Windows Analysis Report
#U00d6DEME DETAYLARI_PDF.exe

Overview

General Information

Sample Name: #U00d6DEME DETAYLARI_PDF.exe
Analysis ID: 612096
MD5: 55f4edc3a387f831d2fee28c7f6464d9
SHA1: 2ede67420207dd8a0c8284941032bd32a6c49c20
SHA256: 16395a650df60656b26e6dc7a6674c64a6348b5d24a93f171d8627c501698e61
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected AntiVM3
Tries to steal Mail credentials (via file / registry access)
Initial sample is a PE file and has a suspicious name
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Sigma detected: Suspicious Add Scheduled Task From User AppData Temp
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
.NET source code contains very large array initializations
Machine Learning detection for dropped file
Adds a directory exclusion to Windows Defender
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Sigma detected: Suspicious Outbound SMTP Connections
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection

Source: 0.2.#U00d6DEME DETAYLARI_PDF.exe.4046570.4.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "info@yapaszincir.com.tr", "Password": "Yapas-2021YP*", "Host": "mail.yapaszincir.com.tr"}
Source: #U00d6DEME DETAYLARI_PDF.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\OsAcNRt.exe Joe Sandbox ML: detected
Source: 9.2.#U00d6DEME DETAYLARI_PDF.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8
Source: 9.0.#U00d6DEME DETAYLARI_PDF.exe.400000.4.unpack Avira: Label: TR/Spy.Gen8
Source: 9.0.#U00d6DEME DETAYLARI_PDF.exe.400000.12.unpack Avira: Label: TR/Spy.Gen8
Source: 9.0.#U00d6DEME DETAYLARI_PDF.exe.400000.6.unpack Avira: Label: TR/Spy.Gen8
Source: 9.0.#U00d6DEME DETAYLARI_PDF.exe.400000.10.unpack Avira: Label: TR/Spy.Gen8
Source: 9.0.#U00d6DEME DETAYLARI_PDF.exe.400000.8.unpack Avira: Label: TR/Spy.Gen8
Source: #U00d6DEME DETAYLARI_PDF.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: #U00d6DEME DETAYLARI_PDF.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking

Source: Traffic Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.6:49748 -> 78.135.65.4:587
Source: Traffic Snort IDS: 2850920 ETPRO TROJAN MSIL/Kryptik.AEBF Sending Stolen Credentials to CnC 192.168.2.6:49748 -> 78.135.65.4:587
Source: Traffic Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.6:49748 -> 78.135.65.4:587
Source: Joe Sandbox View ASN Name: PREMIERDC-VERI-MERKEZI-ANONIM-SIRKETIPREMIERDC-SHTR
Source: global traffic TCP traffic: 192.168.2.6:49748 -> 78.135.65.4:587
Source: unknown DNS traffic detected: queries for: mail.yapaszincir.com.tr

System Summary

Source: 9.2.#U00d6DEME DETAYLARI_PDF.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 9.0.#U00d6DEME DETAYLARI_PDF.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 9.0.#U00d6DEME DETAYLARI_PDF.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 9.0.#U00d6DEME DETAYLARI_PDF.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.#U00d6DEME DETAYLARI_PDF.exe.4046570.4.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.#U00d6DEME DETAYLARI_PDF.exe.4046570.4.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 9.0.#U00d6DEME DETAYLARI_PDF.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 9.0.#U00d6DEME DETAYLARI_PDF.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.#U00d6DEME DETAYLARI_PDF.exe.4012150.6.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.#U00d6DEME DETAYLARI_PDF.exe.4012150.6.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.#U00d6DEME DETAYLARI_PDF.exe.3f99930.5.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: initial sample Static PE information: Filename: #U00d6DEME DETAYLARI_PDF.exe
Source: 9.2.#U00d6DEME DETAYLARI_PDF.exe.400000.0.unpack, <PrivateImplementationDetails>{D14893DB-FD2E-4623-876A-FAC0924E9482}/8B03A901-B6C9-4660-AAF9-E705CEA09F1A.cs Large array initialization: .cctor: array initializer size 11606
Source: 9.0.#U00d6DEME DETAYLARI_PDF.exe.400000.12.unpack, <PrivateImplementationDetails>{D14893DB-FD2E-4623-876A-FAC0924E9482}/8B03A901-B6C9-4660-AAF9-E705CEA09F1A.cs Large array initialization: .cctor: array initializer size 11606
Source: #U00d6DEME DETAYLARI_PDF.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: 9.2.#U00d6DEME DETAYLARI_PDF.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 9.0.#U00d6DEME DETAYLARI_PDF.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 9.0.#U00d6DEME DETAYLARI_PDF.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 9.0.#U00d6DEME DETAYLARI_PDF.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.#U00d6DEME DETAYLARI_PDF.exe.4046570.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.#U00d6DEME DETAYLARI_PDF.exe.4046570.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 9.0.#U00d6DEME DETAYLARI_PDF.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 9.0.#U00d6DEME DETAYLARI_PDF.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.#U00d6DEME DETAYLARI_PDF.exe.4012150.6.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.#U00d6DEME DETAYLARI_PDF.exe.4012150.6.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.#U00d6DEME DETAYLARI_PDF.exe.3f99930.5.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Code function: 0_2_054B3C78 0_2_054B3C78
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Code function: 0_2_054BBB78 0_2_054BBB78
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Code function: 0_2_064B2370 0_2_064B2370
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Code function: 0_2_064B4AA8 0_2_064B4AA8
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Code function: 9_2_032BF3C8 9_2_032BF3C8
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Code function: 9_2_032BF080 9_2_032BF080
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Code function: 9_2_0651B718 9_2_0651B718
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Code function: 9_2_0651C468 9_2_0651C468
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Code function: 9_2_06510040 9_2_06510040
Source: #U00d6DEME DETAYLARI_PDF.exe Binary or memory string: OriginalFilename vs #U00d6DEME DETAYLARI_PDF.exe
Source: #U00d6DEME DETAYLARI_PDF.exe, 00000000.00000002.427513871.0000000002F91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBXbDcfeeUnpOrEaBmKCQDSJebEJWwohtlb.exe4 vs #U00d6DEME DETAYLARI_PDF.exe
Source: #U00d6DEME DETAYLARI_PDF.exe, 00000000.00000002.434419676.00000000064D0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameIntrospective.dll" vs #U00d6DEME DETAYLARI_PDF.exe
Source: #U00d6DEME DETAYLARI_PDF.exe, 00000000.00000002.437355287.0000000007F20000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameDotNetZipAdditionalPlatforms.dllZ vs #U00d6DEME DETAYLARI_PDF.exe
Source: #U00d6DEME DETAYLARI_PDF.exe, 00000000.00000002.428463798.0000000003F91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBXbDcfeeUnpOrEaBmKCQDSJebEJWwohtlb.exe4 vs #U00d6DEME DETAYLARI_PDF.exe
Source: #U00d6DEME DETAYLARI_PDF.exe, 00000000.00000002.428463798.0000000003F91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameDotNetZipAdditionalPlatforms.dllZ vs #U00d6DEME DETAYLARI_PDF.exe
Source: #U00d6DEME DETAYLARI_PDF.exe, 00000000.00000003.391144282.0000000007D62000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameX509Consta.exe6 vs #U00d6DEME DETAYLARI_PDF.exe
Source: #U00d6DEME DETAYLARI_PDF.exe, 00000009.00000000.415725263.0000000000402000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBXbDcfeeUnpOrEaBmKCQDSJebEJWwohtlb.exe4 vs #U00d6DEME DETAYLARI_PDF.exe
Source: #U00d6DEME DETAYLARI_PDF.exe, 00000009.00000002.625573836.00000000014F8000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs #U00d6DEME DETAYLARI_PDF.exe
Source: #U00d6DEME DETAYLARI_PDF.exe Binary or memory string: OriginalFilenameX509Consta.exe6 vs #U00d6DEME DETAYLARI_PDF.exe
Source: #U00d6DEME DETAYLARI_PDF.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: OsAcNRt.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: #U00d6DEME DETAYLARI_PDF.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: OsAcNRt.exe.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe File read: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe "C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe"
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\OsAcNRt.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OsAcNRt" /XML "C:\Users\user\AppData\Local\Temp\tmp9B9E.tmp
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Process created: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe File created: C:\Users\user\AppData\Roaming\OsAcNRt.exe
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe File created: C:\Users\user\AppData\Local\Temp\tmp9B9E.tmp
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@12/11@2/1
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Mutant created: \Sessions\1\BaseNamedObjects\EAjnjmheoUcjWGQsKjbIxGInKU
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3676:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4232:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6696:120:WilError_01
Source: 9.2.#U00d6DEME DETAYLARI_PDF.exe.400000.0.unpack, A/F1.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 9.0.#U00d6DEME DETAYLARI_PDF.exe.400000.12.unpack, A/F1.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: #U00d6DEME DETAYLARI_PDF.exe Static file information: File size 1051136 > 1048576
Source: #U00d6DEME DETAYLARI_PDF.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: #U00d6DEME DETAYLARI_PDF.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation

Source: #U00d6DEME DETAYLARI_PDF.exe, Bx/rJ.cs .Net Code: WT System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: OsAcNRt.exe.0.dr, Bx/rJ.cs .Net Code: WT System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.#U00d6DEME DETAYLARI_PDF.exe.c70000.0.unpack, Bx/rJ.cs .Net Code: WT System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.#U00d6DEME DETAYLARI_PDF.exe.c70000.0.unpack, Bx/rJ.cs .Net Code: WT System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9.0.#U00d6DEME DETAYLARI_PDF.exe.fb0000.1.unpack, Bx/rJ.cs .Net Code: WT System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9.0.#U00d6DEME DETAYLARI_PDF.exe.fb0000.5.unpack, Bx/rJ.cs .Net Code: WT System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9.0.#U00d6DEME DETAYLARI_PDF.exe.fb0000.13.unpack, Bx/rJ.cs .Net Code: WT System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9.0.#U00d6DEME DETAYLARI_PDF.exe.fb0000.11.unpack, Bx/rJ.cs .Net Code: WT System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9.0.#U00d6DEME DETAYLARI_PDF.exe.fb0000.0.unpack, Bx/rJ.cs .Net Code: WT System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9.2.#U00d6DEME DETAYLARI_PDF.exe.fb0000.1.unpack, Bx/rJ.cs .Net Code: WT System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Code function: 0_2_054B01F7 push E802005Eh; retf 0_2_054B0201
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Code function: 0_2_064B1670 push es; ret 0_2_064B1680
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Code function: 0_2_064BF628 pushfd ; ret 0_2_064BF629
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Code function: 0_2_064BE430 push es; retn 0004h 0_2_064BE440
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Code function: 0_2_064B1540 push es; ret 0_2_064B1550
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Code function: 0_2_064BC15E push es; ret 0_2_064BC160
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Code function: 9_2_0651B660 push es; ret 9_2_0651B670
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Code function: 9_2_0651A795 push ecx; ret 9_2_0651A7D0
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Code function: 9_2_0651A781 push es; ret 9_2_0651A784
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Code function: 9_2_0651AA79 push ecx; ret 9_2_0651AA7C
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Code function: 9_2_0651AA11 push ecx; ret 9_2_0651AA14
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Code function: 9_2_0651AA15 push ecx; ret 9_2_0651AA18
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Code function: 9_2_0651AA19 push ecx; ret 9_2_0651AA1C
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Code function: 9_2_0651AA1D push ecx; ret 9_2_0651AA20
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Code function: 9_2_0651AA0D push ecx; ret 9_2_0651AA10
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Code function: 9_2_0651AA31 push es; ret 9_2_0651AA34
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Code function: 9_2_0651AA21 push ecx; ret 9_2_0651AA24
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Code function: 9_2_0651AA25 push ecx; ret 9_2_0651AA28
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Code function: 9_2_0651AA29 push es; ret 9_2_0651AA2C
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Code function: 9_2_0651AA2D push es; ret 9_2_0651AA30
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Code function: 9_2_0651A819 push ecx; ret 9_2_0651A81C
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Code function: 9_2_0651A82D push es; ret 9_2_0651A868
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Code function: 9_2_0651A8C5 push es; ret 9_2_0651A900
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Code function: 9_2_0651A8B1 push ecx; ret 9_2_0651A8B4
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Code function: 9_2_0651A949 push ecx; ret 9_2_0651A94C
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Code function: 9_2_0651A975 push es; ret 9_2_0651A998
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Code function: 9_2_06513139 push es; iretd 9_2_0651313C
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Code function: 9_2_0651A9C1 push es; ret 9_2_0651A9E4
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Code function: 9_2_0651A9F5 push es; ret 9_2_0651AA0C
Source: initial sample Static PE information: section name: .text entropy: 7.96404996685
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe File created: C:\Users\user\AppData\Roaming\OsAcNRt.exe
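The ".text entropy: 7.96" finding above is the static counterpart of the Assembly.Load(byte[]) call: compiled x86 or .NET code normally measures well below 7 bits per byte, so a .text section close to the 8.0 maximum holds packed or encrypted data that is decrypted and loaded at runtime. The following script is an added example (not part of the Joe Sandbox report) that reproduces the check. It walks the PE section table itself, so it needs no third-party parser; the 7.2 threshold is a common heuristic and an assumption here, and build_minimal_pe() only constructs a synthetic test fixture so the example runs offline.

```python
"""Per-section Shannon entropy for a PE file (the check behind a
".text entropy: 7.96" finding). Values near 8 bits/byte mean the section
holds packed or encrypted content rather than ordinary compiled code.
"""
import math
import struct
from collections import Counter

# Heuristic cut-off (assumption, not taken from the report): sections at or
# above this value are reported as packed/encrypted.
PACKED_THRESHOLD = 7.2


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for empty or constant data, 8.0 for a flat distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pe_sections(pe: bytes):
    """Yield (name, raw_bytes) for every section, reading only the DOS header,
    the COFF file header and the section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]    # NumberOfSections
    size_opt_hdr = struct.unpack_from("<H", pe, coff + 16)[0]   # SizeOfOptionalHeader
    table = coff + 20 + size_opt_hdr                             # first IMAGE_SECTION_HEADER
    for i in range(num_sections):
        hdr = table + 40 * i
        name = pe[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        size_raw, ptr_raw = struct.unpack_from("<II", pe, hdr + 16)  # SizeOfRawData, PointerToRawData
        yield name, pe[ptr_raw:ptr_raw + size_raw]


def flag_packed_sections(pe: bytes, threshold: float = PACKED_THRESHOLD):
    """Return ({section_name: entropy}, [names at or above threshold])."""
    entropies = {name: round(shannon_entropy(data), 4) for name, data in pe_sections(pe)}
    return entropies, [n for n, e in entropies.items() if e >= threshold]


def build_minimal_pe(sections):
    """Constructed test fixture: a minimal PE32 file layout (not a runnable
    program) carrying the given [(name, bytes)] sections. Only the header
    fields that pe_sections() reads are populated."""
    num = len(sections)
    size_opt = 224                                    # PE32 optional header size
    align = 0x200                                     # file alignment
    headers_len = 0x40 + 4 + 20 + size_opt + 40 * num
    first_raw = (headers_len + align - 1) // align * align
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew -> PE signature offset
    coff = struct.pack("<HHIIIHH", 0x14C, num, 0, 0, 0, size_opt, 0x0102)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x10B)             # PE32 magic
    table, body, ptr = bytearray(), bytearray(), first_raw
    for name, data in sections:
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # relocation/linenumber fields, Characteristics (code|exec|read)
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             len(data), ptr, len(data), ptr, 0, 0, 0, 0, 0x60000020)
        padded_len = (len(data) + align - 1) // align * align
        body += data + b"\0" * (padded_len - len(data))
        ptr += padded_len
    image = dos + b"PE\0\0" + coff + opt + table
    image += b"\0" * (first_raw - len(image))
    return bytes(image + body)


if __name__ == "__main__":
    # Constructed input: a flat 0..255 pattern stands in for encrypted code,
    # zero-filled bytes for an ordinary low-entropy section.
    sample = build_minimal_pe([(".text", bytes(range(256)) * 8), (".rsrc", b"\0" * 2048)])
    entropies, packed = flag_packed_sections(sample)
    print(entropies, "packed:", packed)
```

On a real sample, call flag_packed_sections(open(path, "rb").read()); a .text section at 7.96 bits per byte lands far above the threshold, while a normal compiled .text sits around 6 to 6.8. Sections that are legitimately compressed (.rsrc holding embedded archives or images) also score high, so the result is a triage signal to be read together with the runtime unpacking evidence, not a verdict on its own.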

Boot Survival

Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OsAcNRt" /XML "C:\Users\user\AppData\Local\Temp\tmp9B9E.tmp"
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
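The persistence step above is a schtasks /Create call that imports a task definition from the user's Temp directory, the pattern behind the "Suspicious Add Scheduled Task From User AppData Temp" Sigma hit. The following triage script is an added example, not part of the Joe Sandbox report: it pulls the switches out of a schtasks command line and flags an /XML path under AppData\Local\Temp, then inspects a Task Scheduler XML definition for an action that runs a binary from AppData. The command line is the report's, with its clipped quotes restored; the task XML is constructed, since the report does not show the contents of tmp9B9E.tmp, and its action pointing at the dropped C:\Users\user\AppData\Roaming\OsAcNRt.exe, the logon trigger and the Hidden flag are assumptions for the demonstration. The path regexes are heuristics.

```python
"""Triage of schtasks-based persistence: (1) a schtasks.exe command line that
creates a task from an XML file in the user's Temp directory, and (2) a task
definition whose action runs a binary from the user profile (AppData).
"""
import re
import xml.etree.ElementTree as ET

TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
TEMP_DIR = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(Local|LocalLow|Roaming)\\", re.I)
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')   # quoted argument or bare word


def parse_schtasks_args(cmdline: str) -> dict:
    """Map each /switch (lower-cased) to its value, or True for a bare switch."""
    tokens = [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)][1:]  # drop exe path
    args, i = {}, 0
    while i < len(tokens):
        tok = tokens[i]
        if not tok.startswith("/"):
            i += 1
            continue
        has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("/")
        args[tok.lower()] = tokens[i + 1] if has_value else True
        i += 2 if has_value else 1
    return args


def triage_cmdline(cmdline: str) -> list:
    """Reasons a schtasks command line looks like user-land persistence (empty if none)."""
    args = parse_schtasks_args(cmdline)
    reasons = []
    if "/create" not in args:
        return reasons
    xml_path = args.get("/xml")
    if isinstance(xml_path, str) and TEMP_DIR.search(xml_path):
        reasons.append("task definition imported from the user's Temp directory")
    run = args.get("/tr")
    if isinstance(run, str) and USER_WRITABLE.search(run):
        reasons.append("task action runs a binary from user AppData")
    return reasons


def triage_task_xml(xml_doc) -> list:
    """Reasons a Task Scheduler XML definition looks suspicious. Accepts str or
    raw bytes; task files exported on disk are UTF-16 with a BOM, so pass the
    bytes read from disk and let the parser honour the encoding."""
    root = ET.fromstring(xml_doc)
    reasons = []
    for exec_node in root.iter(TASK_NS + "Exec"):
        cmd = (exec_node.findtext(TASK_NS + "Command") or "").strip().strip('"')
        if USER_WRITABLE.search(cmd):
            reasons.append(f"action runs {cmd} from user AppData")
    if root.find(f".//{TASK_NS}LogonTrigger") is not None:
        reasons.append("logon trigger: re-executes at every sign-in")
    if (root.findtext(f".//{TASK_NS}Hidden") or "").strip().lower() == "true":
        reasons.append("task is marked hidden")
    return reasons


# The report's command line, with the quotes the extraction clipped restored.
SAMPLE_CMDLINE = (r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OsAcNRt" '
                  r'/XML "C:\Users\user\AppData\Local\Temp\tmp9B9E.tmp"')

# Constructed task definition (assumption: the report does not show the
# real tmp9B9E.tmp). The action points at the dropped file the report lists.
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Settings>
    <Hidden>true</Hidden>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>"C:\Users\user\AppData\Roaming\OsAcNRt.exe"</Command>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    print(parse_schtasks_args(SAMPLE_CMDLINE))
    print(triage_cmdline(SAMPLE_CMDLINE))
    print(triage_task_xml(SAMPLE_TASK_XML))
```

When hunting on a live host, the same checks apply to the XML files under C:\Windows\System32\Tasks\ (one per registered task, here it would be Tasks\Updates\OsAcNRt) and to Security event 4698 or the Microsoft-Windows-TaskScheduler/Operational log, which record the task XML at creation time even after the Temp copy has been deleted.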
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Process information set: NOOPENFILEERRORBOX (41 identical events)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (214 identical events)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: 00000000.00000002.427513871.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: #U00d6DEME DETAYLARI_PDF.exe PID: 6816, type: MEMORYSTR
Source: #U00d6DEME DETAYLARI_PDF.exe, 00000000.00000002.427513871.0000000002F91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: #U00d6DEME DETAYLARI_PDF.exe, 00000000.00000002.427513871.0000000002F91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe TID: 6808 Thread sleep time: -45733s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 688 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2556 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6640 Thread sleep count: 6500 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6908 Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6640 Thread sleep count: 1599 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6736 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe TID: 4104 Thread sleep time: -20291418481080494s >= -30000s
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe TID: 6504 Thread sleep count: 5241 > 30
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe TID: 6504 Thread sleep count: 3509 > 30
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2633
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6500
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1599
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Window / User API: threadDelayed 5241
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Window / User API: threadDelayed 3509
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Thread delayed: delay time: 45733
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Thread delayed: delay time: 922337203685477
Source: #U00d6DEME DETAYLARI_PDF.exe, 00000000.00000002.427513871.0000000002F91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: #U00d6DEME DETAYLARI_PDF.exe, 00000000.00000002.427513871.0000000002F91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: #U00d6DEME DETAYLARI_PDF.exe, 00000000.00000002.427513871.0000000002F91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
Source: #U00d6DEME DETAYLARI_PDF.exe, 00000000.00000002.427513871.0000000002F91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Memory written: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\OsAcNRt.exe
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OsAcNRt" /XML "C:\Users\user\AppData\Local\Temp\tmp9B9E.tmp
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Process created: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 9.2.#U00d6DEME DETAYLARI_PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.#U00d6DEME DETAYLARI_PDF.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.#U00d6DEME DETAYLARI_PDF.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.#U00d6DEME DETAYLARI_PDF.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.#U00d6DEME DETAYLARI_PDF.exe.4046570.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.#U00d6DEME DETAYLARI_PDF.exe.4046570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.#U00d6DEME DETAYLARI_PDF.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.#U00d6DEME DETAYLARI_PDF.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.#U00d6DEME DETAYLARI_PDF.exe.4012150.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.#U00d6DEME DETAYLARI_PDF.exe.4012150.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.#U00d6DEME DETAYLARI_PDF.exe.3f99930.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000000.415725263.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.624993533.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.428463798.0000000003F91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.414521460.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.413814549.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.415158758.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.626732315.00000000033F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: #U00d6DEME DETAYLARI_PDF.exe PID: 6816, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: #U00d6DEME DETAYLARI_PDF.exe PID: 6972, type: MEMORYSTR
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\#U00d6DEME DETAYLARI_PDF.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: Yara match File source: 00000009.00000002.626732315.00000000033F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: #U00d6DEME DETAYLARI_PDF.exe PID: 6972, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 9.2.#U00d6DEME DETAYLARI_PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.#U00d6DEME DETAYLARI_PDF.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.#U00d6DEME DETAYLARI_PDF.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.#U00d6DEME DETAYLARI_PDF.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.#U00d6DEME DETAYLARI_PDF.exe.4046570.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.#U00d6DEME DETAYLARI_PDF.exe.4046570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.#U00d6DEME DETAYLARI_PDF.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.#U00d6DEME DETAYLARI_PDF.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.#U00d6DEME DETAYLARI_PDF.exe.4012150.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.#U00d6DEME DETAYLARI_PDF.exe.4012150.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.#U00d6DEME DETAYLARI_PDF.exe.3f99930.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000000.415725263.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.624993533.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.428463798.0000000003F91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.414521460.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.413814549.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.415158758.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.626732315.00000000033F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: #U00d6DEME DETAYLARI_PDF.exe PID: 6816, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: #U00d6DEME DETAYLARI_PDF.exe PID: 6972, type: MEMORYSTR