
Analysis Report Ticari Hesap #U00d6zetiniz_pdf.exe

Overview

General Information

Sample Name: Ticari Hesap #U00d6zetiniz_pdf.exe
Analysis ID: 289563
MD5: 4a3adf56a1c218667fb211f32b7f69f0
SHA1: c0b4b89bc56ebebd065143706c5151acb4dc273b
SHA256: ce81c9965b8852eee4df2bd7cc77cf589554943fa47766d07bd8bae6d16d7ce3

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Yara detected AgentTesla
Yara detected AntiVM_3
.NET source code contains potential unpacker
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses netsh to modify the Windows network and firewall settings
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Startup

  • System is w10x64
  • Ticari Hesap #U00d6zetiniz_pdf.exe (PID: 6916 cmdline: 'C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe' MD5: 4A3ADF56A1C218667FB211F32B7F69F0)
    • Ticari Hesap #U00d6zetiniz_pdf.exe (PID: 6972 cmdline: {path} MD5: 4A3ADF56A1C218667FB211F32B7F69F0)
      • netsh.exe (PID: 6492 cmdline: 'netsh' wlan show profile MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
        • conhost.exe (PID: 2992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "hPcvgbMjrX", "URL: ": "https://GSzQt0QycpXONkfqg.com", "To: ": "noekons@gmail.com", "ByHost: ": "mail.hospitalveterinariosur.com:587", "Password: ": "VZobWjcR", "From: ": "info@hospitalveterinariosur.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.469988690.000000000316C000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000001.00000002.469988690.000000000316C000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000001.00000002.471164209.00000000032D3000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.222253615.000000000388A000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000001.00000002.466432929.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.Ticari Hesap #U00d6zetiniz_pdf.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Sigma Overview

System Summary:

Sigma detected: Capture Wi-Fi password
Source: Process started
Author: Joe Security
Data:
  Command: 'netsh' wlan show profile
  CommandLine: 'netsh' wlan show profile
  CommandLine|base64offset|contains: V
  Image: C:\Windows\SysWOW64\netsh.exe
  NewProcessName: C:\Windows\SysWOW64\netsh.exe
  OriginalFileName: C:\Windows\SysWOW64\netsh.exe
  ParentCommandLine: {path}
  ParentImage: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe
  ParentProcessId: 6972
  ProcessCommandLine: 'netsh' wlan show profile
  ProcessId: 6492

Signature Overview

AV Detection:

Found malware configuration
Source: Ticari Hesap #U00d6zetiniz_pdf.exe.6972.1.memstr; Malware Configuration Extractor: Agenttesla {"Username: ": "hPcvgbMjrX", "URL: ": "https://GSzQt0QycpXONkfqg.com", "To: ": "noekons@gmail.com", "ByHost: ": "mail.hospitalveterinariosur.com:587", "Password: ": "VZobWjcR", "From: ": "info@hospitalveterinariosur.com"}

Multi AV Scanner detection for submitted file
Source: Ticari Hesap #U00d6zetiniz_pdf.exe; Virustotal: Detection: 68%

Machine Learning detection for sample
Source: Ticari Hesap #U00d6zetiniz_pdf.exe; Joe Sandbox ML: detected

Source: 1.2.Ticari Hesap #U00d6zetiniz_pdf.exe.400000.0.unpack; Avira: Label: TR/Spy.Gen8
Source: global traffic; TCP traffic: 192.168.2.4:49728 -> 78.142.63.55:587
Source: Joe Sandbox View; IP Address: 78.142.63.55
Source: Joe Sandbox View; ASN Name: TELEPOINTBG
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe; Code function: 1_2_011BA186 recv, 1_2_011BA186
Source: unknown; DNS traffic detected: queries for: mail.hospitalveterinariosur.com

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample; Static PE information: Filename: Ticari Hesap #U00d6zetiniz_pdf.exe
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exeSection loaded: security.dllJump to behavior
              Source: Ticari Hesap #U00d6zetiniz_pdf.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@6/1@1/1
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exeCode function: 0_2_06B603AE AdjustTokenPrivileges,0_2_06B603AE
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exeCode function: 0_2_06B60377 AdjustTokenPrivileges,0_2_06B60377
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exeCode function: 1_2_011BB1E6 AdjustTokenPrivileges,1_2_011BB1E6
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exeCode function: 1_2_011BB1AF AdjustTokenPrivileges,1_2_011BB1AF
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Ticari Hesap #U00d6zetiniz_pdf.exe.logJump to behavior
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2992:120:WilError_01
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: Ticari Hesap #U00d6zetiniz_pdf.exe | Virustotal: Detection: 68%
Source: unknown | Process created: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe 'C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe'
Source: unknown | Process created: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe {path}
Source: unknown | Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe | Process created: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe {path}
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe | Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Ticari Hesap #U00d6zetiniz_pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: Ticari Hesap #U00d6zetiniz_pdf.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: mscorrc.pdb | source: Ticari Hesap #U00d6zetiniz_pdf.exe, 00000000.00000002.225150450.0000000006800000.00000002.00000001.sdmp, Ticari Hesap #U00d6zetiniz_pdf.exe, 00000001.00000002.472795637.0000000005FA0000.00000002.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker
Source: Ticari Hesap #U00d6zetiniz_pdf.exe, CultureSet.cs | .Net Code: ZAQ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.Ticari Hesap #U00d6zetiniz_pdf.exe.10000.0.unpack, CultureSet.cs | .Net Code: ZAQ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.Ticari Hesap #U00d6zetiniz_pdf.exe.10000.0.unpack, CultureSet.cs | .Net Code: ZAQ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.Ticari Hesap #U00d6zetiniz_pdf.exe.a60000.0.unpack, CultureSet.cs | .Net Code: ZAQ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.Ticari Hesap #U00d6zetiniz_pdf.exe.a60000.1.unpack, CultureSet.cs | .Net Code: ZAQ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe | Code function: 0_2_048540E5 push esi; iretd 0_2_048540E6
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe | Code function: 0_2_04859062 push ds; ret 0_2_04859063
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe | Code function: 1_2_053F15EA push cs; ret 1_2_053F15EB
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe | Code function: 1_2_053F19E4 push es; iretd 1_2_053F19E7
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe | Code function: 1_2_053F19D4 push ss; iretd 1_2_053F19D7
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe | Code function: 1_2_053FB379 push esp; retf 1_2_053FB37B
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe | Code function: 1_2_05CF1F8B push ds; iretd 1_2_05CF1F8E
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe | Code function: 1_2_05CF1780 push ss; iretd 1_2_05CF1782
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe | Code function: 1_2_05CF1F90 push ds; iretd 1_2_05CF1F92
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe | Code function: 1_2_05CF077B push es; iretd 1_2_05CF077E
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe | Code function: 1_2_05CF177B push ss; iretd 1_2_05CF177E
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe | Code function: 1_2_05CF0F77 push cs; iretd 1_2_05CF0F7A
Source: initial sample | Static PE information: section name: .text entropy: 7.90317075134
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match | File source: Process Memory Space: Ticari Hesap #U00d6zetiniz_pdf.exe PID: 6916, type: MEMORY
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Ticari Hesap #U00d6zetiniz_pdf.exe, 00000000.00000002.220798552.0000000002A80000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: Ticari Hesap #U00d6zetiniz_pdf.exe, 00000000.00000002.220798552.0000000002A80000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6920 | Thread sleep time: -33000s >= -30000s
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6936 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228 | Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228 | Thread sleep time: -89673s >= -30000s
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228 | Thread sleep time: -59594s >= -30000s
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228 | Thread sleep time: -59376s >= -30000s
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228 | Thread sleep time: -88641s >= -30000s
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228 | Thread sleep time: -117752s >= -30000s
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228 | Thread sleep time: -58688s >= -30000s
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228 | Thread sleep time: -87750s >= -30000s
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228 | Thread sleep time: -58282s >= -30000s
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228 | Thread sleep time: -58000s >= -30000s
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228 | Thread sleep time: -115564s >= -30000s
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228 | Thread sleep time: -86391s >= -30000s
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228 | Thread sleep time: -86064s >= -30000s
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228 | Thread sleep time: -85032s >= -30000s
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228 | Thread sleep time: -113000s >= -30000s
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228 | Thread sleep time: -84423s >= -30000s
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228 | Thread sleep time: -111188s >= -30000s
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228 | Thread sleep time: -110752s >= -30000s
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228 | Thread sleep time: -82782s >= -30000s
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228 | Thread sleep time: -55000s >= -30000s
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228 | Thread sleep time: -109000s >= -30000s
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228 | Thread sleep time: -108564s >= -30000s
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228 | Thread sleep time: -54094s >= -30000s
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228 | Thread sleep time: -53876s >= -30000s
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228 | Thread sleep time: -79782s >= -30000s
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228 | Thread sleep time: -79500s >= -30000s
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228 | Thread sleep time: -52782s >= -30000s
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228 | Thread sleep time: -78141s >= -30000s
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228 | Thread sleep time: -51876s >= -30000s
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228 | Thread sleep time: -77532s >= -30000s
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228 | Thread sleep time: -77250s >= -30000s
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228 | Thread sleep time: -76500s >= -30000s
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228 | Thread sleep time: -76173s >= -30000s
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228 | Thread sleep time: -50594s >= -30000s
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228 | Thread sleep time: -75564s >= -30000s
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228 | Thread sleep time: -74532s >= -30000s
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228 | Thread sleep time: -99000s >= -30000s
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228 | Thread sleep time: -73923s >= -30000s
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228 | Thread sleep time: -72891s >= -30000s
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228 | Thread sleep time: -96752s >= -30000s
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228 | Thread sleep time: -72282s >= -30000s
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228 | Thread sleep time: -48000s >= -30000s
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228 | Thread sleep time: -95000s >= -30000s
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228 | Thread sleep time: -70923s >= -30000s
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228 | Thread sleep time: -70641s >= -30000s
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228 | Thread sleep time: -70314s >= -30000s
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228 | Thread sleep time: -69282s >= -30000s
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228 | Thread sleep time: -69000s >= -30000s
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228 | Thread sleep time: -67641s >= -30000s
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228 | Thread sleep time: -67314s >= -30000s
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228 | Thread sleep time: -44688s >= -30000s
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228 | Thread sleep time: -44500s >= -30000s
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228 | Thread sleep time: -88000s >= -30000s
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228 | Thread sleep time: -43782s >= -30000s
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228 | Thread sleep time: -43376s >= -30000s
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228 | Thread sleep time: -42688s >= -30000s
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228 | Thread sleep time: -42282s >= -30000s
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228 | Thread sleep time: -41594s >= -30000s
Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228 | Thread sleep time: -62064s >= -30000s
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228Thread sleep time: -41188s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228Thread sleep time: -41000s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228Thread sleep time: -40500s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228Thread sleep time: -60423s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228Thread sleep time: -40094s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228Thread sleep time: -58782s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228Thread sleep time: -58500s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228Thread sleep time: -38782s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228Thread sleep time: -57141s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228Thread sleep time: -56814s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228Thread sleep time: -74000s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228Thread sleep time: -55173s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228Thread sleep time: -36594s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228Thread sleep time: -35688s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228Thread sleep time: -53250s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228Thread sleep time: -51891s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228Thread sleep time: -34376s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228Thread sleep time: -34188s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228Thread sleep time: -34000s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228Thread sleep time: -50250s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228Thread sleep time: -33282s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228Thread sleep time: -32188s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228Thread sleep time: -48000s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228Thread sleep time: -46641s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228Thread sleep time: -46314s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228Thread sleep time: -45000s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228Thread sleep time: -44673s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228Thread sleep time: -43032s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228Thread sleep time: -42750s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228Thread sleep time: -41064s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228Thread sleep time: -39750s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228Thread sleep time: -39423s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228Thread sleep time: -37782s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228Thread sleep time: -59500s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228Thread sleep time: -85314s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228Thread sleep time: -56000s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228Thread sleep time: -83673s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228Thread sleep time: -54688s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228Thread sleep time: -80391s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228Thread sleep time: -80064s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228Thread sleep time: -78750s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228Thread sleep time: -78423s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228Thread sleep time: -76782s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228Thread sleep time: -75141s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228Thread sleep time: -49876s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228Thread sleep time: -49000s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228Thread sleep time: -48782s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228Thread sleep time: -47688s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228Thread sleep time: -69564s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228Thread sleep time: -68250s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228Thread sleep time: -67923s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228Thread sleep time: -66282s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228Thread sleep time: -43500s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228Thread sleep time: -43282s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228Thread sleep time: -64641s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228Thread sleep time: -42876s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228Thread sleep time: -42188s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228Thread sleep time: -42000s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228Thread sleep time: -41782s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228Thread sleep time: -41094s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228Thread sleep time: -40876s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228Thread sleep time: -40688s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228Thread sleep time: -40000s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228Thread sleep time: -59391s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228Thread sleep time: -39376s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228Thread sleep time: -38500s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228Thread sleep time: -57423s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228Thread sleep time: -37376s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228Thread sleep time: -55782s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228Thread sleep time: -36282s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228Thread sleep time: -54141s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228Thread sleep time: -53814s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228Thread sleep time: -35188s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228Thread sleep time: -52500s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228Thread sleep time: -52173s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228Thread sleep time: -34094s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228Thread sleep time: -33876s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228Thread sleep time: -33688s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228Thread sleep time: -49500s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228Thread sleep time: -49173s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228Thread sleep time: -48891s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228Thread sleep time: -47532s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228Thread sleep time: -31500s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228Thread sleep time: -30594s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exe TID: 6228Thread sleep time: -30376s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exeLast function: Thread delayed
              Source: Ticari Hesap #U00d6zetiniz_pdf.exe, 00000001.00000002.472341182.00000000055D0000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
              Source: Ticari Hesap #U00d6zetiniz_pdf.exe, 00000000.00000002.220798552.0000000002A80000.00000004.00000001.sdmpBinary or memory string: vmware
              Source: Ticari Hesap #U00d6zetiniz_pdf.exe, 00000000.00000002.220798552.0000000002A80000.00000004.00000001.sdmpBinary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
              Source: Ticari Hesap #U00d6zetiniz_pdf.exe, 00000000.00000002.220798552.0000000002A80000.00000004.00000001.sdmpBinary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
              Source: Ticari Hesap #U00d6zetiniz_pdf.exe, 00000001.00000002.467671408.00000000010D2000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW
              Source: Ticari Hesap #U00d6zetiniz_pdf.exe, 00000000.00000002.220798552.0000000002A80000.00000004.00000001.sdmpBinary or memory string: VMWARE
              Source: Ticari Hesap #U00d6zetiniz_pdf.exe, 00000000.00000002.220798552.0000000002A80000.00000004.00000001.sdmpBinary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
              Source: Ticari Hesap #U00d6zetiniz_pdf.exe, 00000001.00000002.472341182.00000000055D0000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
              Source: Ticari Hesap #U00d6zetiniz_pdf.exe, 00000001.00000002.472341182.00000000055D0000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
              Source: Ticari Hesap #U00d6zetiniz_pdf.exe, 00000000.00000002.220798552.0000000002A80000.00000004.00000001.sdmpBinary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
              Source: Ticari Hesap #U00d6zetiniz_pdf.exe, 00000000.00000002.220798552.0000000002A80000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II
              Source: Ticari Hesap #U00d6zetiniz_pdf.exe, 00000000.00000002.220798552.0000000002A80000.00000004.00000001.sdmpBinary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
              Source: Ticari Hesap #U00d6zetiniz_pdf.exe, 00000001.00000002.467844725.0000000001167000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: Ticari Hesap #U00d6zetiniz_pdf.exe, 00000001.00000002.472341182.00000000055D0000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exeProcess information queried: ProcessInformationJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exeProcess queried: DebugPortJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exeProcess queried: DebugPortJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exeProcess queried: DebugPortJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exeProcess queried: DebugPortJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exeCode function: 1_2_053FF919 LdrInitializeThunk,1_2_053FF919
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Users\user\Desktop\Ticari Hesap #U00d6zetiniz_pdf.exeMemory allocated: page read and write | page guard