLARI 170325.exe.7a70000.4.raw.unpack, PQ53gJWVd8IddGLpP8.cs	High entropy of concatenated method names: 'Dispose', 'ly43j4kWvc', 'JwbKnXPP4g', 'sMEbQJmEeX', 'zKY3V7X5Rq', 'eMD3zXsXBC', 'ProcessDialogKey', 'sbqKYB4KMJ', 'JkqK3UcLub', 'cUkKKRO210'
Source: 3.2.#U00d6DEME DETAYLARI 170325.exe.7a70000.4.raw.unpack, irmIlg3YOoHouGGUlE5.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'AweOHTLD0Q', 'cGMO6QM7jk', 'lwdODjNgFv', 'ejhOBRKarT', 'qGtO9y9v51', 'oU7OMYsaOn', 'Gb4O8cU1qQ'
Source: 3.2.#U00d6DEME DETAYLARI 170325.exe.7a70000.4.raw.unpack, C2B16ZAhZUhg5yRmrT.cs	High entropy of concatenated method names: 'bZ1pxhhNWT', 'CFypVUnHXU', 'Ge2UYBng3L', 'w4ZU3Y77Pi', 'AKmpHRp5Ut', 'DYEp6547jc', 'yFlpDAle87', 'kmkpB189Lt', 'eB7p9svVsy', 'xD6pMS97yS'
Source: 3.2.#U00d6DEME DETAYLARI 170325.exe.7a70000.4.raw.unpack, rN64bOPEf9Hkr01Xum.cs	High entropy of concatenated method names: 'zGG3aEvnE9', 'jjn3bg9iin', 'LCS35R3Chx', 'NGP3twUPs3', 'bqE3IlvoIm', 'sKU3ZYiIJP', 'adxdvKcCPVNySLBrNK', 'c0XFLuhMCnouVtknOa', 'K4k33Xdmh4', 'Q9K3d6qpsp'
Source: 3.2.#U00d6DEME DETAYLARI 170325.exe.7a70000.4.raw.unpack, fImcKUQYiIJP9FaN7S.cs	High entropy of concatenated method names: 'A9ZrlXsdM1', 'k2frWTRcJ4', 'T5ori19IDv', 'rvNraisHjR', 'uD7rb5UU5h', 'oxjiGjafJ0', 'KhTiAXPS8E', 'heoiRIm6X2', 'N3YixDYQw6', 'INOijlon98'
Source: 3.2.#U00d6DEME DETAYLARI 170325.exe.7a70000.4.raw.unpack, WO210CVWKX4sdAkO93.cs	High entropy of concatenated method names: 'bYROC524wX', 'RENOiQZepX', 'BSqOrC24Ld', 'vXwOabsTkb', 'LwxOcsl1EA', 'vcROb4cdNx', 'Next', 'Next', 'Next', 'NextBytes'
Source: 3.2.#U00d6DEME DETAYLARI 170325.exe.7a70000.4.raw.unpack, SeYS0t3dd3TbwZJiPBF.cs	High entropy of concatenated method names: 'KjGeVmgVUN', 'Oq2ezeXEhK', 'UregYk0uGc', 'TZPpDOnzXUp9p0NoZbo', 'EmiNaJvUcma1Qp5nZBA', 'FkQ7DqvRv7jvAHG928W', 'GaCMbHvFhaIqwggMC5G', 'CfhhUGvaalyqV7fumI2'
Source: 3.2.#U00d6DEME DETAYLARI 170325.exe.3ca8730.1.raw.unpack, MgRD5F0CSR3ChxmGPw.cs	High entropy of concatenated method names: 'pXQCJ6sg3L', 'JaOC7FBSut', 'a5hC1W9o6Y', 'S1EC04KjHh', 'iOGCIv8CDf', 'wnpCZgdFEt', 'WlFCpOO03c', 'EXZCU00cJU', 'xkLCcPQsut', 'anECOVj7j2'
Source: 3.2.#U00d6DEME DETAYLARI 170325.exe.3ca8730.1.raw.unpack, VNGmxyFSPOIO6PDsEQ.cs	High entropy of concatenated method names: 'u7JaoKseGd', 'mh0aCqwIRq', 'IgcarhPoxV', 'kJHrVhYDrQ', 'iSPrzFoBX0', 'eZvaYInTPK', 'Ptja3oQIjL', 'HOuaK4gTjY', 'cS9adSdMxB', 'r3BaPBDh2e'
Source: 3.2.#U00d6DEME DETAYLARI 170325.exe.3ca8730.1.raw.unpack, NSMLfC3PbG5twsnDMiK.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'HtngcoLhNc', 'JypgOgBc6V', 'DPqgepuArh', 'nOngghxSOu', 'CGjgSFIfRH', 'jDrgwiEEG1', 'oO7gvLlpav'
Source: 3.2.#U00d6DEME DETAYLARI 170325.exe.3ca8730.1.raw.unpack, tnvY0WKeW50lbO7QYX.cs	High entropy of concatenated method names: 'vfpk55ywS', 'JZpJ3y8n3', 'pnR7AGEK5', 'uPHsj6iUj', 'e8b0tcSgE', 'odfLwriSJ', 'i8PTHeeKixEch18y9x', 'RG5cRSkACes2kwcYhU', 'UVpUZlu91', 'x1kOJOYId'
Source: 3.2.#U00d6DEME DETAYLARI 170325.exe.3ca8730.1.raw.unpack, kTLO5sDbvsBSoTU9PN.cs	High entropy of concatenated method names: 'D61u1qNsV1', 'rCfu0VQFCV', 'lRcuQH5jIQ', 'cqdunrBf6X', 'eIkuX0eMs2', 'HMtuyBcP9s', 'O9XuFNhjTb', 'j6kuqrEYb5', 'wP5umHVKYh', 'pTvuHAJpfs'
Source: 3.2.#U00d6DEME DETAYLARI 170325.exe.3ca8730.1.raw.unpack, KSotuf33PGlfx7u0ED4.cs	High entropy of concatenated method names: 'CVIOVnGy72', 'WPOOzdKyyD', 'OXQeYWOE3N', 'm4Je3nR6JZ', 'syMeKTi7NA', 'db6edgwPOm', 'qFtePk6MVw', 'gKWelB0iQ2', 'QDneop3TNv', 'tEMeWO45eU'
Source: 3.2.#U00d6DEME DETAYLARI 170325.exe.3ca8730.1.raw.unpack, R9i4nCByS3qm1rI8IG.cs	High entropy of concatenated method names: 'NfZImlDS3j', 'KukI6WijUD', 'eU8IBaGhos', 'kBvI9WfRAi', 'qGqInLgJtR', 'mu1IfKZbmE', 'IFoIXFJ5KT', 'OscIyBHbNb', 'y0XIErG5vc', 't4ZIFQpE1b'
Source: 3.2.#U00d6DEME DETAYLARI 170325.exe.3ca8730.1.raw.unpack, UEvnE91ajng9iinvJL.cs	High entropy of concatenated method names: 'CgvWBxEyqw', 'MZ4W9M5w0v', 't0tWMnPGpP', 'xGJW8yHVRG', 'bwuWGqx7Td', 'bSCWAosnoX', 'OaoWR80liR', 'LyVWxreI0w', 'j3GWj7s8Pc', 'IylWVRtT9y'
Source: 3.2.#U00d6DEME DETAYLARI 170325.exe.3ca8730.1.raw.unpack, qPs3SdLurDE863qElv.cs	High entropy of concatenated method names: 'fI6iNITxDp', 'MbsisH3oVR', 'NyfCf3Kp4Z', 'd2gCXTUT8I', 'GcrCyWXnXp', 'm5SCEvJjdv', 'RvnCFO8Oqe', 'peoCqY607d', 'ETpChEq9Lo', 'Vv0CmG9Sha'
Source: 3.2.#U00d6DEME DETAYLARI 170325.exe.3ca8730.1.raw.unpack, lkM18OzYtoGT30nYvi.cs	High entropy of concatenated method names: 'TaRO7fpNxb', 'PksO1XsYAi', 'iiVO0hHZF2', 'nemOQIfoTa', 'xDOOnoCC10', 'VkSOXfDR16', 'IEsOyCm7sp', 'uAMOvkAcRk', 'w7KO2twMHJ', 'lwuO4RpZxE'
Source: 3.2.#U00d6DEME DETAYLARI 170325.exe.3ca8730.1.raw.unpack, tD4qspbKx1BYOSnDvw.cs	High entropy of concatenated method names: 'IRydlKkT20', 'WapdoWGkJv', 'xsqdWKT68a', 'qPLdCESZDJ', 'kYgdirWFgi', 'qo9drJK5eq', 'GZqdaKdBP9', 'wMddbv12aM', 'VkMdThxbcF', 'Pr0d5df9Jm'
Source: 3.2.#U00d6DEME DETAYLARI 170325.exe.3ca8730.1.raw.unpack, wTs4ZY8xu9yN6pANh7.cs	High entropy of concatenated method names: 'jPIp5h57VK', 'O6MptMXBAB', 'ToString', 'SJWpotwUKO', 'fvEpWmILKy', 'oiYpCIIBaP', 'GKRpiHIHdy', 'RZ1pr2yXYS', 'GL3parQcNO', 'T3ZpbgFvhR'
Source: 3.2.#U00d6DEME DETAYLARI 170325.exe.3ca8730.1.raw.unpack, gflhaORAA5y44kWvck.cs	High entropy of concatenated method names: 'A77cIK8iFQ', 'ktCcpolGtx', 'AiEccYPYwj', 'JuKceHdosm', 'QVmcSbAZ91', 'MducvQLNjP', 'Dispose', 'PAgUoCltC7', 'WXIUWaGkSH', 'xCUUCfGQnq'
Source: 3.2.#U00d6DEME DETAYLARI 170325.exe.3ca8730.1.raw.unpack, MB4KMJjykqUcLubKUk.cs	High entropy of concatenated method names: 'cVqcQbsJPM', 'OJScnanYaP', 'UBjcf85peG', 'G1McXObuMS', 'A1YcyKfLYE', 'UglcE2LBXd', 'pGVcFES8FC', 'O8ecqBoDTm', 'cPIchXWHES', 'FUYcmSHvqv'
Source: 3.2.#U00d6DEME DETAYLARI 170325.exe.3ca8730.1.raw.unpack, v64tpLhy33mL61UaAI.cs	High entropy of concatenated method names: 'iOya2dTpGU', 'vxJa4RloBd', 'vlpakAfWhI', 'YAdaJNh3W7', 'b9TaNJAXd3', 'IJUa7XIxo1', 'LmLas6hlP1', 'C9ea1L39cV', 'zvQa0ur3ZD', 'b0jaL426C7'
Source: 3.2.#U00d6DEME DETAYLARI 170325.exe.3ca8730.1.raw.unpack, PQ53gJWVd8IddGLpP8.cs	High entropy of concatenated method names: 'Dispose', 'ly43j4kWvc', 'JwbKnXPP4g', 'sMEbQJmEeX', 'zKY3V7X5Rq', 'eMD3zXsXBC', 'ProcessDialogKey', 'sbqKYB4KMJ', 'JkqK3UcLub', 'cUkKKRO210'
Source: 3.2.#U00d6DEME DETAYLARI 170325.exe.3ca8730.1.raw.unpack, irmIlg3YOoHouGGUlE5.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'AweOHTLD0Q', 'cGMO6QM7jk', 'lwdODjNgFv', 'ejhOBRKarT', 'qGtO9y9v51', 'oU7OMYsaOn', 'Gb4O8cU1qQ'
Source: 3.2.#U00d6DEME DETAYLARI 170325.exe.3ca8730.1.raw.unpack, C2B16ZAhZUhg5yRmrT.cs	High entropy of concatenated method names: 'bZ1pxhhNWT', 'CFypVUnHXU', 'Ge2UYBng3L', 'w4ZU3Y77Pi', 'AKmpHRp5Ut', 'DYEp6547jc', 'yFlpDAle87', 'kmkpB189Lt', 'eB7p9svVsy', 'xD6pMS97yS'
Source: 3.2.#U00d6DEME DETAYLARI 170325.exe.3ca8730.1.raw.unpack, rN64bOPEf9Hkr01Xum.cs	High entropy of concatenated method names: 'zGG3aEvnE9', 'jjn3bg9iin', 'LCS35R3Chx', 'NGP3twUPs3', 'bqE3IlvoIm', 'sKU3ZYiIJP', 'adxdvKcCPVNySLBrNK', 'c0XFLuhMCnouVtknOa', 'K4k33Xdmh4', 'Q9K3d6qpsp'
Source: 3.2.#U00d6DEME DETAYLARI 170325.exe.3ca8730.1.raw.unpack, fImcKUQYiIJP9FaN7S.cs	High entropy of concatenated method names: 'A9ZrlXsdM1', 'k2frWTRcJ4', 'T5ori19IDv', 'rvNraisHjR', 'uD7rb5UU5h', 'oxjiGjafJ0', 'KhTiAXPS8E', 'heoiRIm6X2', 'N3YixDYQw6', 'INOijlon98'
Source: 3.2.#U00d6DEME DETAYLARI 170325.exe.3ca8730.1.raw.unpack, WO210CVWKX4sdAkO93.cs	High entropy of concatenated method names: 'bYROC524wX', 'RENOiQZepX', 'BSqOrC24Ld', 'vXwOabsTkb', 'LwxOcsl1EA', 'vcROb4cdNx', 'Next', 'Next', 'Next', 'NextBytes'
Source: 3.2.#U00d6DEME DETAYLARI 170325.exe.3ca8730.1.raw.unpack, SeYS0t3dd3TbwZJiPBF.cs	High entropy of concatenated method names: 'KjGeVmgVUN', 'Oq2ezeXEhK', 'UregYk0uGc', 'TZPpDOnzXUp9p0NoZbo', 'EmiNaJvUcma1Qp5nZBA', 'FkQ7DqvRv7jvAHG928W', 'GaCMbHvFhaIqwggMC5G', 'CfhhUGvaalyqV7fumI2'

Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_00B7CAB4 GetSystemDirectoryW,memset,GetPrivateProfileStringW,RegOpenKeyExW,RegDeleteValueW,RegDeleteValueW,RegCloseKey,CmFree,	11_2_00B7CAB4
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_00B7A6EE GetPrivateProfileIntW,GetPrivateProfileIntW,GetPrivateProfileIntW,LoadStringW,LoadStringW,lstrlenW,lstrlenW,lstrlenW,LoadStringW,LoadStringW,MessageBoxW,LoadStringW,GetSystemDirectoryW,LoadStringW,MessageBoxW,	11_2_00B7A6EE
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_00B75DEC memset,GetPrivateProfileStringW,GetModuleHandleA,GetProcAddress,GetCurrentProcess,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,GetProcAddress,GetProcAddress,FreeLibrary,	11_2_00B75DEC
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_00B7B634 LoadStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileIntW,LoadStringW,MessageBoxW,CmFree,CmFree,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,LoadStringW,MessageBoxW,memset,memset,memset,RegOpenKeyExW,RegQueryValueExW,ExpandEnvironmentStringsW,lstrcmpiW,LoadStringW,MessageBoxW,RegCloseKey,LoadStringW,RegCreateKeyW,lstrlenW,RegSetValueExW,LoadStringW,MessageBoxW,RegCloseKey,RegCloseKey,memset,memset,CopyFileW,LoadStringW,MessageBoxW,GetOSVersion,GetOSMajorVersion,CmMalloc,memset,CmFree,CmMalloc,memset,GetLastError,CmFree,lstrlenW,CmMalloc,lstrlenW,CmFree,CmFree,RegOpenKeyExW,RegDeleteValueW,RegCloseKey,LoadStringW,MessageBoxExW,CmMalloc,memset,CmFree,CmMalloc,	11_2_00B7B634
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_00B7D233 RegOpenKeyExW,GetPrivateProfileIntW,GetSystemDirectoryW,memset,GetPrivateProfileStringW,RegOpenKeyExW,RegCloseKey,RegOpenKeyExW,RegCloseKey,memset,RegEnumValueW,RegCloseKey,	11_2_00B7D233
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_00B7DD1E memset,memset,memset,memset,LoadStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,RegCreateKeyExW,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,RegCloseKey,lstrlenW,memset,lstrlenW,lstrlenW,RegSetValueExW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,CmMalloc,CreateFileW,CloseHandle,CmFree,CmFree,GetPrivateProfileIntW,SetFileAttributesW,SHFileOperationW,RegCloseKey,RegCloseKey,	11_2_00B7DD1E
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_00B7A47F RegOpenKeyExW,RegQueryValueExW,GetPrivateProfileIntW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,	11_2_00B7A47F
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_00B7A068 memset,memset,RegOpenKeyExW,RegQueryValueExW,lstrcmpiW,LoadStringW,MessageBoxW,RegCloseKey,GetPrivateProfileIntW,GetPrivateProfileIntW,LoadStringW,LoadStringW,LoadStringW,MessageBoxW,GetSystemDirectoryW,	11_2_00B7A068

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x82 0x2E 0xEC

Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: #U00d6DEME DETAYLARI 170325.exe PID: 7948, type: MEMORYSTR

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	API/Special instruction interceptor: Address: 7FF84F7AD324
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	API/Special instruction interceptor: Address: 7FF84F7B0774
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	API/Special instruction interceptor: Address: 7FF84F7B0154
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	API/Special instruction interceptor: Address: 7FF84F7AD8A4
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	API/Special instruction interceptor: Address: 7FF84F7ADA44
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	API/Special instruction interceptor: Address: 7FF84F7AD1E4
Source: C:\Windows\SysWOW64\cmstp.exe	API/Special instruction interceptor: Address: 7FF84F7AD324
Source: C:\Windows\SysWOW64\cmstp.exe	API/Special instruction interceptor: Address: 7FF84F7B0774
Source: C:\Windows\SysWOW64\cmstp.exe	API/Special instruction interceptor: Address: 7FF84F7AD944
Source: C:\Windows\SysWOW64\cmstp.exe	API/Special instruction interceptor: Address: 7FF84F7AD504
Source: C:\Windows\SysWOW64\cmstp.exe	API/Special instruction interceptor: Address: 7FF84F7AD544
Source: C:\Windows\SysWOW64\cmstp.exe	API/Special instruction interceptor: Address: 7FF84F7AD1E4
Source: C:\Windows\SysWOW64\cmstp.exe	API/Special instruction interceptor: Address: 7FF84F7B0154
Source: C:\Windows\SysWOW64\cmstp.exe	API/Special instruction interceptor: Address: 7FF84F7AD8A4
Source: C:\Windows\SysWOW64\cmstp.exe	API/Special instruction interceptor: Address: 7FF84F7ADA44

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	RDTSC instruction interceptor: First address: 409B6E second address: 409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmstp.exe	RDTSC instruction interceptor: First address: 829904 second address: 82990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmstp.exe	RDTSC instruction interceptor: First address: 829B6E second address: 829B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Memory allocated: 1060000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Memory allocated: 2A50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Memory allocated: 4A50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Memory allocated: 91D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Memory allocated: 7BF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Memory allocated: A1D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Memory allocated: B1D0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe

Code function: 9_2_00409AA0 rdtsc

9_2_00409AA0

Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6135	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3611	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 4165	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 5755	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 876	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 868	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Window / User API: threadDelayed 785	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Window / User API: threadDelayed 9186	Jump to behavior

Source: C:\Windows\explorer.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_10-13964

Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	API coverage: 1.7 %
Source: C:\Windows\SysWOW64\cmstp.exe	API coverage: 1.5 %

Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe TID: 8044	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6776	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 3444	Thread sleep count: 4165 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 3444	Thread sleep time: -8330000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 3444	Thread sleep count: 5755 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 3444	Thread sleep time: -11510000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe TID: 6752	Thread sleep count: 785 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe TID: 6752	Thread sleep time: -1570000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe TID: 6752	Thread sleep count: 9186 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe TID: 6752	Thread sleep time: -18372000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS

Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem

Source: C:\Windows\SysWOW64\cmstp.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\cmstp.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_00B7B3C4 memset,GetPrivateProfileStringW,FindFirstFileW,memset,FindNextFileW,		11_2_00B7B3C4
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_00B7894B memset,memset,memset,SHGetFolderPathW,memset,SHGetFolderPathW,CmFree,memset,FindFirstFileW,GetLastError,memset,memset,FindNextFileW,FindClose,		11_2_00B7894B

Source: C:\Windows\SysWOW64\cmstp.exe

Code function: 11_2_00B7F80E GetSystemInfo,GetVersionExW,

11_2_00B7F80E

Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: explorer.exe, 0000000A.00000002.2558052578.0000000009866000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 0000000A.00000002.2558052578.0000000009716000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTcaVMWare
Source: #U00d6DEME DETAYLARI 170325.exe, 00000003.00000002.1305433507.0000000000DB4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000A.00000002.2554340937.0000000003160000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware Virtual RAM00000001VMW-4096MBRAM slot #0RAM slot #0
Source: explorer.exe, 0000000A.00000002.2558052578.000000000976E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2558052578.0000000009604000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1324844652.0000000009604000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1324844652.000000000976E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1324844652.0000000009716000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2558052578.0000000009716000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 0000000A.00000002.2554340937.0000000003160000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware Virtual RAM
Source: explorer.exe, 0000000A.00000002.2558052578.0000000009866000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: #U00d6DEME DETAYLARI 170325.exe, 00000003.00000002.1305433507.0000000000DB4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\|
Source: explorer.exe, 0000000A.00000000.1312936026.0000000000A28000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 0000000A.00000000.1312936026.0000000000A28000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
Source: explorer.exe, 0000000A.00000000.1324844652.000000000976E000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000A.00000000.1319193716.00000000071C7000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe

Code function: 9_2_00409AA0 rdtsc

9_2_00409AA0

Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe

Code function: 9_2_0040ACE0 LdrLoadDll,

9_2_0040ACE0

Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0107E10E mov eax, dword ptr fs:[00000030h]	9_2_0107E10E
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0107E10E mov ecx, dword ptr fs:[00000030h]	9_2_0107E10E
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0107E10E mov eax, dword ptr fs:[00000030h]	9_2_0107E10E
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0107E10E mov eax, dword ptr fs:[00000030h]	9_2_0107E10E
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0107E10E mov ecx, dword ptr fs:[00000030h]	9_2_0107E10E
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0107E10E mov eax, dword ptr fs:[00000030h]	9_2_0107E10E
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0107E10E mov eax, dword ptr fs:[00000030h]	9_2_0107E10E
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0107E10E mov ecx, dword ptr fs:[00000030h]	9_2_0107E10E
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0107E10E mov eax, dword ptr fs:[00000030h]	9_2_0107E10E
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0107E10E mov ecx, dword ptr fs:[00000030h]	9_2_0107E10E
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FCC0F0 mov eax, dword ptr fs:[00000030h]	9_2_00FCC0F0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FD80E9 mov eax, dword ptr fs:[00000030h]	9_2_00FD80E9
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01090115 mov eax, dword ptr fs:[00000030h]	9_2_01090115
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FCA0E3 mov ecx, dword ptr fs:[00000030h]	9_2_00FCA0E3
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0107A118 mov ecx, dword ptr fs:[00000030h]	9_2_0107A118
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0107A118 mov eax, dword ptr fs:[00000030h]	9_2_0107A118
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0107A118 mov eax, dword ptr fs:[00000030h]	9_2_0107A118
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0107A118 mov eax, dword ptr fs:[00000030h]	9_2_0107A118
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01000124 mov eax, dword ptr fs:[00000030h]	9_2_01000124
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01064144 mov eax, dword ptr fs:[00000030h]	9_2_01064144
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01064144 mov eax, dword ptr fs:[00000030h]	9_2_01064144
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01064144 mov ecx, dword ptr fs:[00000030h]	9_2_01064144
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01064144 mov eax, dword ptr fs:[00000030h]	9_2_01064144
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01064144 mov eax, dword ptr fs:[00000030h]	9_2_01064144
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01068158 mov eax, dword ptr fs:[00000030h]	9_2_01068158
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FD208A mov eax, dword ptr fs:[00000030h]	9_2_00FD208A
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0108C188 mov eax, dword ptr fs:[00000030h]	9_2_0108C188
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0108C188 mov eax, dword ptr fs:[00000030h]	9_2_0108C188
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01010185 mov eax, dword ptr fs:[00000030h]	9_2_01010185
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01074180 mov eax, dword ptr fs:[00000030h]	9_2_01074180
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01074180 mov eax, dword ptr fs:[00000030h]	9_2_01074180
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FFC073 mov eax, dword ptr fs:[00000030h]	9_2_00FFC073
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0105019F mov eax, dword ptr fs:[00000030h]	9_2_0105019F
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0105019F mov eax, dword ptr fs:[00000030h]	9_2_0105019F
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0105019F mov eax, dword ptr fs:[00000030h]	9_2_0105019F
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0105019F mov eax, dword ptr fs:[00000030h]	9_2_0105019F
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FD2050 mov eax, dword ptr fs:[00000030h]	9_2_00FD2050
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_010961C3 mov eax, dword ptr fs:[00000030h]	9_2_010961C3
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_010961C3 mov eax, dword ptr fs:[00000030h]	9_2_010961C3
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0104E1D0 mov eax, dword ptr fs:[00000030h]	9_2_0104E1D0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0104E1D0 mov eax, dword ptr fs:[00000030h]	9_2_0104E1D0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0104E1D0 mov ecx, dword ptr fs:[00000030h]	9_2_0104E1D0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0104E1D0 mov eax, dword ptr fs:[00000030h]	9_2_0104E1D0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0104E1D0 mov eax, dword ptr fs:[00000030h]	9_2_0104E1D0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FCA020 mov eax, dword ptr fs:[00000030h]	9_2_00FCA020
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FCC020 mov eax, dword ptr fs:[00000030h]	9_2_00FCC020
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FEE016 mov eax, dword ptr fs:[00000030h]	9_2_00FEE016
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FEE016 mov eax, dword ptr fs:[00000030h]	9_2_00FEE016
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FEE016 mov eax, dword ptr fs:[00000030h]	9_2_00FEE016
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FEE016 mov eax, dword ptr fs:[00000030h]	9_2_00FEE016
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_010A61E5 mov eax, dword ptr fs:[00000030h]	9_2_010A61E5
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_010001F8 mov eax, dword ptr fs:[00000030h]	9_2_010001F8
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01054000 mov ecx, dword ptr fs:[00000030h]	9_2_01054000
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01072000 mov eax, dword ptr fs:[00000030h]	9_2_01072000
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01072000 mov eax, dword ptr fs:[00000030h]	9_2_01072000
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01072000 mov eax, dword ptr fs:[00000030h]	9_2_01072000
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01072000 mov eax, dword ptr fs:[00000030h]	9_2_01072000
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01072000 mov eax, dword ptr fs:[00000030h]	9_2_01072000
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01072000 mov eax, dword ptr fs:[00000030h]	9_2_01072000
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01072000 mov eax, dword ptr fs:[00000030h]	9_2_01072000
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01072000 mov eax, dword ptr fs:[00000030h]	9_2_01072000
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01066030 mov eax, dword ptr fs:[00000030h]	9_2_01066030
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01056050 mov eax, dword ptr fs:[00000030h]	9_2_01056050
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FCA197 mov eax, dword ptr fs:[00000030h]	9_2_00FCA197
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FCA197 mov eax, dword ptr fs:[00000030h]	9_2_00FCA197
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FCA197 mov eax, dword ptr fs:[00000030h]	9_2_00FCA197
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FD6154 mov eax, dword ptr fs:[00000030h]	9_2_00FD6154
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FD6154 mov eax, dword ptr fs:[00000030h]	9_2_00FD6154
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FCC156 mov eax, dword ptr fs:[00000030h]	9_2_00FCC156
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_010680A8 mov eax, dword ptr fs:[00000030h]	9_2_010680A8
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_010960B8 mov eax, dword ptr fs:[00000030h]	9_2_010960B8
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_010960B8 mov ecx, dword ptr fs:[00000030h]	9_2_010960B8
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_010520DE mov eax, dword ptr fs:[00000030h]	9_2_010520DE
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_010560E0 mov eax, dword ptr fs:[00000030h]	9_2_010560E0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_010120F0 mov ecx, dword ptr fs:[00000030h]	9_2_010120F0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0100A30B mov eax, dword ptr fs:[00000030h]	9_2_0100A30B
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0100A30B mov eax, dword ptr fs:[00000030h]	9_2_0100A30B
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0100A30B mov eax, dword ptr fs:[00000030h]	9_2_0100A30B
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FE02E1 mov eax, dword ptr fs:[00000030h]	9_2_00FE02E1
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FE02E1 mov eax, dword ptr fs:[00000030h]	9_2_00FE02E1
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FE02E1 mov eax, dword ptr fs:[00000030h]	9_2_00FE02E1
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FDA2C3 mov eax, dword ptr fs:[00000030h]	9_2_00FDA2C3
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FDA2C3 mov eax, dword ptr fs:[00000030h]	9_2_00FDA2C3
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FDA2C3 mov eax, dword ptr fs:[00000030h]	9_2_00FDA2C3
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FDA2C3 mov eax, dword ptr fs:[00000030h]	9_2_00FDA2C3
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FDA2C3 mov eax, dword ptr fs:[00000030h]	9_2_00FDA2C3
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01052349 mov eax, dword ptr fs:[00000030h]	9_2_01052349
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01052349 mov eax, dword ptr fs:[00000030h]	9_2_01052349
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01052349 mov eax, dword ptr fs:[00000030h]	9_2_01052349
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01052349 mov eax, dword ptr fs:[00000030h]	9_2_01052349
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01052349 mov eax, dword ptr fs:[00000030h]	9_2_01052349
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01052349 mov eax, dword ptr fs:[00000030h]	9_2_01052349
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01052349 mov eax, dword ptr fs:[00000030h]	9_2_01052349
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01052349 mov eax, dword ptr fs:[00000030h]	9_2_01052349
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01052349 mov eax, dword ptr fs:[00000030h]	9_2_01052349
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01052349 mov eax, dword ptr fs:[00000030h]	9_2_01052349
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01052349 mov eax, dword ptr fs:[00000030h]	9_2_01052349
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01052349 mov eax, dword ptr fs:[00000030h]	9_2_01052349
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01052349 mov eax, dword ptr fs:[00000030h]	9_2_01052349
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01052349 mov eax, dword ptr fs:[00000030h]	9_2_01052349
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01052349 mov eax, dword ptr fs:[00000030h]	9_2_01052349
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01078350 mov ecx, dword ptr fs:[00000030h]	9_2_01078350
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0105035C mov eax, dword ptr fs:[00000030h]	9_2_0105035C
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0105035C mov eax, dword ptr fs:[00000030h]	9_2_0105035C
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0105035C mov eax, dword ptr fs:[00000030h]	9_2_0105035C
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0105035C mov ecx, dword ptr fs:[00000030h]	9_2_0105035C
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0105035C mov eax, dword ptr fs:[00000030h]	9_2_0105035C
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0105035C mov eax, dword ptr fs:[00000030h]	9_2_0105035C
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0109A352 mov eax, dword ptr fs:[00000030h]	9_2_0109A352
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FE02A0 mov eax, dword ptr fs:[00000030h]	9_2_00FE02A0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FE02A0 mov eax, dword ptr fs:[00000030h]	9_2_00FE02A0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0107437C mov eax, dword ptr fs:[00000030h]	9_2_0107437C
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FC826B mov eax, dword ptr fs:[00000030h]	9_2_00FC826B
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FD4260 mov eax, dword ptr fs:[00000030h]	9_2_00FD4260
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FD4260 mov eax, dword ptr fs:[00000030h]	9_2_00FD4260
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FD4260 mov eax, dword ptr fs:[00000030h]	9_2_00FD4260
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FD6259 mov eax, dword ptr fs:[00000030h]	9_2_00FD6259
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FCA250 mov eax, dword ptr fs:[00000030h]	9_2_00FCA250
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0108C3CD mov eax, dword ptr fs:[00000030h]	9_2_0108C3CD
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_010563C0 mov eax, dword ptr fs:[00000030h]	9_2_010563C0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FC823B mov eax, dword ptr fs:[00000030h]	9_2_00FC823B
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_010743D4 mov eax, dword ptr fs:[00000030h]	9_2_010743D4
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_010743D4 mov eax, dword ptr fs:[00000030h]	9_2_010743D4
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0107E3DB mov eax, dword ptr fs:[00000030h]	9_2_0107E3DB
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0107E3DB mov eax, dword ptr fs:[00000030h]	9_2_0107E3DB
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0107E3DB mov ecx, dword ptr fs:[00000030h]	9_2_0107E3DB
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0107E3DB mov eax, dword ptr fs:[00000030h]	9_2_0107E3DB
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_010063FF mov eax, dword ptr fs:[00000030h]	9_2_010063FF
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FEE3F0 mov eax, dword ptr fs:[00000030h]	9_2_00FEE3F0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FEE3F0 mov eax, dword ptr fs:[00000030h]	9_2_00FEE3F0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FEE3F0 mov eax, dword ptr fs:[00000030h]	9_2_00FEE3F0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FE03E9 mov eax, dword ptr fs:[00000030h]	9_2_00FE03E9
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FE03E9 mov eax, dword ptr fs:[00000030h]	9_2_00FE03E9
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FE03E9 mov eax, dword ptr fs:[00000030h]	9_2_00FE03E9
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FE03E9 mov eax, dword ptr fs:[00000030h]	9_2_00FE03E9
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FE03E9 mov eax, dword ptr fs:[00000030h]	9_2_00FE03E9
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FE03E9 mov eax, dword ptr fs:[00000030h]	9_2_00FE03E9
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FE03E9 mov eax, dword ptr fs:[00000030h]	9_2_00FE03E9
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FE03E9 mov eax, dword ptr fs:[00000030h]	9_2_00FE03E9
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FD83C0 mov eax, dword ptr fs:[00000030h]	9_2_00FD83C0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FD83C0 mov eax, dword ptr fs:[00000030h]	9_2_00FD83C0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FD83C0 mov eax, dword ptr fs:[00000030h]	9_2_00FD83C0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FD83C0 mov eax, dword ptr fs:[00000030h]	9_2_00FD83C0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FDA3C0 mov eax, dword ptr fs:[00000030h]	9_2_00FDA3C0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FDA3C0 mov eax, dword ptr fs:[00000030h]	9_2_00FDA3C0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FDA3C0 mov eax, dword ptr fs:[00000030h]	9_2_00FDA3C0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FDA3C0 mov eax, dword ptr fs:[00000030h]	9_2_00FDA3C0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FDA3C0 mov eax, dword ptr fs:[00000030h]	9_2_00FDA3C0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FDA3C0 mov eax, dword ptr fs:[00000030h]	9_2_00FDA3C0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01058243 mov eax, dword ptr fs:[00000030h]	9_2_01058243
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01058243 mov ecx, dword ptr fs:[00000030h]	9_2_01058243
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0108A250 mov eax, dword ptr fs:[00000030h]	9_2_0108A250
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0108A250 mov eax, dword ptr fs:[00000030h]	9_2_0108A250
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FC8397 mov eax, dword ptr fs:[00000030h]	9_2_00FC8397
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FC8397 mov eax, dword ptr fs:[00000030h]	9_2_00FC8397
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FC8397 mov eax, dword ptr fs:[00000030h]	9_2_00FC8397
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FF438F mov eax, dword ptr fs:[00000030h]	9_2_00FF438F
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FF438F mov eax, dword ptr fs:[00000030h]	9_2_00FF438F
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FCE388 mov eax, dword ptr fs:[00000030h]	9_2_00FCE388
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FCE388 mov eax, dword ptr fs:[00000030h]	9_2_00FCE388
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FCE388 mov eax, dword ptr fs:[00000030h]	9_2_00FCE388
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01080274 mov eax, dword ptr fs:[00000030h]	9_2_01080274
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01080274 mov eax, dword ptr fs:[00000030h]	9_2_01080274
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01080274 mov eax, dword ptr fs:[00000030h]	9_2_01080274
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01080274 mov eax, dword ptr fs:[00000030h]	9_2_01080274
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01080274 mov eax, dword ptr fs:[00000030h]	9_2_01080274
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01080274 mov eax, dword ptr fs:[00000030h]	9_2_01080274
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01080274 mov eax, dword ptr fs:[00000030h]	9_2_01080274
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01080274 mov eax, dword ptr fs:[00000030h]	9_2_01080274
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01080274 mov eax, dword ptr fs:[00000030h]	9_2_01080274
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01080274 mov eax, dword ptr fs:[00000030h]	9_2_01080274
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01080274 mov eax, dword ptr fs:[00000030h]	9_2_01080274
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01080274 mov eax, dword ptr fs:[00000030h]	9_2_01080274
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0100E284 mov eax, dword ptr fs:[00000030h]	9_2_0100E284
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0100E284 mov eax, dword ptr fs:[00000030h]	9_2_0100E284
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01050283 mov eax, dword ptr fs:[00000030h]	9_2_01050283
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01050283 mov eax, dword ptr fs:[00000030h]	9_2_01050283
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01050283 mov eax, dword ptr fs:[00000030h]	9_2_01050283
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_010662A0 mov eax, dword ptr fs:[00000030h]	9_2_010662A0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_010662A0 mov ecx, dword ptr fs:[00000030h]	9_2_010662A0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_010662A0 mov eax, dword ptr fs:[00000030h]	9_2_010662A0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_010662A0 mov eax, dword ptr fs:[00000030h]	9_2_010662A0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_010662A0 mov eax, dword ptr fs:[00000030h]	9_2_010662A0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_010662A0 mov eax, dword ptr fs:[00000030h]	9_2_010662A0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FCC310 mov ecx, dword ptr fs:[00000030h]	9_2_00FCC310
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FF0310 mov ecx, dword ptr fs:[00000030h]	9_2_00FF0310
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01066500 mov eax, dword ptr fs:[00000030h]	9_2_01066500
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_010A4500 mov eax, dword ptr fs:[00000030h]	9_2_010A4500
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_010A4500 mov eax, dword ptr fs:[00000030h]	9_2_010A4500
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_010A4500 mov eax, dword ptr fs:[00000030h]	9_2_010A4500
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_010A4500 mov eax, dword ptr fs:[00000030h]	9_2_010A4500
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_010A4500 mov eax, dword ptr fs:[00000030h]	9_2_010A4500
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_010A4500 mov eax, dword ptr fs:[00000030h]	9_2_010A4500
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_010A4500 mov eax, dword ptr fs:[00000030h]	9_2_010A4500
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FD04E5 mov ecx, dword ptr fs:[00000030h]	9_2_00FD04E5
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FD64AB mov eax, dword ptr fs:[00000030h]	9_2_00FD64AB
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0100656A mov eax, dword ptr fs:[00000030h]	9_2_0100656A
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0100656A mov eax, dword ptr fs:[00000030h]	9_2_0100656A
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0100656A mov eax, dword ptr fs:[00000030h]	9_2_0100656A
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01004588 mov eax, dword ptr fs:[00000030h]	9_2_01004588
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FFA470 mov eax, dword ptr fs:[00000030h]	9_2_00FFA470
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FFA470 mov eax, dword ptr fs:[00000030h]	9_2_00FFA470
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FFA470 mov eax, dword ptr fs:[00000030h]	9_2_00FFA470
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0100E59C mov eax, dword ptr fs:[00000030h]	9_2_0100E59C
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FC645D mov eax, dword ptr fs:[00000030h]	9_2_00FC645D
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_010505A7 mov eax, dword ptr fs:[00000030h]	9_2_010505A7
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_010505A7 mov eax, dword ptr fs:[00000030h]	9_2_010505A7
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_010505A7 mov eax, dword ptr fs:[00000030h]	9_2_010505A7
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FF245A mov eax, dword ptr fs:[00000030h]	9_2_00FF245A
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0100E5CF mov eax, dword ptr fs:[00000030h]	9_2_0100E5CF
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0100E5CF mov eax, dword ptr fs:[00000030h]	9_2_0100E5CF
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0100A5D0 mov eax, dword ptr fs:[00000030h]	9_2_0100A5D0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0100A5D0 mov eax, dword ptr fs:[00000030h]	9_2_0100A5D0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FCC427 mov eax, dword ptr fs:[00000030h]	9_2_00FCC427
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FCE420 mov eax, dword ptr fs:[00000030h]	9_2_00FCE420
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FCE420 mov eax, dword ptr fs:[00000030h]	9_2_00FCE420
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FCE420 mov eax, dword ptr fs:[00000030h]	9_2_00FCE420
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0100C5ED mov eax, dword ptr fs:[00000030h]	9_2_0100C5ED
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0100C5ED mov eax, dword ptr fs:[00000030h]	9_2_0100C5ED
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01008402 mov eax, dword ptr fs:[00000030h]	9_2_01008402
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01008402 mov eax, dword ptr fs:[00000030h]	9_2_01008402
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01008402 mov eax, dword ptr fs:[00000030h]	9_2_01008402
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FFE5E7 mov eax, dword ptr fs:[00000030h]	9_2_00FFE5E7
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FFE5E7 mov eax, dword ptr fs:[00000030h]	9_2_00FFE5E7
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FFE5E7 mov eax, dword ptr fs:[00000030h]	9_2_00FFE5E7
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FFE5E7 mov eax, dword ptr fs:[00000030h]	9_2_00FFE5E7
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FFE5E7 mov eax, dword ptr fs:[00000030h]	9_2_00FFE5E7
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FFE5E7 mov eax, dword ptr fs:[00000030h]	9_2_00FFE5E7
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FFE5E7 mov eax, dword ptr fs:[00000030h]	9_2_00FFE5E7
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FFE5E7 mov eax, dword ptr fs:[00000030h]	9_2_00FFE5E7
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FD25E0 mov eax, dword ptr fs:[00000030h]	9_2_00FD25E0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01056420 mov eax, dword ptr fs:[00000030h]	9_2_01056420
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01056420 mov eax, dword ptr fs:[00000030h]	9_2_01056420
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01056420 mov eax, dword ptr fs:[00000030h]	9_2_01056420
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01056420 mov eax, dword ptr fs:[00000030h]	9_2_01056420
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01056420 mov eax, dword ptr fs:[00000030h]	9_2_01056420
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01056420 mov eax, dword ptr fs:[00000030h]	9_2_01056420
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01056420 mov eax, dword ptr fs:[00000030h]	9_2_01056420
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FD65D0 mov eax, dword ptr fs:[00000030h]	9_2_00FD65D0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0100A430 mov eax, dword ptr fs:[00000030h]	9_2_0100A430
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0100E443 mov eax, dword ptr fs:[00000030h]	9_2_0100E443
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0100E443 mov eax, dword ptr fs:[00000030h]	9_2_0100E443
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0100E443 mov eax, dword ptr fs:[00000030h]	9_2_0100E443
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0100E443 mov eax, dword ptr fs:[00000030h]	9_2_0100E443
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0100E443 mov eax, dword ptr fs:[00000030h]	9_2_0100E443
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0100E443 mov eax, dword ptr fs:[00000030h]	9_2_0100E443
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0100E443 mov eax, dword ptr fs:[00000030h]	9_2_0100E443
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0100E443 mov eax, dword ptr fs:[00000030h]	9_2_0100E443
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FF45B1 mov eax, dword ptr fs:[00000030h]	9_2_00FF45B1
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FF45B1 mov eax, dword ptr fs:[00000030h]	9_2_00FF45B1
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0108A456 mov eax, dword ptr fs:[00000030h]	9_2_0108A456
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0105C460 mov ecx, dword ptr fs:[00000030h]	9_2_0105C460
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FD2582 mov eax, dword ptr fs:[00000030h]	9_2_00FD2582
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FD2582 mov ecx, dword ptr fs:[00000030h]	9_2_00FD2582
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0108A49A mov eax, dword ptr fs:[00000030h]	9_2_0108A49A
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FD8550 mov eax, dword ptr fs:[00000030h]	9_2_00FD8550
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FD8550 mov eax, dword ptr fs:[00000030h]	9_2_00FD8550
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_010044B0 mov ecx, dword ptr fs:[00000030h]	9_2_010044B0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0105A4B0 mov eax, dword ptr fs:[00000030h]	9_2_0105A4B0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FFE53E mov eax, dword ptr fs:[00000030h]	9_2_00FFE53E
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FFE53E mov eax, dword ptr fs:[00000030h]	9_2_00FFE53E
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FFE53E mov eax, dword ptr fs:[00000030h]	9_2_00FFE53E
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FFE53E mov eax, dword ptr fs:[00000030h]	9_2_00FFE53E
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FFE53E mov eax, dword ptr fs:[00000030h]	9_2_00FFE53E
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FE0535 mov eax, dword ptr fs:[00000030h]	9_2_00FE0535
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FE0535 mov eax, dword ptr fs:[00000030h]	9_2_00FE0535
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FE0535 mov eax, dword ptr fs:[00000030h]	9_2_00FE0535
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FE0535 mov eax, dword ptr fs:[00000030h]	9_2_00FE0535
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FE0535 mov eax, dword ptr fs:[00000030h]	9_2_00FE0535
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FE0535 mov eax, dword ptr fs:[00000030h]	9_2_00FE0535
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0100C700 mov eax, dword ptr fs:[00000030h]	9_2_0100C700
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01000710 mov eax, dword ptr fs:[00000030h]	9_2_01000710
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0100C720 mov eax, dword ptr fs:[00000030h]	9_2_0100C720
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0100C720 mov eax, dword ptr fs:[00000030h]	9_2_0100C720
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0104C730 mov eax, dword ptr fs:[00000030h]	9_2_0104C730
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0100273C mov eax, dword ptr fs:[00000030h]	9_2_0100273C
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0100273C mov ecx, dword ptr fs:[00000030h]	9_2_0100273C
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0100273C mov eax, dword ptr fs:[00000030h]	9_2_0100273C
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0100674D mov esi, dword ptr fs:[00000030h]	9_2_0100674D
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0100674D mov eax, dword ptr fs:[00000030h]	9_2_0100674D
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0100674D mov eax, dword ptr fs:[00000030h]	9_2_0100674D
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01054755 mov eax, dword ptr fs:[00000030h]	9_2_01054755
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01012750 mov eax, dword ptr fs:[00000030h]	9_2_01012750
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01012750 mov eax, dword ptr fs:[00000030h]	9_2_01012750
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0105E75D mov eax, dword ptr fs:[00000030h]	9_2_0105E75D
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FD4690 mov eax, dword ptr fs:[00000030h]	9_2_00FD4690
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FD4690 mov eax, dword ptr fs:[00000030h]	9_2_00FD4690
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0107678E mov eax, dword ptr fs:[00000030h]	9_2_0107678E
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_010847A0 mov eax, dword ptr fs:[00000030h]	9_2_010847A0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FEC640 mov eax, dword ptr fs:[00000030h]	9_2_00FEC640
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_010507C3 mov eax, dword ptr fs:[00000030h]	9_2_010507C3
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FD262C mov eax, dword ptr fs:[00000030h]	9_2_00FD262C
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FEE627 mov eax, dword ptr fs:[00000030h]	9_2_00FEE627
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0105E7E1 mov eax, dword ptr fs:[00000030h]	9_2_0105E7E1
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FE260B mov eax, dword ptr fs:[00000030h]	9_2_00FE260B
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FE260B mov eax, dword ptr fs:[00000030h]	9_2_00FE260B
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FE260B mov eax, dword ptr fs:[00000030h]	9_2_00FE260B
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FE260B mov eax, dword ptr fs:[00000030h]	9_2_00FE260B
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FE260B mov eax, dword ptr fs:[00000030h]	9_2_00FE260B
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FE260B mov eax, dword ptr fs:[00000030h]	9_2_00FE260B
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FE260B mov eax, dword ptr fs:[00000030h]	9_2_00FE260B
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FD47FB mov eax, dword ptr fs:[00000030h]	9_2_00FD47FB
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FD47FB mov eax, dword ptr fs:[00000030h]	9_2_00FD47FB
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0104E609 mov eax, dword ptr fs:[00000030h]	9_2_0104E609
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FF27ED mov eax, dword ptr fs:[00000030h]	9_2_00FF27ED
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FF27ED mov eax, dword ptr fs:[00000030h]	9_2_00FF27ED
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FF27ED mov eax, dword ptr fs:[00000030h]	9_2_00FF27ED
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01012619 mov eax, dword ptr fs:[00000030h]	9_2_01012619
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01006620 mov eax, dword ptr fs:[00000030h]	9_2_01006620
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01008620 mov eax, dword ptr fs:[00000030h]	9_2_01008620
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FDC7C0 mov eax, dword ptr fs:[00000030h]	9_2_00FDC7C0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FD07AF mov eax, dword ptr fs:[00000030h]	9_2_00FD07AF
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0100A660 mov eax, dword ptr fs:[00000030h]	9_2_0100A660
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0100A660 mov eax, dword ptr fs:[00000030h]	9_2_0100A660
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0109866E mov eax, dword ptr fs:[00000030h]	9_2_0109866E
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0109866E mov eax, dword ptr fs:[00000030h]	9_2_0109866E
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01002674 mov eax, dword ptr fs:[00000030h]	9_2_01002674
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FD8770 mov eax, dword ptr fs:[00000030h]	9_2_00FD8770
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FE0770 mov eax, dword ptr fs:[00000030h]	9_2_00FE0770
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FE0770 mov eax, dword ptr fs:[00000030h]	9_2_00FE0770
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FE0770 mov eax, dword ptr fs:[00000030h]	9_2_00FE0770
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FE0770 mov eax, dword ptr fs:[00000030h]	9_2_00FE0770
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FE0770 mov eax, dword ptr fs:[00000030h]	9_2_00FE0770
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FE0770 mov eax, dword ptr fs:[00000030h]	9_2_00FE0770
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FE0770 mov eax, dword ptr fs:[00000030h]	9_2_00FE0770
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FE0770 mov eax, dword ptr fs:[00000030h]	9_2_00FE0770
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FE0770 mov eax, dword ptr fs:[00000030h]	9_2_00FE0770
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FE0770 mov eax, dword ptr fs:[00000030h]	9_2_00FE0770
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FE0770 mov eax, dword ptr fs:[00000030h]	9_2_00FE0770
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FE0770 mov eax, dword ptr fs:[00000030h]	9_2_00FE0770
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0100C6A6 mov eax, dword ptr fs:[00000030h]	9_2_0100C6A6
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FD0750 mov eax, dword ptr fs:[00000030h]	9_2_00FD0750
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_010066B0 mov eax, dword ptr fs:[00000030h]	9_2_010066B0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0100A6C7 mov ebx, dword ptr fs:[00000030h]	9_2_0100A6C7
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0100A6C7 mov eax, dword ptr fs:[00000030h]	9_2_0100A6C7
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FD0710 mov eax, dword ptr fs:[00000030h]	9_2_00FD0710
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_010506F1 mov eax, dword ptr fs:[00000030h]	9_2_010506F1
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_010506F1 mov eax, dword ptr fs:[00000030h]	9_2_010506F1
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0104E6F2 mov eax, dword ptr fs:[00000030h]	9_2_0104E6F2
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0104E6F2 mov eax, dword ptr fs:[00000030h]	9_2_0104E6F2
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0104E6F2 mov eax, dword ptr fs:[00000030h]	9_2_0104E6F2
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0104E6F2 mov eax, dword ptr fs:[00000030h]	9_2_0104E6F2
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0104E908 mov eax, dword ptr fs:[00000030h]	9_2_0104E908
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0104E908 mov eax, dword ptr fs:[00000030h]	9_2_0104E908
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0105C912 mov eax, dword ptr fs:[00000030h]	9_2_0105C912
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0106892B mov eax, dword ptr fs:[00000030h]	9_2_0106892B
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0105892A mov eax, dword ptr fs:[00000030h]	9_2_0105892A
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FFE8C0 mov eax, dword ptr fs:[00000030h]	9_2_00FFE8C0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01050946 mov eax, dword ptr fs:[00000030h]	9_2_01050946
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0101096E mov eax, dword ptr fs:[00000030h]	9_2_0101096E
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0101096E mov edx, dword ptr fs:[00000030h]	9_2_0101096E
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0101096E mov eax, dword ptr fs:[00000030h]	9_2_0101096E
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0105C97C mov eax, dword ptr fs:[00000030h]	9_2_0105C97C
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FD0887 mov eax, dword ptr fs:[00000030h]	9_2_00FD0887
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01074978 mov eax, dword ptr fs:[00000030h]	9_2_01074978
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01074978 mov eax, dword ptr fs:[00000030h]	9_2_01074978
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FD4859 mov eax, dword ptr fs:[00000030h]	9_2_00FD4859
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FD4859 mov eax, dword ptr fs:[00000030h]	9_2_00FD4859
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_010589B3 mov esi, dword ptr fs:[00000030h]	9_2_010589B3
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_010589B3 mov eax, dword ptr fs:[00000030h]	9_2_010589B3
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_010589B3 mov eax, dword ptr fs:[00000030h]	9_2_010589B3
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FE2840 mov ecx, dword ptr fs:[00000030h]	9_2_00FE2840
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_010669C0 mov eax, dword ptr fs:[00000030h]	9_2_010669C0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FF2835 mov eax, dword ptr fs:[00000030h]	9_2_00FF2835
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FF2835 mov eax, dword ptr fs:[00000030h]	9_2_00FF2835
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FF2835 mov eax, dword ptr fs:[00000030h]	9_2_00FF2835
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FF2835 mov ecx, dword ptr fs:[00000030h]	9_2_00FF2835
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FF2835 mov eax, dword ptr fs:[00000030h]	9_2_00FF2835
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FF2835 mov eax, dword ptr fs:[00000030h]	9_2_00FF2835
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_010049D0 mov eax, dword ptr fs:[00000030h]	9_2_010049D0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0109A9D3 mov eax, dword ptr fs:[00000030h]	9_2_0109A9D3
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0105E9E0 mov eax, dword ptr fs:[00000030h]	9_2_0105E9E0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_010029F9 mov eax, dword ptr fs:[00000030h]	9_2_010029F9
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_010029F9 mov eax, dword ptr fs:[00000030h]	9_2_010029F9
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0105C810 mov eax, dword ptr fs:[00000030h]	9_2_0105C810
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FDA9D0 mov eax, dword ptr fs:[00000030h]	9_2_00FDA9D0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FDA9D0 mov eax, dword ptr fs:[00000030h]	9_2_00FDA9D0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FDA9D0 mov eax, dword ptr fs:[00000030h]	9_2_00FDA9D0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FDA9D0 mov eax, dword ptr fs:[00000030h]	9_2_00FDA9D0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FDA9D0 mov eax, dword ptr fs:[00000030h]	9_2_00FDA9D0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FDA9D0 mov eax, dword ptr fs:[00000030h]	9_2_00FDA9D0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0100A830 mov eax, dword ptr fs:[00000030h]	9_2_0100A830
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0107483A mov eax, dword ptr fs:[00000030h]	9_2_0107483A
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0107483A mov eax, dword ptr fs:[00000030h]	9_2_0107483A
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FD09AD mov eax, dword ptr fs:[00000030h]	9_2_00FD09AD
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FD09AD mov eax, dword ptr fs:[00000030h]	9_2_00FD09AD
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01000854 mov eax, dword ptr fs:[00000030h]	9_2_01000854
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FE29A0 mov eax, dword ptr fs:[00000030h]	9_2_00FE29A0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FE29A0 mov eax, dword ptr fs:[00000030h]	9_2_00FE29A0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FE29A0 mov eax, dword ptr fs:[00000030h]	9_2_00FE29A0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FE29A0 mov eax, dword ptr fs:[00000030h]	9_2_00FE29A0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FE29A0 mov eax, dword ptr fs:[00000030h]	9_2_00FE29A0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FE29A0 mov eax, dword ptr fs:[00000030h]	9_2_00FE29A0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FE29A0 mov eax, dword ptr fs:[00000030h]	9_2_00FE29A0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FE29A0 mov eax, dword ptr fs:[00000030h]	9_2_00FE29A0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FE29A0 mov eax, dword ptr fs:[00000030h]	9_2_00FE29A0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FE29A0 mov eax, dword ptr fs:[00000030h]	9_2_00FE29A0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FE29A0 mov eax, dword ptr fs:[00000030h]	9_2_00FE29A0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FE29A0 mov eax, dword ptr fs:[00000030h]	9_2_00FE29A0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FE29A0 mov eax, dword ptr fs:[00000030h]	9_2_00FE29A0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01066870 mov eax, dword ptr fs:[00000030h]	9_2_01066870
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01066870 mov eax, dword ptr fs:[00000030h]	9_2_01066870
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0105E872 mov eax, dword ptr fs:[00000030h]	9_2_0105E872
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0105E872 mov eax, dword ptr fs:[00000030h]	9_2_0105E872
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0105C89D mov eax, dword ptr fs:[00000030h]	9_2_0105C89D
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FF6962 mov eax, dword ptr fs:[00000030h]	9_2_00FF6962
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FF6962 mov eax, dword ptr fs:[00000030h]	9_2_00FF6962
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FF6962 mov eax, dword ptr fs:[00000030h]	9_2_00FF6962
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FC8918 mov eax, dword ptr fs:[00000030h]	9_2_00FC8918
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FC8918 mov eax, dword ptr fs:[00000030h]	9_2_00FC8918
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0109A8E4 mov eax, dword ptr fs:[00000030h]	9_2_0109A8E4
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0100C8F9 mov eax, dword ptr fs:[00000030h]	9_2_0100C8F9
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0100C8F9 mov eax, dword ptr fs:[00000030h]	9_2_0100C8F9
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0104EB1D mov eax, dword ptr fs:[00000030h]	9_2_0104EB1D
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0104EB1D mov eax, dword ptr fs:[00000030h]	9_2_0104EB1D
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0104EB1D mov eax, dword ptr fs:[00000030h]	9_2_0104EB1D
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0104EB1D mov eax, dword ptr fs:[00000030h]	9_2_0104EB1D
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0104EB1D mov eax, dword ptr fs:[00000030h]	9_2_0104EB1D
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0104EB1D mov eax, dword ptr fs:[00000030h]	9_2_0104EB1D
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0104EB1D mov eax, dword ptr fs:[00000030h]	9_2_0104EB1D
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0104EB1D mov eax, dword ptr fs:[00000030h]	9_2_0104EB1D
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0104EB1D mov eax, dword ptr fs:[00000030h]	9_2_0104EB1D
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01098B28 mov eax, dword ptr fs:[00000030h]	9_2_01098B28
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01098B28 mov eax, dword ptr fs:[00000030h]	9_2_01098B28
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FD0AD0 mov eax, dword ptr fs:[00000030h]	9_2_00FD0AD0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01084B4B mov eax, dword ptr fs:[00000030h]	9_2_01084B4B
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01084B4B mov eax, dword ptr fs:[00000030h]	9_2_01084B4B
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01078B42 mov eax, dword ptr fs:[00000030h]	9_2_01078B42
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01066B40 mov eax, dword ptr fs:[00000030h]	9_2_01066B40
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01066B40 mov eax, dword ptr fs:[00000030h]	9_2_01066B40
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0109AB40 mov eax, dword ptr fs:[00000030h]	9_2_0109AB40
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0107EB50 mov eax, dword ptr fs:[00000030h]	9_2_0107EB50
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FD8AA0 mov eax, dword ptr fs:[00000030h]	9_2_00FD8AA0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FD8AA0 mov eax, dword ptr fs:[00000030h]	9_2_00FD8AA0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FDEA80 mov eax, dword ptr fs:[00000030h]	9_2_00FDEA80
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FDEA80 mov eax, dword ptr fs:[00000030h]	9_2_00FDEA80
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FDEA80 mov eax, dword ptr fs:[00000030h]	9_2_00FDEA80
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FDEA80 mov eax, dword ptr fs:[00000030h]	9_2_00FDEA80
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FDEA80 mov eax, dword ptr fs:[00000030h]	9_2_00FDEA80
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FDEA80 mov eax, dword ptr fs:[00000030h]	9_2_00FDEA80
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FDEA80 mov eax, dword ptr fs:[00000030h]	9_2_00FDEA80
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FDEA80 mov eax, dword ptr fs:[00000030h]	9_2_00FDEA80
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FDEA80 mov eax, dword ptr fs:[00000030h]	9_2_00FDEA80
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FE0A5B mov eax, dword ptr fs:[00000030h]	9_2_00FE0A5B
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FE0A5B mov eax, dword ptr fs:[00000030h]	9_2_00FE0A5B
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FD6A50 mov eax, dword ptr fs:[00000030h]	9_2_00FD6A50
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FD6A50 mov eax, dword ptr fs:[00000030h]	9_2_00FD6A50
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FD6A50 mov eax, dword ptr fs:[00000030h]	9_2_00FD6A50
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FD6A50 mov eax, dword ptr fs:[00000030h]	9_2_00FD6A50
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FD6A50 mov eax, dword ptr fs:[00000030h]	9_2_00FD6A50
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FD6A50 mov eax, dword ptr fs:[00000030h]	9_2_00FD6A50
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FD6A50 mov eax, dword ptr fs:[00000030h]	9_2_00FD6A50
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01084BB0 mov eax, dword ptr fs:[00000030h]	9_2_01084BB0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01084BB0 mov eax, dword ptr fs:[00000030h]	9_2_01084BB0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FF4A35 mov eax, dword ptr fs:[00000030h]	9_2_00FF4A35
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FF4A35 mov eax, dword ptr fs:[00000030h]	9_2_00FF4A35
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FFEA2E mov eax, dword ptr fs:[00000030h]	9_2_00FFEA2E
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0107EBD0 mov eax, dword ptr fs:[00000030h]	9_2_0107EBD0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0105CBF0 mov eax, dword ptr fs:[00000030h]	9_2_0105CBF0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FFEBFC mov eax, dword ptr fs:[00000030h]	9_2_00FFEBFC
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FD8BF0 mov eax, dword ptr fs:[00000030h]	9_2_00FD8BF0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FD8BF0 mov eax, dword ptr fs:[00000030h]	9_2_00FD8BF0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FD8BF0 mov eax, dword ptr fs:[00000030h]	9_2_00FD8BF0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0105CA11 mov eax, dword ptr fs:[00000030h]	9_2_0105CA11
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0100CA24 mov eax, dword ptr fs:[00000030h]	9_2_0100CA24
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FD0BCD mov eax, dword ptr fs:[00000030h]	9_2_00FD0BCD
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FD0BCD mov eax, dword ptr fs:[00000030h]	9_2_00FD0BCD
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FD0BCD mov eax, dword ptr fs:[00000030h]	9_2_00FD0BCD
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FF0BCB mov eax, dword ptr fs:[00000030h]	9_2_00FF0BCB
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FF0BCB mov eax, dword ptr fs:[00000030h]	9_2_00FF0BCB
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FF0BCB mov eax, dword ptr fs:[00000030h]	9_2_00FF0BCB
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0100CA38 mov eax, dword ptr fs:[00000030h]	9_2_0100CA38
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FE0BBE mov eax, dword ptr fs:[00000030h]	9_2_00FE0BBE
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FE0BBE mov eax, dword ptr fs:[00000030h]	9_2_00FE0BBE
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0107EA60 mov eax, dword ptr fs:[00000030h]	9_2_0107EA60
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0100CA6F mov eax, dword ptr fs:[00000030h]	9_2_0100CA6F
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0100CA6F mov eax, dword ptr fs:[00000030h]	9_2_0100CA6F
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0100CA6F mov eax, dword ptr fs:[00000030h]	9_2_0100CA6F
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0104CA72 mov eax, dword ptr fs:[00000030h]	9_2_0104CA72
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0104CA72 mov eax, dword ptr fs:[00000030h]	9_2_0104CA72
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FCCB7E mov eax, dword ptr fs:[00000030h]	9_2_00FCCB7E
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_010A4A80 mov eax, dword ptr fs:[00000030h]	9_2_010A4A80
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01008A90 mov edx, dword ptr fs:[00000030h]	9_2_01008A90
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01026AA4 mov eax, dword ptr fs:[00000030h]	9_2_01026AA4
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01026ACC mov eax, dword ptr fs:[00000030h]	9_2_01026ACC
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01026ACC mov eax, dword ptr fs:[00000030h]	9_2_01026ACC
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01026ACC mov eax, dword ptr fs:[00000030h]	9_2_01026ACC
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01004AD0 mov eax, dword ptr fs:[00000030h]	9_2_01004AD0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01004AD0 mov eax, dword ptr fs:[00000030h]	9_2_01004AD0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FFEB20 mov eax, dword ptr fs:[00000030h]	9_2_00FFEB20
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FFEB20 mov eax, dword ptr fs:[00000030h]	9_2_00FFEB20
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0100AAEE mov eax, dword ptr fs:[00000030h]	9_2_0100AAEE
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_0100AAEE mov eax, dword ptr fs:[00000030h]	9_2_0100AAEE
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01088D10 mov eax, dword ptr fs:[00000030h]	9_2_01088D10
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01088D10 mov eax, dword ptr fs:[00000030h]	9_2_01088D10
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01004D1D mov eax, dword ptr fs:[00000030h]	9_2_01004D1D
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_01058D20 mov eax, dword ptr fs:[00000030h]	9_2_01058D20
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FCCCC8 mov eax, dword ptr fs:[00000030h]	9_2_00FCCCC8
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FF8CB1 mov eax, dword ptr fs:[00000030h]	9_2_00FF8CB1
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Code function: 9_2_00FF8CB1 mov eax, dword ptr fs:[00000030h]	9_2_00FF8CB1

Source: C:\Windows\SysWOW64\cmstp.exe

Code function: 11_2_00B80FE7 GetProcessHeap,HeapAlloc,GetLastError,GetProcessHeap,HeapFree,

11_2_00B80FE7

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_00B814D0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		11_2_00B814D0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 11_2_00B81720 SetUnhandledExceptionFilter,		11_2_00B81720

Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe

Network Connect: 13.248.169.48 80

Jump to behavior

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe"
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe"			Jump to behavior

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	NtQueueApcThread: Indirect: 0xDCA4F2			Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	NtClose: Indirect: 0xDCA56C

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe

Memory written: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe base: 400000 value starts with: 4D5A

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmstp.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmstp.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Thread register set: target process: 3084			Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Thread register set: target process: 3084			Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe

Section unmapped: C:\Windows\SysWOW64\cmstp.exe base address: B70000

Jump to behavior

Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe"	Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Process created: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe "C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe"	Jump to behavior

Source: C:\Windows\SysWOW64\cmstp.exe

Code function: 11_2_00B78DB2 AllocateAndInitializeSid,GetModuleHandleA,LoadLibraryExA,GetProcAddress,FreeSid,FreeLibrary,

11_2_00B78DB2

Source: explorer.exe, 0000000A.00000000.1316169278.00000000011A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000002.2553471704.00000000011A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 0000000A.00000000.1318890344.0000000004630000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1316169278.00000000011A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000002.2553471704.00000000011A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000A.00000000.1316169278.00000000011A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000002.2553471704.00000000011A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 0000000A.00000002.2552370081.0000000000A20000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1312936026.0000000000A28000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 0000000A.00000000.1316169278.00000000011A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000002.2553471704.00000000011A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 0000000A.00000000.1324844652.0000000009895000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2558052578.0000000009866000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd*

Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Queries volume information: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\cmstp.exe

Code function: 11_2_00B81945 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

11_2_00B81945

Source: C:\Windows\SysWOW64\cmstp.exe

Code function: 11_2_00B7F80E GetSystemInfo,GetVersionExW,

11_2_00B7F80E

Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI 170325.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 9.2.#U00d6DEME DETAYLARI 170325.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.#U00d6DEME DETAYLARI 170325.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.2553090331.0000000004560000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2551980400.0000000000820000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1382937942.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2552999766.0000000004530000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1315912461.0000000003A59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 9.2.#U00d6DEME DETAYLARI 170325.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.#U00d6DEME DETAYLARI 170325.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.2553090331.0000000004560000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2551980400.0000000000820000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1382937942.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2552999766.0000000004530000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1315912461.0000000003A59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Windows Management Instrumentation	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	11 Disable or Modify Tools	1 Credential API Hooking	1 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Shared Modules	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	2 File and Directory Discovery	Remote Desktop Protocol	1 Credential API Hooking	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	3 Command and Scripting Interpreter	Logon Script (Windows)	1 Access Token Manipulation	1 Abuse Elevation Control Mechanism	Security Account Manager	235 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	612 Process Injection	4 Obfuscated Files or Information	NTDS	241 Security Software Discovery	Distributed Component Object Model	Input Capture	12 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	12 Software Packing	LSA Secrets	2 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Timestomp	Cached Domain Credentials	51 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Rootkit	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Masquerading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	51 Virtualization/Sandbox Evasion	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	1 Access Token Manipulation	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	612 Process Injection	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report #U00d6DEME DETAYLARI 170325.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: FormBook

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
#U00d6DEME DETAYLARI 170325.exe